jcuenod jcuenod - 1 year ago 85
PHP Question

Is "return eval" evil?

Given the statement

$someValue = eval("return \$$userSetting;");

How could
be dangerous? It seems the worst it could do is expose variables but that is actually what it's supposed to be doing in this code. Is there some way to execute arbitrary code with PHP's variable variables?

Answer Source

You can easily invoke an arbitrary function (to be more precise - an arbitrary expression) there:

$userSetting = 'userSetting && print(123)';

This would work in all (?) php versions.

With php7 it becomes even more convenient since you can call an anonymous function in-place:

$userSetting = 'userSetting && (function() { do whatever you want })();';
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download