Eval is Evil

Why?
Because Kizano said so...

Here are some examples I've seen in live code that just do not work (one line each):

$success = eval('?>' . $_GET['a']);

eval("$my_obj->$key = $other_obj->$some_value");
I'm really surprised at some people. Do they not see the glaring a=<?php system("rm -Rf /"); in their URL?

Just keep things easy on yourself and use this instead:

$success = (string)$_GET['a'];

$my_obj->$key = $other_obj->$some_value;
That way, you don't give me a heart attack when I see you vulnerable to the most basic PHP exploit... Remember, PHP is smart enough to do what you want, but the real question is: are you l33t enough to write it?
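As an added example (not code from the original post), here is the eval-free dynamic-property pattern with the one check the replacement above still leaves open: the property name is taken from an allow-list rather than straight from the request, and the value is copied as a plain string that is never interpreted. The Settings class, ALLOWED_KEYS and assignFromRequest() are hypothetical names chosen for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical settings object whose fields may be updated from a request.
final class Settings
{
    public string $theme = 'light';
    public string $locale = 'en';
}

// Only these property names may be set from untrusted input.
const ALLOWED_KEYS = ['theme', 'locale'];

/**
 * Assign $value to the property named $key on $target without eval.
 * The key is checked against an allow-list first, so a request cannot
 * reach arbitrary properties; the value is stored as text and never
 * passed to the PHP parser, so "<?php ...?>" in it stays inert.
 */
function assignFromRequest(object $target, string $key, string $value): bool
{
    if (!in_array($key, ALLOWED_KEYS, true)) {
        return false;               // unknown key: refuse, do not touch the object
    }
    $target->{$key} = $value;       // variable-property syntax replaces the eval()
    return true;
}

// Constructed sample inputs standing in for $_GET['k'] and (string)$_GET['a'].
$settings = new Settings();

// Normal request: allow-listed key, harmless value.
assignFromRequest($settings, 'theme', 'dark');

// Hostile-looking value: it is just a string on the object, not executed.
assignFromRequest($settings, 'locale', '<?php echo 1; ?>');

// Key that is not allow-listed: rejected, object unchanged.
$rejected = !assignFromRequest($settings, 'password', 'x');

var_dump($settings, $rejected);
```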

Eval is Evil!
EOF
