2012-07-24

Eval is Evil

Why?
Because Kizano said so...

Here are some examples I've seen in live code that just do not work (1-line each):

$success = eval('?>' . $_GET['a']);

eval("$my_obj->$key = $other_obj->$some_value");

I'm really surprised at some people. Do they not see the glaring a=<?php system("rm -Rf /"); in their URL?

Just keep things easy on yourself and use this instead:

$success = (string)$_GET['a'];

$my_obj->$key = $other_obj->$some_value;

That way, you don't give me a heart attack when I see you vulnerable to the most basic PHP exploit... Remember, PHP is smart enough to do what you want, but the real question is: are you l33t enough to write it?
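To make the eval-free replacement concrete, here is an added example (not code from the original post) that does the runtime-named property copy with a plain assignment and checks the property name against an allowlist first, since a request-controlled `$key` can otherwise point at any property. The `Profile` class and the request values are constructed for illustration.

```php
<?php
// Added example: the eval-free way to copy one object's field into
// another object's field named at runtime. The class and the request
// values below are constructed for illustration.

final class Profile
{
    public string $displayName = '';
    public string $email = '';
    public bool $isAdmin = false;   // must never be settable from a request
}

// Only these properties may be written when the name comes from a request.
const WRITABLE_PROFILE_FIELDS = ['displayName', 'email'];

/**
 * Equivalent of `$my_obj->$key = $other_obj->$some_value` without eval.
 * $key and $sourceField are used purely as property names; nothing in
 * them is ever parsed as PHP code.
 */
function copyField(Profile $target, string $key, object $source, string $sourceField): bool
{
    if (!in_array($key, WRITABLE_PROFILE_FIELDS, true)) {
        return false;                       // e.g. 'isAdmin' is rejected
    }
    if (!property_exists($source, $sourceField)) {
        return false;                       // unknown source field
    }
    $target->$key = (string) $source->$sourceField;
    return true;
}

// Constructed stand-ins for $_GET.
$get = ['a' => '<?php echo "injected"; ?>', 'field' => 'isAdmin'];

// eval('?>' . $_GET['a']) would execute the contents of 'a' as PHP.
// Casting keeps it as inert text:
$success = (string) $get['a'];              // just a string, nothing runs

$src = new stdClass();
$src->displayName = 'alice';
$profile = new Profile();

var_dump(copyField($profile, 'displayName', $src, 'displayName')); // bool(true)
var_dump(copyField($profile, $get['field'], $src, 'displayName'));  // bool(false)
var_dump($profile->isAdmin);                                        // bool(false)
```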

Eval is Evil!
EOF
