Avoiding EVAL()


There are a shed-load of ways to “eval()” code without actually calling the eval() function — usually done simply to avoid the use of the dreaded “evil()” function.

Here is another simple way to avoid eval() without writing out files to the filesystem etc:

```php
<?php
// Build a PHP source string and include it through the data: stream wrapper,
// so it runs without eval() and without writing a temporary file to disk.
// Requires allow_url_include=On; it is Off by default since PHP 5.2.
$code = '<?php echo "Hello World"; ?>';
include('data:text/plaintext;base64,' . base64_encode($code));
```

This uses the new data: stream wrapper (see RFC 2397) that was introduced in PHP 5.2.0. While this may look like a risk, consider two things: first, the “attacker” already has access to the code on your system, or you are open to injection anyway; second, PHP 5.2 also addressed the problem by introducing the “allow_url_include” php.ini option.

I just thought it was a neat little streams “hack” I would share; I originally thought to do it using the var stream from PHP’s stream_wrapper_register() documentation, but then Evert Pot posted about creating streams from strings using the data: stream, which led to this final “solution”.
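As an added example that is not part of the original post, the following script shows both sides of the trick: the data: include guarded by the allow_url_include check the post mentions, and a defensive include helper for code that takes a path from outside, which refuses any stream wrapper and any path escaping a base directory. Function names, the base-directory rule and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example: data: include with its ini guard, plus a local-only include
// helper. Function names and inputs here are constructed for illustration.

// The trick from the post. data: counts as a URL include, so with the
// default allow_url_include=Off the include is refused with a warning.
function include_from_string($code)
{
    if (!ini_get('allow_url_include')) {
        return false; // blocked by php.ini, nothing executed
    }
    // include returns whatever the included code returns
    return include 'data:text/plain;base64,' . base64_encode($code);
}

// Defensive counterpart for user-influenced include paths: only real files
// below $baseDir, never a wrapper (data:, php://, http://, ...) and never
// a path that resolves outside the base directory.
function include_local_only($baseDir, $relativePath)
{
    // Any scheme prefix selects a stream wrapper rather than a file.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relativePath)) {
        throw new InvalidArgumentException("stream wrapper refused: $relativePath");
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $relativePath);
    // realpath() is false for missing files and resolves ../, so a plain
    // prefix comparison against the base directory is reliable.
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException("path escapes $baseDir: $relativePath");
    }
    return include $full;
}

// Constructed demo inputs
$code = '<?php echo "Hello World\n"; return 42;';
var_dump(include_from_string($code));

$dir = sys_get_temp_dir();
file_put_contents($dir . '/ok.php', '<?php return "local file";');
var_dump(include_local_only($dir, 'ok.php'));
try {
    include_local_only($dir, 'data:text/plain;base64,' . base64_encode($code));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it once with the default php.ini and once with `php -d allow_url_include=1` to see the first call go from refused to executed, while the helper rejects the wrapper path in both cases.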

12 thoughts on “Avoiding EVAL()”

    • Davey Shafik

      This is quite obvious; there is a base64_encode() and a base64_decode() involved in my solution. However, benchmarks in userland are inherently flawed.
