Comments on: Avoiding EVAL()

By: Žilvinas

Žilvinas — Tue, 10 Feb 2009 11:37:43 +0000

On the other hand this shows a nice exploit when eval is disabled. You could easily inject your code to execute by exploiting a bug with dynamic variable includes.

By: Davey Shafik

Davey Shafik — Wed, 04 Feb 2009 00:58:24 +0000

This is quite obvious; there is a base64_encode() and a base64_decode() involved in my solution. However, benchmarks in userland are inherently flawed.

By: Matt

Matt — Wed, 04 Feb 2009 00:02:01 +0000

Lookie:

http://pastebin.com/f6662eb57

eval() is significantly faster than include() – on my computer it’s a difference of about 35%.

By: EllisGL

EllisGL — Tue, 03 Feb 2009 13:36:32 +0000

There’s a lot of pay scripts that are eval base64 encoded.. Could use this to no use eval.. Still insecure.

By: links for 2009-02-02 — Mior Muhammad Zaki: PHP & JavaScript Programmer

links for 2009-02-02 — Mior Muhammad Zaki: PHP & JavaScript Programmer — Tue, 03 Feb 2009 05:30:42 +0000

[...] Avoiding EVAL() (tags: PHP) [...]

By: Davey Shafik

Davey Shafik — Tue, 03 Feb 2009 04:39:34 +0000

I never claimed it was useful. And there certainly is no *serious* use case; I just enjoy bending the language

By: Timothy

Timothy — Mon, 02 Feb 2009 18:04:37 +0000

man… and I thought I wrote sinister code! Thanks for sharing, Davey.

By: Andrei

Andrei — Mon, 02 Feb 2009 17:40:58 +0000

Silly and completely useless. I don’t see an serious use case for this “feature”.

By: gasper_k

gasper_k — Mon, 02 Feb 2009 08:23:04 +0000

Yes, I’ve re-checked it, and it seems it was introduced in 5.2, not in 5.1 as I previously posted.

By: Davey Shafik

Davey Shafik — Mon, 02 Feb 2009 00:56:30 +0000

As Johannes pointed out, it was also added in 5.2; it was a typo on my part