Eval() is not a function in PHP. How to be?

A

AntonioK2011-03-10 12:52:49

PHP

AntonioK, 2011-03-10 12:52:49

In PHP, eval() is not a function: "Because this is a language construct and not a function, it cannot be called using variable functions" ( link ).
The disable_functions option in php.ini does not affect eval().
How to disable eval() without resorting to safe mode?

Reply

Answer the question

In order to leave comments, you need to log in

4 answer(s)

K

Kane, 2011-03-10
@AntonioK

Maybe this will help you www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval

Y

YourChief, 2011-03-10
@YourChief

maybe just put a suhosin-patch that disables it and does other useful things?

A

AFoST, 2011-03-10
@AFoST

besides eval, there are a bunch of other ways to execute php code.
for example:
1. $newfunc = create_function('', '};phpinfo();//');
2. preg_replace with the /e
modifier 3. backticks: `ls -lia`
4. and a bunch of other tricks...

G

Gibbzy, 2011-03-10
@gibbzy

the correct answer is never to use eval.
In most cases, this is
php.net/manual/en/function.call-user-func.php
If you can't do without eval(), then something in your code is wrong.