[UPHPU] HTML/PHP via eval()
mac at macnewbold.com
Mon Aug 29 12:04:57 MDT 2005
Saturday at 10:31am, Jacob Wright said:
> Starting out the string with the '?>' closes PHP mode and will even work
> with pages that start with PHP, since they'll need to open PHP mode anyway.
> // get session vars, set up stuff, etc.
> <title><?php echo $title; ?></title>
> The eval will be: eval('?><?php //get session vars...etc.');
If you have the content you're trying to eval() in a file already, try
using include() instead. That's generally the more typical way to do it.
>> eval() is assuming that you are already starting in PHP mode, so you'll
>> have a heck-a-time trying to parse through the whole string to modify it to
>> work and it will also be innefficient. I just tested this out, so I'm not
>> sure if it works in all cases, but, if you want to eval a PHP page, then
>> just add a ?> in front of the string. Here is an example:
>> eval('?><html><body><?php echo "hello world!" ?></body></html>');
If you don't have the content in a file, and don't want to put it in one,
then this looks like it will work fine.
One very important thing to remember about eval() is that it is extremely
easy to open huge gaping security holes with it. If _any_ of the data that
you're eval()ing is coming from user input, cookies, post/get variables,
etc., then you have a big problem. The user can now execute whatever code
they want on your server. That means they can get all your files, anything
that php can get to. This could mean database passwords, e-commerce magic
bits (i.e. for your payment gateway account), credit cards numbers, etc.
By reading and writing files in your web directory, they could even get
copies of all your PHP source, and replace it with modified versions of
their choosing. That could be used to "trojan" your site, so that they can
steal passwords, credit card info, or whatever.
So always be extremely careful when you're using eval(). When in doubt
about the security of your code (which should be almost always, when
you're using eval()), ask on the list for some people to review it for
you. It will save you a lot of headaches.
And congrats on becoming a poster instead of just a lurker! :)
Mac Newbold MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com http://www.macnewbold.com/
More information about the UPHPU