[UPHPU] HTML/PHP via eval()
Mac Newbold
mac at macnewbold.com
Mon Aug 29 12:04:57 MDT 2005
Saturday at 10:31am, Jacob Wright said:
> Starting out the string with the '?>' closes PHP mode and will even work
> with pages that start with PHP, since they'll need to open PHP mode anyway.
>
> <?php
> // get session vars, set up stuff, etc.
> ?>
> <html>
> <head>
> <title><?php echo $title; ?></title>
> ....
>
> The eval will be: eval('?><?php //get session vars...etc.');
If you have the content you're trying to eval() in a file already, try
using include() instead. That's generally the more typical way to do it.
>> eval() is assuming that you are already starting in PHP mode, so you'll
>> have a heck-a-time trying to parse through the whole string to modify it to
>> work and it will also be inefficient. I just tested this out, so I'm not
>> sure if it works in all cases, but, if you want to eval a PHP page, then
>> just add a ?> in front of the string. Here is an example:
>>
>> eval('?><html><body><?php echo "hello world!" ?></body></html>');
If you don't have the content in a file, and don't want to put it in one,
then this looks like it will work fine.
One very important thing to remember about eval() is that it is extremely
easy to open huge gaping security holes with it. If _any_ of the data that
you're eval()ing is coming from user input, cookies, post/get variables,
etc., then you have a big problem. The user can now execute whatever code
they want on your server. That means they can get all your files, anything
that php can get to. This could mean database passwords, e-commerce magic
bits (i.e. for your payment gateway account), credit card numbers, etc.
By reading and writing files in your web directory, they could even get
copies of all your PHP source, and replace it with modified versions of
their choosing. That could be used to "trojan" your site, so that they can
steal passwords, credit card info, or whatever.
So always be extremely careful when you're using eval(). When in doubt
about the security of your code (which should be almost always, when
you're using eval()), ask on the list for some people to review it for
you. It will save you a lot of headaches.
And congrats on becoming a poster instead of just a lurker! :)
Thanks,
Mac
--
Mac Newbold MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com http://www.macnewbold.com/
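The two points made in the thread, the '?>' idiom for eval() and the rule that request data must never become part of the evaluated string, as an added example that is not code from the original post. The names renderTemplate, renderFile, $templates and page.tpl.php are hypothetical.

```php
<?php
// Developer-written templates, keyed by name. The leading '?>' closes PHP
// mode so eval() emits the HTML literally until the next <?php tag.
$templates = [
    'greeting' => '?><html><body><h1>Hello, <?php echo $name; ?></h1></body></html>',
];

function renderTemplate(array $templates, string $which, array $vars): string
{
    // Only the template *name* may come from the request; the code string
    // itself is always one of the fixed entries above.
    if (!isset($templates[$which])) {
        throw new InvalidArgumentException("unknown template: $which");
    }
    // Escape every value before it reaches the page: data stays data and is
    // exposed to the template as plain variables ($name, ...), never as code.
    extract(array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $vars
    ), EXTR_SKIP);
    ob_start();
    eval($templates[$which]);   // runs in this scope, so $name is visible
    return ob_get_clean();
}

// Constructed sample standing in for $_GET values; the tag is emitted as
// escaped text rather than markup.
echo renderTemplate($templates, 'greeting', ['name' => '<script>alert(1)</script>']);

// The anti-pattern the post warns about: concatenating request data into
// the string given to eval(), e.g. eval('?><h1>' . $_GET['name'] . '</h1>'),
// hands the requester the ability to run any PHP on the server.

// The alternative recommended in the reply: keep the markup in a file and
// include() it. The same escaping rule applies and no eval() is involved.
function renderFile(string $path, array $vars): string
{
    extract(array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $vars
    ), EXTR_SKIP);
    ob_start();
    include $path;   // e.g. page.tpl.php containing <?php echo $name; ?>
    return ob_get_clean();
}
```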