Jump to content

question about the danger of eval

pittendrigh

By pittendrigh
in PHP Coding Help

Recommended Posts

pittendrigh Newbie

pittendrigh

Posted
Posted

I have a home-rolled CMS that often sucks in HTML file fragments as the contents of an arbitrary block element on the current page.  When HTML fragments contain images the img link all too often breaks when directories (relative to the DOCUMENT_ROOT)  get moved around. 

 

My processor looks for back ticks in fragments.  If they exist it parses that sub-fragment and writes out a dynamic path to the current image using a _SESSION variable. So now, if images are stored relative to the current page I can move directories from here to there and everything still works.  Still displays.

 

  <img src="`$_SESSION['currentClickDirUrl'];`/hidden/someimage.jpg" alt="someimage"/>

 

...ends up using eval($cmd) to write out a dynamic image URL

 

    function processBackTics($str) {
        $ret = '';
        if(!strstr($str,'`'))
           return '';
 
        $pos1 = strpos($str, '`');
        $ret .= substr($str, 0, $pos1);
 
        $rest = substr($str, $pos1 + 1);
        $pos2 = strpos($rest, '`');
 
        $cmd = substr($str, $pos1 + 1, $pos2);
 
        if ($cmd != null) {
            ob_start();
            eval($cmd);
            $ret .= ob_get_contents();
            @ob_end_clean();
        }
 
        $rest = substr($rest, $pos2 + 1);
        if (strstr($rest, '`'))
            $ret .= $this->processBackTics($rest);
        else
            $ret .= $rest;
        return($ret);
    }
 
I think this code can never be evaluated unless it comes from a file_get_contents($path) on my server.   And I have lots of code to clean all incoming GET and POST parameters.
 
So.  Is this dangerous?  I've been running it for a good five years and never been hacked.  But I do have a low traffic non-ecommerce site.
 

 

 

Link to comment
https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/
Share on other sites
kicken Prolific Member

kicken

Posted
Posted

It may not be dangerous per-say if you can guarantee it only ever runs your files and never anything submitted by another person.

 

It's still not good either. For what you mentioned as your needs, all you really need to do is implement a simple find and replace system.

<img src="{CURRENT_DIR}/hidden/someimage.jpg" alt="someimage">

$code = file_get_contents($file);
$code = str_replace('{CURRENT_DIR}', $_SESSION['currentClickDirUrl'], $code);
echo $code;

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.