pittendrigh Posted March 8, 2015 Share Posted March 8, 2015 I have a home-rolled CMS that often sucks in HTML file fragments as the contents of an arbitrary block element on the current page. When HTML fragments contain images the img link all too often breaks when directories (relative to the DOCUMENT_ROOT) get moved around. My processor looks for back ticks in fragments. If they exist it parses that sub-fragment and writes out a dynamic path to the current image using a _SESSION variable. So now, if images are stored relative to the current page I can move directories from here to there and everything still works. Still displays. <img src="`$_SESSION['currentClickDirUrl'];`/hidden/someimage.jpg" alt="someimage"/> ...ends up using eval($cmd) to write out a dynamic image URL function processBackTics($str) { $ret = ''; if(!strstr($str,'`')) return ''; $pos1 = strpos($str, '`'); $ret .= substr($str, 0, $pos1); $rest = substr($str, $pos1 + 1); $pos2 = strpos($rest, '`'); $cmd = substr($str, $pos1 + 1, $pos2); if ($cmd != null) { ob_start(); eval($cmd); $ret .= ob_get_contents(); @ob_end_clean(); } $rest = substr($rest, $pos2 + 1); if (strstr($rest, '`')) $ret .= $this->processBackTics($rest); else $ret .= $rest; return($ret); } I think this code can never be evaluated unless it comes from a file_get_contents($path) on my server. And I have lots of code to clean all incoming GET and POST parameters. So. Is this dangerous? I've been running it for a good five years and never been hacked. But I do have a low traffic non-ecommerce site. Link to comment https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/ Share on other sites More sharing options...
kicken Posted March 8, 2015 Share Posted March 8, 2015 It may not be dangerous per-say if you can guarantee it only ever runs your files and never anything submitted by another person. It's still not good either. For what you mentioned as your needs, all you really need to do is implement a simple find and replace system. <img src="{CURRENT_DIR}/hidden/someimage.jpg" alt="someimage"> $code = file_get_contents($file); $code = str_replace('{CURRENT_DIR}', $_SESSION['currentClickDirUrl'], $code); echo $code; Link to comment https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/#findComment-1507901 Share on other sites More sharing options...
pittendrigh Posted March 8, 2015 Author Share Posted March 8, 2015 Ouch. Did I really miss the forest because of all the trees? Yes. I'll do a string replace. Link to comment https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/#findComment-1507911 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.