pittendrigh Posted March 8, 2015 Share Posted March 8, 2015 I have a home-rolled CMS that often sucks in HTML file fragments as the contents of an arbitrary block element on the current page. When HTML fragments contain images the img link all too often breaks when directories (relative to the DOCUMENT_ROOT) get moved around. My processor looks for back ticks in fragments. If they exist it parses that sub-fragment and writes out a dynamic path to the current image using a _SESSION variable. So now, if images are stored relative to the current page I can move directories from here to there and everything still works. Still displays. <img src="`$_SESSION['currentClickDirUrl'];`/hidden/someimage.jpg" alt="someimage"/> ...ends up using eval($cmd) to write out a dynamic image URL function processBackTics($str) { $ret = ''; if(!strstr($str,'`')) return ''; $pos1 = strpos($str, '`'); $ret .= substr($str, 0, $pos1); $rest = substr($str, $pos1 + 1); $pos2 = strpos($rest, '`'); $cmd = substr($str, $pos1 + 1, $pos2); if ($cmd != null) { ob_start(); eval($cmd); $ret .= ob_get_contents(); @ob_end_clean(); } $rest = substr($rest, $pos2 + 1); if (strstr($rest, '`')) $ret .= $this->processBackTics($rest); else $ret .= $rest; return($ret); } I think this code can never be evaluated unless it comes from a file_get_contents($path) on my server. And I have lots of code to clean all incoming GET and POST parameters. So. Is this dangerous? I've been running it for a good five years and never been hacked. But I do have a low traffic non-ecommerce site. Quote Link to comment https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/ Share on other sites More sharing options...
Solution kicken Posted March 8, 2015 Solution Share Posted March 8, 2015 It may not be dangerous per-say if you can guarantee it only ever runs your files and never anything submitted by another person. It's still not good either. For what you mentioned as your needs, all you really need to do is implement a simple find and replace system. <img src="{CURRENT_DIR}/hidden/someimage.jpg" alt="someimage"> $code = file_get_contents($file); $code = str_replace('{CURRENT_DIR}', $_SESSION['currentClickDirUrl'], $code); echo $code; Quote Link to comment https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/#findComment-1507901 Share on other sites More sharing options...
pittendrigh Posted March 8, 2015 Author Share Posted March 8, 2015 Ouch. Did I really miss the forest because of all the trees? Yes. I'll do a string replace. Quote Link to comment https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/#findComment-1507911 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.