Broad Network


PHP Eval Function and Security Risks

Foreword: PHP has a special function called the eval function. In this tutorial, I explain how the eval function operates.

By: Chrysanthus. Date Published: 23 Jan 2019

Introduction

PHP has a special function called the eval function. In this tutorial, I explain how the eval function operates.

Argument
The argument in parentheses to the eval function is a string of statements.

Variable
There is one exception to the usual quoting rules: inside a double quoted argument string, the $ of each variable must be escaped as \$ (otherwise PHP interpolates the variable before eval ever sees the string), while inside a single quoted string the $ is not escaped. Try the following code:

<?php
    
    eval("\$variab = 'a thing';");

    echo $variab;

?>

The output is:

    a thing

The eval function always takes one string as its argument. In this code there is only one statement in the string, and the string is delimited by double quotes. The statement in the string is:

    $variab = 'a thing';

Note the terminating semicolon inside the argument, and the escaping of the $ symbol in the statement. In this code the eval function returns null (nothing), since the string contains no return statement.

The eval function executes the statements in its argument. After the eval call, the variables created in the argument can be accessed.

Try the following code where the argument string is of single quotes:

<?php
    
    eval('$variab = "a thing";');

    echo $variab;

?>

The output is:

    a thing

The eval function always takes one string as its argument. In this code there is still only one statement in the string, but the string is now delimited by single quotes. The statement in the string is:

    $variab = "a thing";

Since the overall string is in single quotes, the quoted string inside it is in double quotes. Note the terminating semicolon in the argument. This time the $ symbol in the statement has not been escaped. The eval function again returns null in this code.

The eval function evaluates the statements of its argument. Below the eval function, the variables can be accessed.

An eval call takes a single argument, which is a string of statements. Like any other function call written as a statement, the call itself ends with a semicolon.

More than One Statement
The following code has a number of statements in a single quoted string. Try it:

<?php
    
    eval('
     $x = 2;
     $y = 3;
     $z = $x + $y;  #the sum
     echo $z;
    ');

?>

The argument string can even contain a comment. The output is:

    5

Note that the echo construct (in the string argument) is not a return statement; it is just a statement in its own right.

Argument with Return Statement
If the argument string has no return statement, eval() returns null. The eval() call above therefore returns null, because echo is not a return statement. When the evaluated code does return a value, that value can be assigned to a variable in the normal way. Try the following code:

<?php
    
    $varia = eval("
     \$x = 2;
     \$y = 3;
     \$z = \$x * \$y;  #the product
     return \$z;
    ");

    echo $varia;

?>

This time the overall string is in double quotes, so the $ of each variable in the string is escaped. The value returned by eval() is assigned to $varia and displayed after the call. The output is:

    6

Variables before eval() function Parentheses
In the following code, the variables are defined before the eval() call and used inside its argument string, since the evaluated code runs in the scope of the calling code:

<?php

    $x = 2;
    $y = 3;
    
    eval('
     $z = $x + $y;  #the sum
     echo $z;
    ');

?>

The output is:

    5

The following code follows the previous one, but this time double quotes are used for the overall string, so the $ symbols must be escaped:

<?php
    
    $x = 2;
    $y = 3;

    $varia = eval("
     \$z = \$x * \$y;  #the product
     return \$z;
    ");

    echo $varia;

?>

The output is:

    6

The eval() Function Syntax

    mixed eval ( string $code )

Evaluates the given code as PHP.

code
    Valid PHP code to be evaluated.
    The code must not be wrapped in opening and closing PHP tags, i.e. 'echo "Hi!";' must be passed instead of '<?php echo "Hi!"; ?>'. It is still possible to leave and re-enter PHP mode though using the appropriate PHP tags, e.g. 'echo "In PHP mode!"; ?>In HTML mode!<?php echo "Back in PHP mode!";'.
    Apart from that the passed code must be valid PHP. This includes that all statements must be properly terminated using a semicolon. 'echo "Hi!"' for example will cause a parse error, whereas 'echo "Hi!";' will work.
    A return statement will immediately terminate the evaluation of the code.
    The code will be executed in the scope of the code calling eval(). Thus any variables defined or changed in the eval() call will remain visible after it terminates.

eval() returns NULL unless return is called in the evaluated code, in which case the value passed to return is returned. As of PHP 7, if there is a parse error in the evaluated code, eval() throws a ParseError exception. Before PHP 7, in this case eval() returned FALSE and execution of the following code continued normally.

Security Risks
Note: In case of a fatal error in the evaluated code, the whole script exits.
Warning: The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
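The pattern the warning above describes, together with the PHP 7 ParseError behaviour from the syntax section, as an added example that is not part of this tutorial. It assumes PHP 8 (match expression, mixed return type) and a hypothetical user-supplied arithmetic expression such as a form field; the function names and sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the tutorial above. It contrasts the pattern
// the warning describes with a version that computes the same kind of
// expression without eval(). Assumes PHP 8 (match expression, mixed type).

// RISKY: user text is concatenated into PHP source and executed with the
// script's full privileges. Catching ParseError (PHP 7+) handles only syntax
// mistakes; it is not a safeguard against what syntactically valid code does.
function computeWithEval(string $userExpr): mixed
{
    try {
        return eval('return ' . $userExpr . ';');
    } catch (ParseError $e) {
        return 'parse error: ' . $e->getMessage();
    }
}

// SAFER: accept only the exact shape expected (integer, operator, integer)
// and compute it directly, so user-controlled text is never parsed as PHP.
function computeWithoutEval(string $userExpr): ?int
{
    if (!preg_match('/^\s*(\d{1,9})\s*([-+*\/])\s*(\d{1,9})\s*$/', $userExpr, $m)) {
        return null;   // anything outside the allow-list is rejected, not repaired
    }
    [$a, $b] = [(int) $m[1], (int) $m[3]];
    return match ($m[2]) {
        '+' => $a + $b,
        '-' => $a - $b,
        '*' => $a * $b,
        '/' => $b === 0 ? null : intdiv($a, $b),
    };
}

// Constructed sample inputs (not real request data).
$inputs = ['2 * 3', '10 - 4', 'echo "Hi!"', '2 ** 3'];

foreach ($inputs as $in) {
    echo str_pad($in, 12), ' eval: ', var_export(computeWithEval($in), true),
         '  safe: ', var_export(computeWithoutEval($in), true), PHP_EOL;
}
```

The last two inputs show eval() either throwing ParseError or accepting more than the intended grammar, while the allow-list version simply rejects them with null.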

That is it for this part of the series.

Chrys
