[pmwiki-devel] eval function
Stefan Schimanski
sts at 1stein.org
Tue Dec 12 02:15:29 CST 2006
"The Editor" <editor at fast.st> writes:
> I'm trying to make it easier for admins to write their own zap
> modules, but can't seem to get this line to work:
> eval("ZAP$mod($field, $value)");
Quoting http://de.php.net/manual/en/function.eval.php:

    Remember that the string passed must be valid PHP code,
    including things like terminating statements with a semicolon so
    the parser doesn't die on the line after the eval()
Not sure if that's the reason, but they talk about the semicolon
which is mandatory.
> eval("ZAP$mod('" . $field . "', '" . $value . "')");
I don't know where $value is coming from. But if it is supplied by
the client, you should think about escaping. Otherwise your code
is a security hole because you can set $value to something like
    foo'); do-something-nasty(); print('

which results in

    eval("ZAPfiles('field', 'foo'); do-something-nasty(); print('')");
Schimmi
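An added example, not from the thread or from PmWiki: the interpolated eval() discussed above beside a dispatcher that never places $value inside source code. The ZAP<module>($field, $value) convention and the ZAPfiles name come from the message; the allowlist, the exception types and the demo values are assumptions.

```php
<?php
// Added example, not part of the original message. The ZAP module convention
// (a function named ZAP<module>($field, $value)) is taken from the thread.

// A stand-in module function, as the thread's example names it.
function ZAPfiles($field, $value) {
    return "files: field=$field value=$value";
}

// Vulnerable form from the thread: $value is spliced into PHP source, so a
// value such as  foo'); do-something-nasty(); print('  is parsed as extra
// statements rather than as a string argument.
function zap_dispatch_eval($mod, $field, $value) {
    return eval("return ZAP$mod('" . $field . "', '" . $value . "');");
}

// Hardened form: $mod is checked against an allowlist (assumed) and resolved
// to an existing function; $field and $value are passed as plain arguments,
// so their contents stay data and eval() is not needed at all. Escaping
// $value for the eval() string is the weaker fix and is not used here.
function zap_dispatch_safe($mod, $field, $value, array $allowed = array('files')) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $mod) || !in_array($mod, $allowed, true)) {
        throw new InvalidArgumentException("unknown ZAP module: $mod");
    }
    $fn = 'ZAP' . $mod;
    if (!function_exists($fn)) {
        throw new RuntimeException("module function $fn is not defined");
    }
    return call_user_func($fn, $field, $value);
}

// Demo with a constructed hostile $value: with the safe dispatcher the quote
// and parentheses simply end up inside the returned string.
$hostile = "foo'); print('injected";   // constructed sample input
echo zap_dispatch_safe('files', 'field', $hostile), "\n";
// prints: files: field=field value=foo'); print('injected
```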