[pmwiki-devel] eval function

Stefan Schimanski sts at 1stein.org
Tue Dec 12 02:15:29 CST 2006

"The Editor" <editor at fast.st> writes:

> I'm trying to make it easier for admins to write their own zap 
> modules, but can't seem to get this line to work: 
> eval("ZAP$mod($field, $value)"); 

Quoting http://de.php.net/manual/en/function.eval.php

  Remember that the string passed must be valid PHP code, 
  including things like terminating statements with a semicolon so 
  the parser doesn't die on the line after the eval()

Not sure if that's the reason, but they talk about the semicolon 
which is mandatory.

> eval("ZAP$mod('" . $field . "', '" . $value . "')"); 

I don't know where $value is coming from. But if it is supplied by 
the client, you should think about escaping. Otherwise your code 
is a security hole because you can set $value to something like

  foo'); do-something-nasty(); print('

which results in 

  eval("ZAPfiles('field', 'foo'); do-something-nasty(); 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 185 bytes
Desc: not available
Url : /pipermail/pmwiki-devel/attachments/20061212/f9b079e8/attachment.bin 

More information about the pmwiki-devel mailing list