[pmwiki-devel] eval function
The Editor
editor at fast.st
Tue Dec 12 04:33:39 CST 2006
On 12/12/06, Stefan Schimanski <sts at 1stein.org> wrote:
> "The Editor" <editor at fast.st> writes:
>
> > I'm trying to make it easier for admins to write their own zap
> > modules, but can't seem to get this line to work:
> > eval("ZAP$mod($field, $value)");
>
> Quoting http://de.php.net/manual/en/function.eval.php
>
> Remember that the string passed must be valid PHP code,
> including things like terminating statements with a semicolon so
> the parser doesn't die on the line after the eval()
>
> Not sure if that's the reason, but they talk about the semicolon
> which is mandatory.
>
> > eval("ZAP$mod('" . $field . "', '" . $value . "')");
That was it Stefan, it is working now. Very nice. Other admins will
now be able to create other zap modules they only need to enable in a
config to get to work. Still make other significant changes so it may
be awhile before it is released...
> I don't know where $value is coming from. But if it is supplied by
> the client, you should think about escaping. Otherwise your code
> is a security hole because you can set $value to something like
>
> foo'); do-something-nasty(); print('
>
> which results in
>
> eval("ZAPfiles('field', 'foo'); do-something-nasty();
> print('')");
Thanks for pointing this out. I was very hesitant to use the eval
function for fear I might introduce some risk... What a great list!
Can you explain how to escape it, so it can be used safely? Maybe
something like str_replace the closing apostrophe to its html code
equivalent, so a user value cannot close the string? Is that what you
mean?
Cheers,
Dan
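As an added example that is not part of the original thread (not Dan's, Stefan's or PmWiki's own code): the eval-based dispatch from the thread beside a dispatcher that never builds PHP source text, so a quote inside $value stays plain data. The module functions ZAPfiles and ZAPmail, the allow-list and the hostile value are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Two hypothetical modules
// following the "ZAP" . $mod naming convention used in the thread.
function ZAPfiles($field, $value) {
    return "files: $field = $value";
}
function ZAPmail($field, $value) {
    return "mail: $field = $value";
}

// Pattern discussed in the thread: $field and $value are interpolated into
// PHP source text. A value containing a single quote can close the string
// literal and append further statements, which eval() then executes.
function dispatch_with_eval($mod, $field, $value) {
    return eval("return ZAP$mod('" . $field . "', '" . $value . "');");
}

// Hardened dispatcher: no source text is built at all. The module name is
// checked against an explicit allow-list (constructed here) and the target
// function must exist; $field and $value are passed as real arguments, so
// quotes, semicolons or parentheses in them cannot change what runs.
function dispatch_module($mod, $field, $value) {
    static $allowed = array('files', 'mail');  // constructed allow-list
    if (!in_array($mod, $allowed, true)) {
        return false;                           // unknown module: refuse
    }
    $fn = 'ZAP' . $mod;
    if (!function_exists($fn)) {
        return false;
    }
    return call_user_func($fn, $field, $value);
}

// Constructed hostile value of the shape Stefan describes. Through
// dispatch_module() it is returned verbatim inside the result string;
// through dispatch_with_eval() the same bytes would be parsed as code.
$hostile = "foo'); do_something_nasty(); print('";
echo dispatch_module('files', 'field', $hostile), "\n";

// A module name that is not on the allow-list is refused outright,
// regardless of what function_exists() would say about it.
var_dump(dispatch_module('../evil', 'field', 'x'));
```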