[pmwiki-devel] eval function

The Editor editor at fast.st
Tue Dec 12 04:33:39 CST 2006

On 12/12/06, Stefan Schimanski <sts at 1stein.org> wrote:
> "The Editor" <editor at fast.st> writes:
> > I'm trying to make it easier for admins to write their own zap
> > modules, but can't seem to get this line to work:
> > eval("ZAP$mod($field, $value)");
> Quoting http://de.php.net/manual/en/function.eval.php
>  Remember that the string passed must be valid PHP code,
>  including things like terminating statements with a semicolon so
>  the parser doesn't die on the line after the eval()
> Not sure if that's the reason, but they talk about the semicolon
> which is mandatory.
> > eval("ZAP$mod('" . $field . "', '" . $value . "')");

That was it Stefan, it is working now.  Very nice.  Other admins will
now be able to create other zap modules they only need to enable in a
config to get to work.  Still make other significant changes so it may
be awhile before it is released...

> I don't know where $value is coming from. But if it is supplied by
> the client, you should think about escaping. Otherwise your code
> is a security hole because you can set $value to something like
>  foo'); do-something-nasty(); print('
> which results in
>  eval("ZAPfiles('field', 'foo'); do-something-nasty();
>  print('')");

Thanks for pointing this out.  I was very hesitant to use the eval
function for fear I might introduce some risk...  What a great list!

Can you explain how to escape it, so it can be used safely?  Maybe
something like str_replace the closing apostrophe to its html code
equivalent, so a user value cannot close the string?  Is that what you


More information about the pmwiki-devel mailing list