How can I safely use eval in PHP?

I know that some people may just answer "never" when user input is involved. But suppose I have something like this:

$version = $_REQUEST['version'];
$test = 'return $version > 3;';
$success = eval($test);

This is obviously a simplified case, but is there anything that the user can enter for version to make it do something malicious? If I limit the type of lines that $test can take to comparing the value of some variables with other variables, is there any way that anyone can see to use this?

Edit

I tried running the script on the server and nothing happens:

<?php
  $version = "exec('mkdir test') + 4";
  $teststr = '$version > 3;';
  $result = eval('return ' . $teststr);
  var_dump($result);
?>

[Output: bool(false); the rest of this paragraph, which mentioned exec('mkdir test'), did not survive extraction]

+3
6


$version = "exec('rm-rf/...') + 4"; // Return 4 so the return value is "true" 
                                    // after all, we're gentlemen!
$test = "return $version > 3"; 
eval($test);

:)

filter_var(), is_numeric().

+3

$version = (int)$_REQUEST['version'];

+1
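Putting the two answers above together (reject anything that is not a plain integer, then compare without eval), here is an added example that is not from the original thread. It assumes PHP 8 or later and a request parameter named version, as in the question; the operator whitelist and the sample inputs are constructed for illustration. Note also the quoting difference on this page: in the question's $test = 'return $version > 3;' the single quotes prevent interpolation, so eval compares the string held in the variable, whereas the double-quoted "return $version > 3" in the earlier answer splices the raw request value into source code before eval ever sees it.

```php
<?php
// Added example, not code from the original thread.
// Replaces the eval() comparison with input validation plus a
// whitelisted operator table, so no user data is ever parsed as code.

declare(strict_types=1);

/**
 * Validate an untrusted "version" value as a non-negative integer.
 * Returns null for anything that is not a plain decimal integer, so
 * "exec('mkdir test') + 4", "4 + 1", "" and arrays are all rejected.
 */
function parseVersion(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;           // ?version[]=5 arrives as an array: reject
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

/**
 * Compare two integers with an operator chosen from a fixed whitelist.
 * This is the "limited type of lines" from the question, implemented
 * without eval(); an operator outside the table throws instead.
 */
function compareInts(int $a, string $op, int $b): bool
{
    return match ($op) {
        '>'  => $a >  $b,
        '>=' => $a >= $b,
        '<'  => $a <  $b,
        '<=' => $a <= $b,
        '==' => $a === $b,
        '!=' => $a !== $b,
        default => throw new InvalidArgumentException("operator not allowed: $op"),
    };
}

// Constructed sample values standing in for $_REQUEST['version'].
$samples = [
    '5',                          // valid: 5 > 3 is true
    '2',                          // valid: 2 > 3 is false
    "exec('mkdir test') + 4",     // the input tried in the question: rejected
    '4 + 1',                      // arithmetic is not an integer literal: rejected
    ['5'],                        // ?version[]=5 : rejected
];

foreach ($samples as $raw) {
    $version = parseVersion($raw);
    if ($version === null) {
        echo 'rejected: ', var_export($raw, true), PHP_EOL;
        continue;
    }
    $success = compareInts($version, '>', 3);
    echo "version $version > 3 : ", var_export($success, true), PHP_EOL;
}
```

If the comparison has to involve "other variables" as the question puts it, resolve their names through a fixed array lookup (for example $vars['min']) rather than building a variable name or expression from the request; the operator table above stays the only place where the comparison is chosen.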


exec("rm -rf /");

echo "enlarge your rolex!";

while(true) echo "*";

-1

Only digits (0-9): preg_replace('/[^0-9]+/', '', $version);

-2

Source: https://habr.com/ru/post/1779428/
