How dangerous is eval() and is there a way to enable it on one account?

Liam W

Active Member
Jul 8, 2012
33
0
6
UK
cPanel Access Level
Root Administrator
Twitter
So, I have been reading through the internet and most sites agree that the eval() php function is very dangerous.

So, my question is this:

Just how dangerous is the eval() function? What makes it so dangerous?

My second question is this:

Is there a way to give a WHM account it's own private php installation? The reason I ask is that vBulletin requires the eval() command, so I cannot globally disable it however it looks as if it would be a good idea to have it disabled.

What do you all think?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
The eval function, regardless of language, in itself is not dangerous. The danger comes from how it is used. Eval functions are often used to create an executable portion of the application that is not known when the application is written or executed.

For example an eval could be used to load the appropriate module, or sub-system, based upon choices made during application usage. This use allows the application to consume less memory when running because it is only loading what is needed.

What often happens, though, is the information passed to the eval function contains data that was supplied by, or able to be modified by, the user. Applications should never trust user data until it is passed through proper sanitization methods. If the user supplied data is inadequately sanitized prior to being used by the eval function, then it is possible for a malicious user to do unintended things.
 

Liam W

Active Member
Jul 8, 2012
33
0
6
UK
cPanel Access Level
Root Administrator
Twitter
The eval function, regardless of language, in itself is not dangerous. The danger comes from how it is used. Eval functions are often used to create an executable portion of the application that is not known when the application is written or executed.

For example an eval could be used to load the appropriate module, or sub-system, based upon choices made during application usage. This use allows the application to consume less memory when running because it is only loading what is needed.

What often happens, though, is the information passed to the eval function contains data that was supplied by, or able to be modified by, the user. Applications should never trust user data until it is passed through proper sanitization methods. If the user supplied data is inadequately sanitized prior to being used by the eval function, then it is possible for a malicious user to do unintended things.
Thanks for that, bit easier to understand now :)