The Community Forums

Interact with an entire community of cPanel & WHM users!

How dangerous is eval() and is there a way to enable it on one account?

Discussion in 'Security' started by Liam W, Jan 4, 2013.

  1. Liam W

    Liam W Active Member

    So, I have been reading through the internet and most sites agree that the eval() php function is very dangerous.

    So, my question is this:

    Just how dangerous is the eval() function? What makes it so dangerous?

    My second question is this:

    Is there a way to give a WHM account its own private PHP installation? The reason I ask is that vBulletin requires the eval() command, so I cannot globally disable it; however, it looks as if it would be a good idea to have it disabled.

    What do you all think?
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    The eval function, regardless of language, in itself is not dangerous. The danger comes from how it is used. Eval functions are often used to create an executable portion of the application that is not known when the application is written or executed.

    For example, an eval could be used to load the appropriate module, or sub-system, based upon choices made during application usage. This use allows the application to consume less memory when running because it is only loading what is needed.

    What often happens, though, is that the information passed to the eval function contains data that was supplied by, or able to be modified by, the user. Applications should never trust user data until it is passed through proper sanitization methods. If the user-supplied data is inadequately sanitized prior to being used by the eval function, then it is possible for a malicious user to do unintended things.
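    The module-loading pattern described in the reply above, as an added example that is not from the thread or from cPanel: a loader that feeds request input to eval(), beside the same job done with a fixed allowlist and no eval() at all. The module names, paths and the sample request are constructed.

```php
<?php
// Added example (not from the thread). Constructed sample request standing
// in for $_GET; in a real application this value is attacker-controlled.
$request = ['module' => 'reports'];

// VULNERABLE: the module name is taken straight from the request and pasted
// into a string that eval() compiles as PHP source. The user's input therefore
// becomes code, running with the web server's privileges. This is the
// "unsanitized user data reaches eval" case the reply warns about.
function load_module_unsafe(array $request): void
{
    $module = $request['module'];
    eval("require 'modules/" . $module . ".php';");
}

// HARDENED: eval() is not needed to pick a module at runtime. The request
// string is only ever used as an array key against a fixed allowlist, so it
// can never be interpreted as code or as a path. Anything not on the list is
// rejected rather than guessed at (fail closed).
const MODULES = [
    'reports' => 'modules/reports.php',
    'billing' => 'modules/billing.php',
];

function resolve_module(array $request): ?string
{
    $module = $request['module'] ?? '';
    return MODULES[$module] ?? null;   // null means "not a known module"
}

function load_module_safe(array $request): void
{
    $path = resolve_module($request);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown module');
    }
    require $path;   // plain require; no string is ever compiled from input
}

load_module_safe($request);
```

    The same allowlist approach replaces most "dynamic" uses of eval(); where a third-party application such as vBulletin genuinely needs eval() for its templates, the defensive question becomes what input can reach those templates, not whether the function exists.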
     
  3. Liam W

    Liam W Active Member

    Thanks for that, bit easier to understand now :)
     
  4. ozzieonline

    ozzieonline Well-Known Member