Edit report at https://bugs.php.net/bug.php?id=62397&edit=1
ID: 62397
Comment by: spamik at yum dot pl
Reported by: spamik at yum dot pl
Summary: disable_functions = eval does not work
Status: Re-Opened
Type: Feature/Change Request
Package: *General Issues
PHP Version: 5.3.14
Block user comment: N
Private report: N

New Comment:

Good point about assert and preg_replace /e - there also should be an option to disable them then (especially this /e in preg_replace). Writers of malicious code so far did not have to use them because eval is enabled in every PHP version...

As for eval etc., the documentation states that it should be avoided by developers - and it actually is. However, it is used to mask infected, malicious code by those that hacked PHP software. eval is commonly used to evaluate a base64_encoded string, and that makes it very hard to see what the code is doing and to detect it automatically (by something like antivirus software).

The change to magic_quotes_gpc in PHP 5.4 is a much greater change than turning off eval by default would be. Since most legitimate software doesn't use it (since the documentation says it's bad), it would affect only very few. This also would not increase security. However, it would make code infections so much easier to detect and to analyze their nature.

Previous Comments:
------------------------------------------------------------------------
[2012-06-24 11:25:51] ni...@php.net

Irregardless of the FR, I'd like to point out that eval() is a useful and legitimate language construct. It *definitely* will not be disabled by default. I won't argue with the fact that it is commonly misused by ignorant developers, but this does not mean that eval() itself is in any way fundamentally "evil".

Also, I completely do not understand your argument that people are migrating to other languages because PHP has an eval() construct. All dynamic languages have an eval() function, including JS, Python and Ruby.

Furthermore, you should realize that disabling eval() will not likely improve the security of your application. There are just too many other ways to execute code. E.g. the assert() function can be used to evaluate arbitrary code. Or the preg_replace /e modifier.

But in any case, I don't really see why eval() is a language construct. In my eyes it could just as well be a function. This would make it disableable and would also provide other advantages, like allowing its use as a callback function.
------------------------------------------------------------------------
[2012-06-24 10:05:00] larue...@php.net

Okay, change to FR makes sense to me.
------------------------------------------------------------------------
[2012-06-24 04:08:24] spamik at yum dot pl

I think that not only should that be done, but it should also be made the default PHP behavior, to stop the widespread madness of PHP code infection. Eval should be disabled by default in PHP, like 5.5 ...
------------------------------------------------------------------------
[2012-06-24 04:02:31] spamik at yum dot pl

Feature request then.
------------------------------------------------------------------------
[2012-06-24 03:59:29] krzf83 at gmail dot com

Treat it as a feature request if it helps you sleep at night. However, this issue is critical in the face of the current malicious code boom. Eval (by base64_encode etc.) does not allow for any scanning and detection. This functionality of PHP has begun its downfall really. People are migrating to other languages just because infections there are rare and code cannot be obfuscated just like that!
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=62397

--
Edit this bug report at https://bugs.php.net/bug.php?id=62397&edit=1
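The thread turns on a detection question: the reporter's complaint is that eval over a base64-decoded string hides what infected code does from automated scanning, and the maintainer's reply is that assert() and the preg_replace /e modifier give the same capability even if eval were disabled. The following is an added example of a defender-side source scanner for exactly those three patterns; it is not code from the bug report or from PHP itself. The sample PHP lines, the pattern names and the function names are constructed for the demonstration.

```python
import re

# Constructed sample PHP source lines (not taken from the bug report), each
# labelled with what it is meant to exercise.
SAMPLES = {
    "obfuscated_eval": "<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>",
    "assert_string": "<?php assert($_REQUEST['x']); ?>",
    "preg_e": "<?php echo preg_replace('/(.*)/e', 'strtoupper(\"\\1\")', $s); ?>",
    "benign": "<?php echo htmlspecialchars($name); ?>",
    "benign_decode": "<?php $raw = base64_decode($payload); ?>",
}

# Heuristic patterns for the three code-execution paths discussed in the thread.
# PHP function names are case-insensitive, hence re.I on each pattern.
PATTERNS = [
    # eval() whose argument is produced by a decoding/decompression call:
    # the "eval of a base64 string" shape the reporter says defeats scanning.
    ("eval-of-decoded-string",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # assert() applied to a variable: a string argument is evaluated as code
    # in PHP 5, which is the alternative path the maintainer points out.
    ("assert-on-dynamic-input",
     re.compile(r"\bassert\s*\(\s*\$", re.I)),
    # preg_replace() whose first argument is a literal pattern carrying the
    # /e modifier: group 1 is the PHP quote, group 2 the regex delimiter,
    # and the modifier run between the closing delimiter and the quote
    # must contain an 'e'.
    ("preg_replace-e-modifier",
     re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.).*?\2[a-zA-Z]*e[a-zA-Z]*\1", re.I)),
]


def scan_line(line):
    """Return the names of all patterns that match one line of PHP source."""
    return [name for name, rx in PATTERNS if rx.search(line)]


def scan_source(text):
    """Scan a whole PHP file body; return (line number, pattern name) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in scan_line(line):
            findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    body = "\n".join(SAMPLES.values())
    for lineno, name in scan_source(body):
        print(f"line {lineno}: {name}")
```

The scanner is deliberately a heuristic: it flags the literal shapes the thread names and leaves a plain base64_decode() call alone, so it illustrates why the maintainer's point matters. Disabling eval alone would not remove the assert() or /e paths, and server-side the function-based paths are the ones disable_functions can actually cover, while a source scanner like this one is what remains for spotting the decode-then-eval idiom the reporter describes.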