1.2.1469. eval() Without Try

eval() throws a ParseError exception with PHP 7 and later. Catching this exception is the recommended way to handle errors when using the eval() function.

Note that the catch block only covers situations where eval() is given code that cannot be parsed; it does not catch security problems, since syntactically valid code is executed regardless. Avoid using eval() with incoming data.

<?php

$code = 'This is no PHP code.';

// Stub for the clean-up the catch block would normally perform
// (release resources, log the failure, restore state, ...)
function cleanUpAfterEval() {
}

//PHP 5 style: no try/catch around eval()
eval($code);
// On PHP 7 and later the ParseError is uncaught here and ends the script
// with a Fatal error at execution time, so the code below is only reached
// once this call is removed.

//PHP 7 style: the ParseError is catchable
try {
    eval($code);
} catch (ParseError $e) {
    cleanUpAfterEval();
}

?>
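The following is an added example, not code from the Exakat documentation, showing how a wrapper around eval() can report the three outcomes a caller has to tell apart: a ParseError for unparsable input, a runtime Throwable raised by the evaluated code, and a successful run. It assumes PHP 7.0 or later; runSnippet() and the sample inputs are hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Exakat): runs a snippet through eval()
// and turns every outcome into a plain array instead of a fatal error.
function runSnippet(string $code): array
{
    try {
        // eval() returns whatever the snippet returns (null when it returns nothing)
        $result = eval($code);
        return ['status' => 'ok', 'result' => $result];
    } catch (ParseError $e) {
        // Only reached on PHP 7.0 and later: the snippet could not be parsed
        return ['status' => 'parse_error', 'message' => $e->getMessage()];
    } catch (Throwable $e) {
        // Runtime failures inside the evaluated code (Error subclasses and
        // exceptions); ParseError must be caught first because it is a Throwable too
        return ['status' => 'runtime_error', 'message' => get_class($e) . ': ' . $e->getMessage()];
    }
}

// Constructed sample inputs covering the three outcomes
$samples = [
    'parse error'   => 'This is no PHP code.',
    'runtime error' => 'return intdiv(1, 0);',
    'valid code'    => 'return 6 * 7;',
];

foreach ($samples as $label => $code) {
    $outcome = runSnippet($code);
    printf("%-13s => %s\n", $label, json_encode($outcome));
}
```

The third sample is the point of the caveat above: the try/catch reports a clean 'ok' because the string parsed and ran, so a catch block protects the script against crashes, not against the content of $code. Whether a snippet is safe to run has to be decided before eval() is called, which for incoming data means not calling it at all.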

1.2.1469.1. Suggestions

  • Always add a try/catch block around eval() calls

1.2.1469.2. Specs

Short name

Structures/EvalWithoutTry

Rulesets

All, Analyze, CE, CI-checks, Changed Behavior, Security

Exakat since

0.8.4

PHP Version

With PHP 7.0 and more recent

Severity

Critical

Time To Fix

Quick (30 mins)

Changed Behavior

PHP 7.0 - More

Precision

Very high

Features

eval

Examples

FuelCMS, ExpressionEngine

Related rule

Could Use Try

Available in

Entreprise Edition, Community Edition, Exakat Cloud