1.2.1469. eval() Without Try
A try/catch block around eval() catches the ParseError that PHP 7 throws when the string is not valid PHP code, so the script can recover instead of stopping with a fatal error. It does not catch security problems: syntactically valid code supplied by an attacker runs normally inside the try block, and no exception is raised. Avoid using eval() with incoming data.
<?php
$code = 'This is no PHP code.';

// PHP 5 style: eval() of invalid code emits a parse error that stops the
// script at execution time; there is nothing to catch. Commented out here
// so that the PHP 7 version below can run.
// eval($code);

// PHP 7 style: eval() throws a ParseError, which can be caught.
try {
    eval($code);
} catch (ParseError $e) {
    cleanUpAfterEval();
}

// Placeholder for the application's own recovery logic; the original page
// calls this function without defining it.
function cleanUpAfterEval()
{
    echo 'eval() failed, cleaning up', PHP_EOL;
}
?>
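The following is an added example, not code from the Exakat documentation. It shows what the try/catch actually buys: a malformed string is caught as a ParseError, but a syntactically valid string built from (constructed) request input executes without any exception, which is why the rule warns against eval() on incoming data. The runOperation() helper and its ALLOWED_OPERATIONS table are assumptions for illustrating the safer alternative of mapping input to a fixed set of operations instead of evaluating it.

```php
<?php
// Added example (not part of the Exakat documentation).
declare(strict_types=1);

// Constructed inputs, standing in for values read from an HTTP request.
$malformed = 'This is no PHP code.';   // not valid PHP: eval() throws ParseError
$malicious = 'return php_uname();';    // valid PHP: runs; could equally call system()

function runWithEval(string $code): string
{
    try {
        $result = eval($code);
        return 'executed: ' . var_export($result, true);
    } catch (ParseError $e) {
        // Only syntax errors reach this branch; a well-formed payload never does.
        return 'caught ParseError: ' . $e->getMessage();
    }
}

echo runWithEval($malformed), PHP_EOL;  // caught ParseError: ...
echo runWithEval($malicious), PHP_EOL;  // executed: '<uname output>' (try/catch did not help)

// Safer alternative (assumed design, not from the page): never pass user input
// to eval(). Map a request parameter to one of a fixed set of operations.
const ALLOWED_OPERATIONS = [
    'sum'   => 'array_sum',
    'max'   => 'max',
    'count' => 'count',
];

function runOperation(string $name, array $values)
{
    if (!array_key_exists($name, ALLOWED_OPERATIONS)) {
        // Unknown names are rejected rather than interpreted.
        throw new InvalidArgumentException("Unknown operation: $name");
    }
    $fn = ALLOWED_OPERATIONS[$name];
    return $fn($values);
}

echo runOperation('sum', [1, 2, 3]), PHP_EOL;   // 6

try {
    runOperation('return php_uname();', [1, 2, 3]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
?>
```

The first half demonstrates the rule's point: ParseError is a robustness mechanism, not a sandbox. The second half shows the shape of the fix the page recommends, where request data selects a behaviour from an allow-list rather than becoming code.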
1.2.1469.1. Suggestions
Always wrap eval() calls in a try/catch block that handles ParseError. This only protects against invalid code, not against untrusted code, so do not pass incoming data to eval().
1.2.1469.2. Specs
Short name | Structures/EvalWithoutTry
Rulesets |
Exakat since | 0.8.4
PHP Version | With PHP 7.0 and more recent
Severity | Critical
Time To Fix | Quick (30 mins)
Changed Behavior | PHP 7.0 - More
Precision | Very high
Features | eval
Examples |
Related rule |
Available in |