PHP eval() used on user input
Description
Manual confirmation is required for this alert.
This application passes user-supplied input to the PHP eval() construct, which interprets a string as PHP code and executes it directly in the running process. When user input flows into an eval() statement without proper validation or sanitization, an attacker can inject arbitrary PHP code that is executed on the server with the same privileges as the web application (typically the web server or PHP-FPM worker user), which amounts to remote code execution.
Remediation
The use of eval() on user input should be avoided entirely. Follow these remediation steps:
1. Eliminate eval() usage (Preferred Solution):
Refactor the code to avoid eval() completely. In most cases, there are safer alternatives:
// UNSAFE: Using eval() on user input
$operation = $_GET['op'];
// $operation is spliced straight into the code string, so whatever PHP
// expression the client sends is executed (the backslash keeps $result
// literal; without it the assignment target itself would be interpolated)
eval("\$result = $operation;");

// SAFE: Use a whitelist approach with predefined operations
$allowed_operations = [
    'add'      => function($a, $b) { return $a + $b; },
    'subtract' => function($a, $b) { return $a - $b; }
];
$operation = $_GET['op'] ?? '';
// The operands are validated as integers and never touch eval() either
$value1 = filter_input(INPUT_GET, 'a', FILTER_VALIDATE_INT);
$value2 = filter_input(INPUT_GET, 'b', FILTER_VALIDATE_INT);
if (isset($allowed_operations[$operation]) && is_int($value1) && is_int($value2)) {
    $result = $allowed_operations[$operation]($value1, $value2);
}

2. If eval() cannot be avoided:
Implement strict input validation using a whitelist approach. The pattern must be chosen for the exact position the value occupies in the generated code: a value matching [a-zA-Z0-9_]+ is harmless as a quoted string literal, but the same value placed before a pair of parentheses names a function to call, so validation alone does not make eval() safe in every template.

// Validate input against a strict whitelist pattern
$allowed_pattern = '/^[a-zA-Z0-9_]+$/';
$user_input = $_GET['op'] ?? '';
if (preg_match($allowed_pattern, $user_input)) {
    // Only proceed if input matches the safe pattern. The code string is
    // built from the validated value, quoted as a literal, never from the
    // raw request value
    $safe_code = '$result = ' . var_export($user_input, true) . ';';
    eval($safe_code);
} else {
    // Reject invalid input
    throw new Exception('Invalid input');
}

3. Additional security measures:
- Implement the principle of least privilege for the web application user
- Use PHP's disable_functions directive to restrict dangerous functions. Note that eval() is a language construct rather than a function, so disable_functions cannot disable eval() itself; it only limits what injected code can reach (for example system(), exec(), shell_exec(), passthru())
- Enable comprehensive logging to detect exploitation attempts
- Conduct a thorough code review to identify all instances of eval() usage
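To support the code-review step above, the following script is an added example (not code from the original alert or from the scanned application). It uses PHP's built-in tokenizer to locate every eval() in a code base and flags the calls whose argument contains a variable, which are the ones that need manual confirmation. It assumes the application consists of files ending in .php under a directory given on the command line; the "variable inside the argument" heuristic is a triage aid, not proof of a vulnerability, and it does not follow data flow from $_GET into a variable assigned elsewhere.

```php
<?php
// Added example, not code from the original alert. Finds eval() calls with
// the tokenizer (T_EVAL is a dedicated token, so no string matching is needed)
// and marks the ones whose argument contains a variable for review.
// Assumption: only files with a .php extension are scanned.

declare(strict_types=1);

/**
 * Return one finding per eval() in $source: file, line, the argument text,
 * and whether a variable appears anywhere in the argument.
 */
function find_eval_calls(string $source, string $file): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_EVAL) {
            continue;
        }

        // Collect the argument between the parentheses that follow eval,
        // tracking nesting so eval(sprintf(..., $x)) is handled.
        $depth = 0;
        $argument = '';
        $hasVariable = false;
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            $text = is_array($t) ? $t[1] : $t;
            if ($text === '(') {
                $depth++;
                if ($depth === 1) {
                    continue; // opening paren of eval(...) itself
                }
            } elseif ($text === ')') {
                $depth--;
                if ($depth === 0) {
                    break; // closing paren of eval(...)
                }
            }
            if ($depth >= 1) {
                $argument .= $text;
                // T_VARIABLE also covers "$var" interpolated in double quotes
                if (is_array($t) && $t[0] === T_VARIABLE) {
                    $hasVariable = true;
                }
            }
        }

        $findings[] = [
            'file'     => $file,
            'line'     => $tok[2],
            'argument' => trim($argument),
            'dynamic'  => $hasVariable,
        ];
    }
    return $findings;
}

/** Recursively scan a directory for .php files and collect eval() findings. */
function scan_directory(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $findings = array_merge(
                $findings,
                find_eval_calls((string) file_get_contents($path), $path)
            );
        }
    }
    return $findings;
}

function print_findings(array $findings): void
{
    foreach ($findings as $f) {
        printf(
            "%s:%d  %s  eval(%s)\n",
            $f['file'],
            $f['line'],
            $f['dynamic'] ? 'DYNAMIC (review)' : 'static',
            $f['argument']
        );
    }
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        print_findings(scan_directory($argv[1]));
    } else {
        // Constructed sample source so the script runs with no arguments.
        $sample = <<<'PHP'
<?php
$operation = $_GET['op'];
eval("\$result = $operation;");        // dynamic: variable inside the string
$r = eval('return 2 + 2;');            // static: constant string only
eval(sprintf('$x = %s;', $cfg['v']));  // dynamic: variable inside nested call
PHP;
        print_findings(find_eval_calls($sample, 'sample.php'));
    }
}
```

Run it as `php find_eval.php /path/to/app` to list every eval() with its file and line; with no argument it scans the constructed sample and reports lines 3 and 5 as DYNAMIC and line 4 as static. Treat every DYNAMIC finding as a candidate for the manual confirmation this alert requires, and trace where the variable's value originates.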