
I know that eval is the function in PHP to execute PHP code from an input. Now I want to make a W3Schools-like editor. What can I do to protect eval code that I get from a POST variable?

$code = eval($_POST["phpusercode"]); // runs whatever the client submitted, as PHP
echo $code;                          // eval() returns the code's `return` value, not its output

What I want to do is when a user will make a function like this

I want to give user the ability to write his own PHP code on my site without making my website vulnerable to some sort of hacking.

  • to display -- no. to execute -- yes Commented Jul 2, 2014 at 9:04
  • You can ask the people of writecodeonline.com/php how they did it perhaps, this discussion would lead way too far considering all the involved security risks. Commented Jul 2, 2014 at 9:07

1 Answer


eval evaluates code, so, as @sectus says in the comments, it executes the code.

For example:

eval("echo 'Hello user';"); // This will execute echo 'Hello user'; (the string must be a complete statement, so the semicolon is required)

So, in your case I think you don't want to execute your user code, so please clarify your question and update it.

IMPORTANT:

  • Use of eval is highly discouraged
  • NEVER EVER use eval with params from POST/GET without sanitizing them

Useful links:

When eval is evil

Avoid SQL injection


1 Comment

Just as a quick reminder: POST and GET are not the only user-controlled variables. You should check out COOKIE and all other HTTP header parameters.
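To make the answer's point concrete, here is an added example (not code from the question, the answer or any project): the asker's eval() pattern with its problem spelled out in comments, next to a display-only handler for a W3Schools-style page that shows code instead of running it. It assumes the form field is named "phpusercode" as in the question, and that the script is served directly by PHP.

```php
<?php
// UNSAFE: eval() compiles and runs whatever arrives in the request as PHP, with the
// web server's privileges. $_POST, $_GET, $_COOKIE and the headers in $_SERVER are
// all client-controlled, and no filter turns arbitrary text into safe code, so the
// fix is to stop calling eval() on request data, not to "sanitize" it.
function unsafe_handler(): void
{
    $code = eval($_POST["phpusercode"]); // the submitted code runs here, output included
    echo $code;                          // eval() only returns the code's `return` value
}

// SAFE for an editor that only has to *show* code: treat the submission as text.
// highlight_string() HTML-escapes the source before adding markup, so the result
// is rendered, never executed, and it cannot inject script into the page either.
function display_only_handler(): void
{
    $submitted = (string)($_POST['phpusercode'] ?? '');
    if (strlen($submitted) > 10000) {    // cap the size before doing any work on it
        http_response_code(413);
        return;
    }
    header('Content-Type: text/html; charset=UTF-8');
    // highlight_string() emits inline style attributes, so allow only those.
    header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'");
    echo '<h1>Your code</h1>';
    echo highlight_string($submitted, true); // escaped and highlighted, never run
}

display_only_handler();
```

If the site really must execute submissions, that has to happen outside the web server process, in an isolated environment with resource limits; the display-only handler above is the part that can safely live in the page itself.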
