8 comments

[ 3.2 ms ] story [ 27.9 ms ] thread
So what? What is the point of this? Is this again one of these "php developers are 'special' people"-posts?
I'm guessing he's just showing us the dork (search phrase) to find these vulns and outline how stupid... errr special people can be
Some things are utterly weird. A jpg file with php code is not idiocy, it's either security learning or plain hackery. Reminds me of my beloved wordpress days.
Also, one could argue that if you lock down servers properly, something like this could be used for instruction passing between servers/datacenters/etc... its not a good argument, but its a way of doing things.
I hope it will make people once again check their code.
Yet more abuse of $_POST in PHP. The language should taint user supplied data by default so this wouldn't even run without throwing an exception, at the very least.

Why does eval() exist in so many programming languages, and when is using it not the worst possible option?

It's not the worst possible option when you want to wrap a command you yourself wrote in some extra stuff. For example, in a test script, you might pass the command to a function that

(1) Prints some info about the test that's about to execute

(2) Evals the command

(3) Checks/reports the result

Given the choice I'd rather use lambda, but not all languages make that very convenient/readable. In such languages, a carefully used eval might be preferable to ad-hoc interpretation.

Fair enough. Although even then I would consider using a function or a class or lambda first, I suppose as long as you completely control the code being evaled it's not fundamentally different than any other string or code on the server. It would still fill me with a gnawing sense of dread though.