When is eval evil in PHP?

eval is evil when there is even the slightest possibility that user input is included in the evaluated string.
When you use eval without any content that came from a user, you should be safe.

Nevertheless, you should think at least twice before using eval. It looks deceptively simple, but with error handling (see VBAssassin's comment), debuggability, etc. in mind, it is not so simple anymore.

So, as a rule of thumb:
Forget about it. When eval is the answer, you’re probably asking the wrong question! 😉
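
As an added illustration (not part of the original answer), here is one way to ask a different question: evaluating a user-supplied arithmetic expression without eval. The use case, the function names and the sample input are assumptions made for this example; the code relies on PHP 8 for `match`.

```php
<?php
// Added example (PHP 8+); function names are hypothetical. Pattern being replaced:
//   $result = eval('return ' . $_GET['expr'] . ';');  // request value becomes PHP source
function safe_calc(string $expr): float
{
    // Split into numbers, operators and parentheses; any leftover character is refused.
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('unsupported input');
    }
    $i = 0;
    $v = parse_expr($m[0], $i);
    if ($i !== count($m[0])) {
        throw new InvalidArgumentException('unexpected token');
    }
    return $v;
}

// Precedence climbing over the token list; $i is the read position.
function parse_expr(array $t, int &$i, int $minPrec = 1): float
{
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $v = parse_atom($t, $i);
    while (($p = $prec[$t[$i] ?? ''] ?? 0) >= $minPrec) {
        $op = $t[$i++];
        $r = parse_expr($t, $i, $p + 1);
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}

function parse_atom(array $t, int &$i): float
{
    $tok = $t[$i] ?? null;
    $i++;
    if ($tok === '(') {
        $v = parse_expr($t, $i);
        if (($t[$i] ?? null) !== ')') {
            throw new InvalidArgumentException('missing )');
        }
        $i++;
        return $v;
    }
    if ($tok === null || !is_numeric($tok)) {
        throw new InvalidArgumentException('expected a number');
    }
    return (float) $tok;
}

var_dump(safe_calc('2 * (3 + 4) - 1')); // constructed sample input
```

Input is only ever treated as data here: anything that is not a number, an operator or a parenthesis raises an exception the caller can catch, which also gives ordinary error handling in place of eval's.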
