Do not use eval()

ID

php.no_use_eval

Severity

low

Resource

Risky Values

Language

Php

Tags

CWE:95, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Avoid dynamic evaluation of code, such as eval(code).

If the user has control over the evaluated code (for example, because the code string is concatenated with user-supplied data), this leads to 'script injection' vulnerabilities, which can be exploited in well-known security attacks.

Rationale

The eval() function in PHP takes a string as input and executes it as PHP code. This creates a significant security risk: any unsanitized user input that reaches eval() can lead to code injection.

For example, consider the following insecure PHP code:

<?php
    // Untrusted request data is executed directly as PHP code.
    $user_input = $_GET['code'];
    eval($user_input);
?>

If an attacker supplies the following input in the URL:

code=phpinfo();

the application executes the phpinfo() function, potentially exposing sensitive server information. A more dangerous payload could allow an attacker to gain full control over the system.

Additionally, eval() makes the code harder to debug and maintain, because it introduces dynamically generated code that cannot be analyzed statically.

Using eval() to parse JSON strings is unsafe and can lead to security vulnerabilities, such as code injection.

Remediation

To eliminate the risks associated with eval(), consider the following safer alternatives:

Sanitize and Validate Input:

If user input is required, apply strict validation and whitelisting so that only expected values are accepted before they influence any call.

Use Safer String Parsing Techniques:

If eval() is being used for configuration handling, use json_decode() or parse_ini_file() instead; both parse data without executing it.

Example (safe JSON decoding):

<?php
    $json_string = '{"name": "John", "age": 30}';
    // Second argument true: decode into an associative array rather than stdClass.
    $data = json_decode($json_string, true);
    echo "User: " . $data['name'];
?>

Avoid Dynamic Code Execution:

If eval() is used to call a function whose name is chosen at runtime, use call_user_func() or call_user_func_array() instead, after checking that the target is one the application intends to expose.

Example (safe function execution):

<?php
    function greet($name) {
        return "Hello, " . htmlspecialchars($name);
    }

    $function_name = 'greet';
    $parameter = 'Alice';

    if (function_exists($function_name)) {
        echo call_user_func($function_name, $parameter);
    }
?>
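The following example, added here and not part of the rule page, ties the three remediations above together: a request selects an action from a fixed allowlist, the arguments are validated against the handler's declared parameter types, the call goes through call_user_func_array(), and configuration is read with json_decode() with errors raised as exceptions. The action names (greet, sum), the handler functions, ALLOWED_ACTIONS, dispatch(), parseConfig() and the sample requests are all constructed for this example; nothing here is the detector's own code.

```php
<?php
// Added example: eval()-free dispatch and configuration parsing.
// All names and sample values below are constructed for illustration.
declare(strict_types=1);

// Handlers a request is allowed to reach. The request picks a key; it can
// never supply a function name of its own.
const ALLOWED_ACTIONS = [
    'greet' => 'action_greet',
    'sum'   => 'action_sum',
];

function action_greet(string $name): string
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

function action_sum(int $a, int $b): string
{
    return (string) ($a + $b);
}

/**
 * Dispatch a request without eval(). $action and $args are untrusted;
 * both are checked before any function is called.
 *
 * @param array<int, mixed> $args positional arguments from the request
 */
function dispatch(string $action, array $args): string
{
    // 1. Allowlist lookup: unknown actions are rejected, not evaluated.
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException("Unknown action: {$action}");
    }
    $handler = ALLOWED_ACTIONS[$action];
    if (!function_exists($handler)) {
        throw new RuntimeException("Handler not defined: {$handler}");
    }

    // 2. Validate arguments against the handler's declared types, so a
    //    value such as "40; phpinfo()" is rejected instead of interpreted.
    $args = array_values($args);
    $reflection = new ReflectionFunction($handler);
    if (count($args) !== $reflection->getNumberOfRequiredParameters()) {
        throw new InvalidArgumentException('Wrong number of arguments');
    }
    foreach ($reflection->getParameters() as $i => $param) {
        $type = $param->getType();
        $expected = $type instanceof ReflectionNamedType ? $type->getName() : null;
        if ($expected === 'int') {
            if (filter_var($args[$i], FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException("Argument {$i} must be an integer");
            }
            $args[$i] = (int) $args[$i];
        } elseif ($expected === 'string') {
            $args[$i] = (string) $args[$i];
        }
    }

    // 3. Call by name through call_user_func_array(), never via evaluated source.
    return call_user_func_array($handler, $args);
}

/** Parse a configuration document with json_decode() instead of eval(). */
function parseConfig(string $json): array
{
    // JSON_THROW_ON_ERROR (PHP 7.3+) turns malformed input into a JsonException
    // rather than a silent null that later code might treat as valid.
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('Configuration must be a JSON object');
    }
    return $data;
}

// Constructed sample requests standing in for $_GET / $_POST data.
$requests = [
    ['action' => 'greet',   'args' => ['<b>Alice</b>']],        // escaped, then returned
    ['action' => 'sum',     'args' => ['2', '40']],             // "42"
    ['action' => 'sum',     'args' => ['2', '40; phpinfo()']],  // rejected: not an int
    ['action' => 'phpinfo', 'args' => []],                      // rejected: not allowlisted
];
foreach ($requests as $request) {
    try {
        echo dispatch($request['action'], $request['args']), PHP_EOL;
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Constructed configuration input; the malformed second document is caught.
foreach (['{"debug": false, "retries": 3}', '{"debug": fals'] as $doc) {
    try {
        print_r(parseConfig($doc));
    } catch (JsonException $e) {
        echo 'Bad config: ', $e->getMessage(), PHP_EOL;
    }
}
```

The allowlist is the important part: a request may only choose among keys the application defined, so there is no string that names an arbitrary function. Parameter validation through ReflectionFunction keeps the check in one place as handlers are added, and JSON_THROW_ON_ERROR makes a parse failure impossible to overlook.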

By removing eval() from the codebase, PHP applications can significantly reduce the risk of code injection attacks and improve overall security.

Configuration

This detector does not need any configuration.

References