Disable the PHP eval function for templates

Started by davo88, March 15, 2024, 08:02:41 PM

davo88

Just wondering if someone could explain in simple terms, in what circumstances would you have the setting 'Disable the PHP eval function for templates' turned on, and in what circumstances would you turn it off.
I don't write PHP code myself so I don't really understand it. But I do use PHP written by others. From what I read in the PHP manual (see below), it seems to be enabled by default as protection against malicious code (?). If articles are only being posted by admins, is there some flexibility or advantage to be gained by turning it off?
Any explanations appreciated.
 
The PHP manual says:
Quote: Evaluates the given code as PHP.

The code being evaluated inherits the variable scope of the line on which the eval() call occurs. Any variables available at that line will be available for reading and modification in the evaluated code. However, all functions and classes defined will be defined in the global namespace. In other words, the compiler considers the evaluated code as if it were a separate included file.

Caution
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

tino

eval in PHP is, as you've mentioned, avoided if possible. In some situations you have to use it as there isn't an alternative; block codes, for instance, use it and there isn't an alternative. However, all the other functionality built into the templates logic can run without it, so you can disable it for those instances.
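To make the distinction tino draws concrete, here is an added illustration (not TinyPortal's own code) of a block template rendered two ways: a plain placeholder substitution that never treats the template as code, an eval-based renderer of the kind the setting switches off, and a check that tells an admin whether a given template actually needs eval. It assumes a hypothetical `{{name}}` placeholder syntax and the constructed sample templates shown.

```php
<?php
// Added example, not TinyPortal code: rendering a block template with and without eval.
// Assumed placeholder syntax: {{name}}; values are HTML-escaped before insertion.

declare(strict_types=1);

/**
 * Safe renderer: the template is data, never code. Only {{placeholder}}
 * tokens are substituted; any PHP tags in the template stay inert text.
 */
function render_without_eval(string $template, array $vars): string
{
    $replacements = [];
    foreach ($vars as $name => $value) {
        $replacements['{{' . $name . '}}'] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($template, $replacements);
}

/**
 * Check whether a template really needs eval: true only if it contains PHP
 * open tags. Anything else can be served by render_without_eval(), so the
 * "Disable the PHP eval function for templates" setting can stay on.
 */
function template_needs_eval(string $template): bool
{
    return preg_match('/<\?(php\b|=)/i', $template) === 1;
}

/**
 * Eval-based renderer, the mode the setting turns off. The template is
 * executed as PHP and, as the manual says, inherits the variables in scope
 * here, so whatever code it contains runs with them.
 */
function render_with_eval(string $template, array $vars): string
{
    extract($vars, EXTR_SKIP);      // expose $vars to the evaluated code
    ob_start();
    eval('?>' . $template);         // leading '?>' so the template body starts in HTML mode
    return (string) ob_get_clean();
}

// Constructed sample templates: one plain, one that embeds PHP.
$plain = '<div class="block">Hello, {{user}}!</div>';
$coded = '<div class="block">Hello, <?= strtoupper($user) ?>!</div>';

var_dump(template_needs_eval($plain));   // plain text: safe renderer suffices
var_dump(template_needs_eval($coded));   // embedded code: works only with eval enabled
echo render_without_eval($plain, ['user' => 'davo88 <b>']), "\n";
```

Running `template_needs_eval()` over every stored block template is a quick way to find out whether the eval setting is needed at all on a given site.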