28 October 2006
Eval in a Sandbox
You might call me an outspoken critic of eval.
However, it can sometimes be a necessary evil. Even when eval is the only way to solve a problem, it is still a security concern. Therefore, I'd like to present a safer way to call eval. It still lets an attacker call system("rm -rf /"), so it is scope isolation rather than a true security sandbox, but it does prevent the evaluated code from clobbering your script's variable scope: anything the code needs has to be passed in explicitly, and anything it assigns stays inside the wrapper function.
$fnEvalCode = create_function('$code, $variable1, $variable2', 'return eval($code);'); /* Pass in every variable the evaluated code needs; nothing else from the calling scope is visible to it, and variables it creates die with the function call. */
$result = $fnEvalCode($code, $variable1, $variable2); /* create_function() was deprecated in PHP 7.2 and removed in PHP 8.0; an anonymous function (closure) does the same job on current versions. */
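The following is an added example, not code from the original post, showing the difference between a direct eval and the wrapped form in a runnable script. It uses a closure in place of create_function(), since that function no longer exists in PHP 8; the helper name evalInScope and the sample strings are my own.

```php
<?php
// Added example (not from the original post): a direct eval() shares the
// caller's scope and can clobber its variables, while eval() run inside a
// separate function only sees what is explicitly passed in. A closure is
// used as the modern replacement for create_function() (removed in PHP 8.0).

declare(strict_types=1);

/**
 * Run $code with eval() in a fresh function scope.
 * Only the entries of $vars (plus $code/$vars themselves) are visible to the
 * evaluated code; the caller's own variables are not, and anything the code
 * assigns is discarded when this function returns.
 *
 * This isolates *scope*, nothing else: the evaluated code can still call
 * system(), read files, or talk to the database.
 */
function evalInScope(string $code, array $vars = [])
{
    // A closure with no `use` clause shares no variables with the caller.
    $runner = static function (string $code, array $vars) {
        // Bring only the explicitly supplied variables into this local scope.
        extract($vars, EXTR_SKIP);
        return eval($code);
    };
    return $runner($code, $vars);
}

// --- Demonstration with constructed input ---
$secret    = 'caller-owned value';
$untrusted = '$secret = "overwritten"; return $secret;';   // constructed sample

// 1. Direct eval shares the caller's scope, so $secret is clobbered.
$direct = eval($untrusted);
echo "direct eval returned:  $direct\n";                  // overwritten
echo "caller's \$secret is:  $secret\n";                  // overwritten

// 2. Wrapped eval: the assignment happens in the wrapper's scope only.
$secret  = 'caller-owned value';
$wrapped = evalInScope($untrusted);
echo "wrapped eval returned: $wrapped\n";                 // overwritten
echo "caller's \$secret is:  $secret\n";                  // caller-owned value

// 3. Variables reach the evaluated code only when passed in explicitly.
echo evalInScope('return $a + $b;', ['a' => 2, 'b' => 3]), "\n";   // 5

// 4. The wrapper is not a security boundary: dangerous calls still work,
//    so untrusted input must never reach eval() regardless of wrapping.
echo evalInScope('return function_exists("system") ? "system() reachable" : "n/a";'), "\n";
```

Run it with `php eval_scope.php`; the second pair of lines shows the caller's $secret surviving the evaluated assignment, while step 4 shows that the wrapper does nothing to restrict which functions the code may call.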

