Prove this PHP eval of a function is dangerous

I am looking at the following block of code and cannot find a working example of how eval would be dangerous in this specific case.

I realize eval is dangerous, never to be used, there are always better ways to do it, etc., but for my own curiosity I want to define how this code block is dangerous.

In the case below, $z's value is controlled by the user but is single quoted (and, as far as I know, therefore cannot explode another variable). Applying a single quote inside of $z to break the string is not possible.

function bar($x) {
    echo $x;
}

$z = 'USER CONTROLLED INPUT';
eval("bar(\$z);");


Well, if you forgot to escape $z then someone could always do something like:

$z = '); unlink('/files/importantfile.data');

In your case, there is nothing wrong with it other than the potential to forget escaping!
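The contrast the answer describes, as an added example that is not from the question or the answer: the escaped form hands eval() the source text `bar($z)` so the user's string stays data, while the unescaped (interpolated) form splices the user's string into the source text before it is compiled. The marker string is constructed and only echoes text; nothing is deleted.

```php
<?php
// Added example (not the poster's code). Shows why "bar(\$z)" is safe and what
// "forgetting to escape" turns it into. The user input below is constructed and
// carries only the quote and ")" needed to end a quoted literal, plus a harmless echo.

function bar($x) {
    return "bar received: " . $x . "\n";
}

$z = "'); echo 'CODE RAN'; //";   // constructed user-controlled input

// Form 1 (the question's code): the backslash keeps "$z" literal in the
// double-quoted string, so the text eval() compiles is exactly:   echo bar($z);
// eval() runs in the calling scope, reads the variable, and passes its contents
// to bar() as a plain string. The contents are never parsed as PHP.
$safe = "echo bar(\$z);";
echo "compiling: ", $safe, "\n";
eval($safe);
// prints: bar received: '); echo 'CODE RAN'; //

// Form 2 (the unescaped case the answer warns about): $z is interpolated into the
// source text first, so the quote and ")" inside it close the literal and the
// rest of the string is compiled and executed as code.
$unsafe = "echo bar('$z');";
echo "compiling: ", $unsafe, "\n";   // echo bar(''); echo 'CODE RAN'; //');
eval($unsafe);
// prints: bar received:
//         CODE RAN          <- the injected statement executed

// The fix needs no escaping rules at all: the eval() adds nothing here, so call
// the function directly and the input can only ever be an argument.
echo bar($z);
```

Run with `php example.php`; the "compiling:" lines show the exact source text each eval() receives, which is the quickest way to check whether user input has become code.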