
Eval($_POST[cmd]) - brevis
https://github.com/search?l=php&q=eval%28%24_POST&ref=searchresults&type=Code&utf8=%E2%9C%93
======
krapp
Yet more abuse of $_POST in PHP. The language should taint user supplied data
by default so this wouldn't even run without throwing an exception, at the
very least.

Why does eval() exist in so many programming languages, and when is using it
not the worst possible option?

~~~
notacoward
It's not the worst possible option when you want to wrap a command _you
yourself wrote_ in some extra stuff. For example, in a test script, you might
pass the command to a function that

(1) Prints some info about the test that's about to execute

(2) Evals the command

(3) Checks/reports the result

Given the choice I'd rather use lambda, but not all languages make that very
convenient/readable. In such languages, a carefully used eval might be
preferable to ad-hoc interpretation.
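
The harness pattern described in the comment above, written out as an added example (not code from the thread): one version feeds eval() a string the developer wrote in the script, the other takes a closure, which is the lambda alternative both commenters prefer. The function names runEvalTest and runClosureTest are my own; PHP 7.4 or later is assumed for the arrow function.

```php
<?php
declare(strict_types=1);

// Variant 1: eval() over a string literal written by the developer. This is
// the "wrap a command you yourself wrote" case: the string is part of the
// script, never taken from the request.
function runEvalTest(string $name, string $code, $expected): bool
{
    echo "Running {$name}: {$code}\n";                 // (1) print info about the test
    $actual = eval("return {$code};");                  // (2) eval the command
    $ok = ($actual === $expected);                      // (3) check the result
    echo $ok ? "  PASS\n" : "  FAIL (got " . var_export($actual, true) . ")\n";
    return $ok;
}

// Variant 2: the same harness, but the command is a closure. Nothing is parsed
// as code at runtime, so there is no string for request data to end up in.
function runClosureTest(string $name, Closure $test, $expected): bool
{
    echo "Running {$name}\n";                           // (1) print info
    $actual = $test();                                  // (2) run the command
    $ok = ($actual === $expected);                      // (3) check the result
    echo $ok ? "  PASS\n" : "  FAIL (got " . var_export($actual, true) . ")\n";
    return $ok;
}

runEvalTest('strlen literal', "strlen('abc')", 3);     // prints PASS
runClosureTest('strlen closure', fn() => strlen('abc'), 3); // prints PASS

// For contrast, the pattern the GitHub search in the title turns up: the
// string comes from the HTTP request, so the sender of the request, not the
// developer, decides what the server executes.
// eval($_POST['cmd']);   // never do this
```

Both variants keep the print/evaluate/report structure; only the closure version removes the runtime code-parsing step entirely.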

~~~
krapp
Fair enough. Although even then I would consider using a function or a class
or lambda first, I suppose as long as you completely control the code being
evaled it's not fundamentally different than any other string or code on the
server. It would still fill me with a gnawing sense of dread though.

------
DrinkWater
So what? What is the point of this? Is this again one of these "php developers
are 'special' people"-posts?

~~~
timboslice
I'm guessing he's just showing us the dork (search phrase) to find these vulns
and outline how stupid... errr special people can be

~~~
agumonkey
Some things are utterly weird. A jpg file with php code is not idiocy, it's
either security learning or plain hackery. Reminds me of my beloved wordpress
days.

