Yes, when I checked out the manual page for eval() it did occur to me that it did open up significant potential for abuse. As it happens I am passing user supplied values into these variables, but I validate all my input anyway to prevent people from modifying my queries etc. I have observed that PHP doesn't seem to be very naturally defensive, but I guess no server-side scripting language is, except maybe JSP.
Cheers, James
--
--------------------------------------------------------
www.jholt.co.uk : affordable business website solutions
www.htpshareware.com : software for the disorganized
--------------------------------------------------------
"You don't need eyes to see, you need vision" - Maxi Jazz

"Mike Ford" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On 30 January 2004 12:35, jimbo wrote:
>
> > Great - thanks v. much Mike. I don't know why there was no mention of
> > eval() in the section of the manual on Variable Parsing.
>
> Possibly because they didn't want to get into the security issues involved.
> It sounds like you're ok there, as you only intend putting very controlled
> values into the database.
>
> The problem comes if you're potentially eval()-ing user-supplied values that
> have been insufficiently validated. Just suppose, for example, that it was
> possible for a user to somehow get a value such as 'system("rm
> /etc/passwds")' inserted into the database in a field that you then
> eval()...
>
> Cheers!
>
> Mike
>
> ---------------------------------------------------------------------
> Mike Ford, Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS, LS6 3QS, United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
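The scenario Mike describes above, as an added example that is not part of the thread and not James's or Mike's code: a string is fetched from a database and handed to eval() so that PHP's variable parsing expands `{$name}`-style placeholders in it. The function names, the template format and the sample values are assumptions made for the illustration. The first function is the eval()-based pattern; a single double quote in the stored string ends the string literal and the rest of the field runs as PHP (print() here stands in for the system() call in Mike's example, and would execute just the same). The second function does the same substitution with a literal replacement over a whitelist of placeholder names, so the stored text is never executed as code.

```php
<?php
// Added illustration for the eval() discussion above; not code from the thread.
// Assumed template format: "{$name}" placeholders expanded from a fixed array.

// Constructed sample values (assumption: fixed keys, so extract() below cannot
// be made to overwrite arbitrary variables).
$values = ['name' => 'James', 'site' => 'www.jholt.co.uk'];

// Vulnerable: interpolation via eval(). The template text becomes part of the
// PHP source that eval() compiles, so anything in it is executable.
function interpolate_with_eval(string $template, array $values): string
{
    extract($values);          // eval() shares this scope, so $name/$site resolve
    $out = '';
    eval('$out = "' . $template . '";');
    return $out;
}

// Safe: only {$identifier} tokens are replaced, by plain string substitution.
// Unknown placeholders are left untouched rather than evaluated.
function interpolate_safely(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($values): string {
            return array_key_exists($m[1], $values) ? (string) $values[$m[1]] : $m[0];
        },
        $template
    );
}

// A benign template of the kind that would legitimately be stored.
$benign = 'Hello {$name}, welcome to {$site}.';
echo interpolate_with_eval($benign, $values), PHP_EOL;
echo interpolate_safely($benign, $values), PHP_EOL;

// Constructed hostile field, as if it reached the database without validation.
// eval() sees:  $out = "Hello"; print("<< code ran >>"); $dummy = "";
// The print() executes. Mike's system("rm ...") would run the same way.
$hostile = 'Hello"; print("<< code ran >>"); $dummy = "';
echo interpolate_with_eval($hostile, $values), PHP_EOL;
echo interpolate_safely($hostile, $values), PHP_EOL;   // printed back verbatim
```

Run it with `php example.php`. The safe version also handles the other breakout Mike's scenario allows, `{${expression}}` inside the double-quoted string, because that text never reaches the compiler; the pattern only matches a bare identifier after `{$`, so anything else in the field is treated as literal text. Validating the values, as James does, does not help here: the code that runs comes from the stored template, not from the values substituted into it.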