> On Nov 26, 2019, at 11:27 AM, Ian Littman <ians...@gmail.com> wrote:
>
> You're right that turning off eval() isn't a silver bullet, and if you can get external code running on someone's box there are a lot worse things you can do.
>
> On Tue, Nov 26, 2019 at 10:11 AM Benjamin Morel <benjamin.mo...@gmail.com> wrote:
>
>> Hi Ian,
>>
>> IMO, eval() is secure, as long as:
>>
>> - you’re not using it, or
>> - you’re using it properly
>>
>> I’d say that as soon as your server has been compromised, eval() is the last of your worries, as pretty much anything becomes possible, including writing PHP code to a file and including/executing it. So I feel like disabling eval() will just make « hackers » have a good laugh.
There might be a good argument for turning eval() and create_function() off by default for command-line use? #jmtcw

-Mike