On Tue, Feb 15, 2011 at 05:02:51PM -0500, Brian Waters wrote:

> On Mon, Feb 14, 2011 at 11:49 PM, Paul M Foster <pa...@quillandmouse.com>
> wrote:
> > Advice: don't use eval() this way. It's slow and dangerous.
> Could you elaborate, or provide a link?

A year or two on this list. The comments in the php.net article on
eval(). Experience with other languages which have similar constructs.
See also Appendix B on Functions in *Essential PHP Security*, a thin but
important book to have. The eval() function is the first one the author
cautions against, and explains why.

I wouldn't use eval() unless I constructed the input for it myself and
was fairly sure I could trust what I constructed. But that's just me.

> > ...read in the file and pass it to you on the stack, which is
> > really an abuse of the stack if you can avoid it.
> Interesting. I'm used to statically-typed languages. Normally I never
> would have passed a large structure like that on the stack. But then
> again, in those languages, large structures are usually passed by
> reference, by default. In C, the only way to pass a string or array by
> value is to wrap it in a struct, and in Java, objects are passed by
> reference (if I recall correctly).

C strings are peculiar animals, as K & R point out. By default, function
parameters in PHP are passed by value. You can pass them by reference,
but it's the exception rather than the rule.


Paul M. Foster
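The pattern the thread warns against, reading a file and handing its contents to eval(), shown next to a version that parses the file as data instead. This is an added example, not code from the thread or from the book cited above; loadSettingsUnsafe(), loadSettingsSafe() and the INI-style settings file are hypothetical.

```php
<?php
// Added example (not from the thread). Both functions are hypothetical.

// Pattern the thread warns against: the file's contents run as PHP code, so
// whoever can write that file (or influence $path) controls the interpreter.
// eval() returns whatever the evaluated code returns, or NULL.
function loadSettingsUnsafe(string $path)
{
    $code = file_get_contents($path);
    return eval($code);
}

// Hardened version: treat the file as data, never as code. parse_ini_string()
// only ever yields scalars and arrays; nothing in the file is executed.
function loadSettingsSafe(string $path, array $allowedKeys): array
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("cannot read settings file: $path");
    }
    // INI_SCANNER_TYPED turns "true"/"false" into bools and digit strings into ints.
    $parsed = parse_ini_string($raw, false, INI_SCANNER_TYPED);
    if ($parsed === false) {
        throw new RuntimeException("settings file is not valid INI: $path");
    }
    // Keep only keys the application knows about; unexpected keys are dropped.
    return array_intersect_key($parsed, array_flip($allowedKeys));
}

// Constructed sample input, written to a temp file so the example runs offline.
$tmp = tempnam(sys_get_temp_dir(), 'settings');
file_put_contents($tmp, "debug = true\nmax_items = 25\nunknown = 1\n");

$settings = loadSettingsSafe($tmp, ['debug', 'max_items']);
var_dump($settings);   // debug => bool(true), max_items => int(25); "unknown" is gone

unlink($tmp);
```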

PHP General Mailing List (http://www.php.net/)