You can't really do much to make sure the execution of eval is safe; it's
more that you have to trust the string that you're about to eval().

So, as long as you and your production team were the only ones who put the
code into the strings or tables, and tested the code beforehand, then you're
90% there.

I'd suggest also reading all the user-contributed notes at
http://php.net/eval too.


Justin


on 02/08/02 5:26 AM, David Pratt ([EMAIL PROTECTED]) wrote:

> I am trying to get code that I have saved as a string in a database to
> evaluate as code within a larger script with a loop. There are obvious
> security concerns with allowing users to input code into the field if it is
> not preprocessed before it is evaluated. The eval function appears to be the
> ticket with PHP 4 since it will return the results as well. Has anyone got
> an example of an appropriate preprocessing strategy and/or example of eval()
> being used this way?  Thanks to those that replied to my original post.
> 
> --
> 
> Dave Pratt
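
One way to enforce the condition in the reply above, that only strings written and tested by your own team reach eval(), is to store an HMAC tag with each snippet at review time and verify it before evaluating. This is an added example, not code from the thread; it assumes PHP 7 or later, and SNIPPET_KEY, sign_snippet() and run_trusted_snippet() are hypothetical names.

```php
<?php
// Added example: eval() only snippets that carry a valid HMAC tag issued at review time.
// SNIPPET_KEY, sign_snippet() and run_trusted_snippet() are hypothetical names.

// Assumption: the key is kept outside the database (environment or config file),
// so write access to the snippets table alone cannot produce a valid tag.
$key = getenv('SNIPPET_KEY') ?: 'constructed-demo-key-do-not-reuse';

// Run by the team when a snippet is reviewed; the tag is stored next to the code.
function sign_snippet(string $code, string $key): string
{
    return hash_hmac('sha256', $code, $key);
}

// Run at request time; refuses any string whose tag does not match its content.
function run_trusted_snippet(string $code, string $tag, string $key)
{
    // hash_equals() compares in constant time.
    if (!hash_equals(sign_snippet($code, $key), $tag)) {
        throw new RuntimeException('snippet rejected: signature mismatch');
    }
    try {
        return eval($code);
    } catch (ParseError $e) {
        // Signed but syntactically broken code: fail closed instead of fataling.
        throw new RuntimeException('snippet rejected: ' . $e->getMessage());
    }
}

// Constructed sample rows standing in for (code, tag) pairs read from the database.
$approved = 'return strtoupper("row") . " ok";';
$rows = [
    ['code' => $approved, 'tag' => sign_snippet($approved, $key)],
    // Code was changed after review while the old tag was left in place.
    ['code' => 'return phpversion();', 'tag' => sign_snippet($approved, $key)],
];

foreach ($rows as $i => $row) {
    try {
        echo "row $i: ", run_trusted_snippet($row['code'], $row['tag'], $key), "\n";
    } catch (RuntimeException $e) {
        echo "row $i: ", $e->getMessage(), "\n";
    }
}
```

The check only establishes who approved the string; a signed snippet still runs with the full privileges of the script, so the review step carries the rest of the trust.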


-- 
PHP General Mailing List (http://www.php.net/)