Appendix B. Functions
As I write this, http://php.net/quickref.php lists 3,917 functions, a count that includes many language constructs that behave like functions. Rather than distinguish between the two, I have chosen to treat them all as functions.
With such a large list, I can't possibly recommend the most appropriate and secure use of each. Instead, I have chosen the ones that I think require the most attention. My choices are based upon the frequency with which each is used, the amount of risk (or protection) associated with its use, and my own experience.
For each function listed, I provide a recommendation regarding its use. While making this recommendation, I consider security to be paramount. Adjust this approach as necessary to best fit your own needs.
When a function has the same risks as another, a reference is made to the other function rather than offering a redundant explanation.
The eval() function is used for evaluating a string as PHP. For example:
<?php
$name = 'Chris';
$string = 'echo "Hello, $name";';
eval($string);
?>
This evaluates $string as if it were PHP code, so it is equivalent to the following:
<?php
$name = 'Chris';
echo "Hello, $name";
?>
eval() is very dangerous when tainted data is used. For example, if $name is tainted, an attacker can execute arbitrary PHP code:
<?php
$name = $_GET['name'];
eval($name);
?>
I recommend that you avoid using eval() when possible and when you cannot ensure that you never use tainted data in the ...
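The following is an added example, not code from the book or from its author, that puts the recommendation above into practice. It takes the common case in which eval() is reached for (filling a greeting template from request data) and shows the same result produced without ever treating user-controlled text as code, plus a guard for code that cannot drop eval() yet. The function names, the placeholder syntax and the simulated $_GET values are all assumptions made for this example.

```php
<?php
// Added example (not from the book). A greeting "template" that a developer
// might be tempted to build with eval(), shown as the risky form and as forms
// that never evaluate user-controlled text as code. Function names and the
// {placeholder} syntax are hypothetical; the $_GET values are simulated.

declare(strict_types=1);

// Risky: the caller's string becomes part of a PHP statement. Quotes or extra
// statements inside $template run with the application's privileges. Kept only
// to contrast with the safe versions below; it is never called with request data.
function greet_with_eval(string $template, string $name): string
{
    ob_start();
    eval('echo "' . $template . '";');   // $template (and $name via interpolation) become code
    return (string) ob_get_clean();
}

// Hardened: placeholders are substituted by strtr(), so the template and the
// name are only ever data. Only placeholders in the allow-list are recognised;
// anything else is left untouched and printed literally.
function greet_safely(string $template, string $name): string
{
    $allowed = ['{name}' => $name, '{today}' => date('Y-m-d')];
    return strtr($template, $allowed);
}

// Guard for code that cannot drop eval() yet: the string handed to eval() is
// selected by key from a fixed, developer-controlled set, so no request data
// can influence what gets evaluated.
function eval_from_allowlist(string $key): string
{
    static $snippets = [
        'hello' => 'return "Hello, world";',
        'time'  => 'return "It is " . date("H:i");',
    ];
    if (!array_key_exists($key, $snippets)) {
        throw new InvalidArgumentException("unknown snippet: $key");
    }
    return (string) eval($snippets[$key]);   // the code is a constant, never user text
}

// Simulated request data (constructed for the example).
$name     = $_GET['name'] ?? 'Chris';
$template = $_GET['tpl']  ?? 'Hello, {name}!';

echo greet_safely($template, $name), PHP_EOL;   // Hello, Chris!
echo eval_from_allowlist('hello'), PHP_EOL;     // Hello, world
```

The design point is that greet_safely() and eval_from_allowlist() both keep the boundary between code and data fixed at development time: in the first, request data only ever fills placeholders; in the second, request data only ever selects among snippets the developer wrote. Reviewing a code base for eval() calls whose argument is not a literal or a value drawn from such an allow-list is a quick way to find the cases the passage warns about.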