Appendix B. Functions
As I write this, http://php.net/quickref.php lists 3,917 functions, which account for many language constructs that behave like functions. Rather than distinguish between the two, I have chosen to treat them all as functions.
With such a large list, I can’t possibly begin to recommend the most appropriate and secure use of each. Instead, I have chosen the ones that I think require the most attention. My choices are based upon the frequency with which each is used, the amount of risk (or protection) associated with their use, and my own experience.
For each function listed, I provide a recommendation regarding its use. While making this recommendation, I consider security to be paramount. Adjust this approach as necessary to best fit your own needs.
Tip
When a function has the same risks as another, a reference is made to the other function rather than offering a redundant explanation.
eval()
The eval()
function is used for evaluating a string as PHP. For example:
<?php $name = 'Chris'; $string = 'echo "Hello, $name";'; eval($string); ?>
This executes $string
as if it were PHP, so this is equivalent to the following:
<?php $name = 'Chris'; echo "Hello, $name"; ?>
While useful, eval()
is very dangerous when tainted data is used. For example, if $name
is tainted, an attacker can execute arbitrary PHP code:
<?php $name = $_GET['name']; eval($name); ?>
I recommend that you avoid using eval()
when possible and when you cannot ensure that you never use tainted data in the ...
Get Essential PHP Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.