Appendix B. Functions

As I write this, http://php.net/quickref.php lists 3,917 functions, which account for many language constructs that behave like functions. Rather than distinguish between the two, I have chosen to treat them all as functions.

With such a large list, I can’t possibly begin to recommend the most appropriate and secure use of each. Instead, I have chosen the ones that I think require the most attention. My choices are based upon the frequency with which each is used, the amount of risk (or protection) associated with their use, and my own experience.

For each function listed, I provide a recommendation regarding its use. While making this recommendation, I consider security to be paramount. Adjust this approach as necessary to best fit your own needs.

Tip

When a function has the same risks as another, a reference is made to the other function rather than offering a redundant explanation.

eval()

The eval() function is used for evaluating a string as PHP. For example:

    <?php

    $name = 'Chris';

    $string = 'echo "Hello, $name";';
    eval($string);

    ?>

This executes $string as if it were PHP, so this is equivalent to the following:

    <?php

    $name = 'Chris';

    echo "Hello, $name";

    ?>

While useful, eval() is very dangerous when tainted data is used. For example, if $name is tainted, an attacker can execute arbitrary PHP code:

    <?php

    $name = $_GET['name'];
    eval($name);

    ?>

I recommend that you avoid using eval() when possible and when you cannot ensure that you never use tainted data in the ...

Get Essential PHP Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.