1

How can I know whether eval() is disabled or enabled on the web server? What is the PHP code to check this? Is there any PHP code to enable it if it is disabled on the server?

2
  • 1
    eval("echo 'Hello World!';"); There you go. Commented Apr 21, 2011 at 11:29
  • The typical safe_mode restrictions affect exec and co. But eval is not usually blocked. And anyway you could just work around it by using include(..file_put_contents("tmp", ...)) - so there really is no point for hosters to disable it. Commented Apr 21, 2011 at 11:34

3 Answers

5

There's nothing built into PHP which lets you disable eval (unlike other functions which you can disable).

However, you can install a security patch for PHP called Suhosin, which lets you disable eval, and also adds other security features to PHP.

http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval


1 Comment

I'm inclined to agree with you as eval is a language construct. If this is the only way to disable eval, it could be checked for with ini_get.
5

You should be able to determine if eval() exists with:

http://php.net/manual/en/function.function-exists.php

if (function_exists('eval')) {
    echo "eval() exists, it does it does!";
}

EDIT

Actually, eval() is a language construct so it can't be tested using function_exists(). However, this should work:

<?php

$isevalfunctionavailable = false;

$evalcheck = "\$isevalfunctionavailable = true;";

eval($evalcheck);

if ($isevalfunctionavailable === true) {
    echo "\$isevalfunctionavailable is true.\n";
    var_dump($isevalfunctionavailable);
}

?>

http://codepad.org/6xg2tO1K

3 Comments

This will always fail, because eval is a language construct. It's like testing for function_exists("foreach")
I'm not sure. It might just generate a fatal error instead if you test with eval(). You cannot catch those. What you could potentially do is create_function("", "eval('test');") without invoking it. This would generate a non-fatal error, I believe.
Hmm, that's a great point. Too bad you can't test for eval() with function_exists().
4

Okay, as said, eval is unlikely to be disabled. But just in case, there are three workarounds:

$eval = create_function("", "$code");
$eval();

Or even just:

assert_options(ASSERT_ACTIVE, 1);   
assert_options(ASSERT_QUIET_EVAL, 1);
assert("$code");

And the filesystem-workarounds:

file_put_contents($tmp=tempnam("/tmp", "EVAL"), "$code");
include($tmp);

All work equivalently to a straight eval.

2 Comments

The last one worked for me, but I had to replace "$code" with "<?php $code ?>"
The first two are very creative. Those have been taken down with PHP 8. create_function as well as ASSERT_QUIET_EVAL.
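
Because eval has several equivalents, a code audit has to look for all of them rather than for eval alone. The following is an added example, not code from any of the answers: a small static check built on PHP's tokenizer that reports eval, create_function, assert with a string argument, and include/require of a variable path. The function name, the finding labels and the sample input are made up for illustration, and it only catches an include whose path begins with a variable.

```php
<?php
// Added example (not from the answers): flag eval() and the eval-equivalent
// constructs shown above with PHP's own tokenizer. Requires PHP 7.1+.
function find_dynamic_code(string $source): array
{
    $includes = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $member   = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    // Drop whitespace and comments so $tokens[$i + 1] is the next meaningful token.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $findings = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) continue; // single-character tokens such as "(" or ";"
        [$id, $text, $line] = $tok;
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        $arg  = $tokens[$i + 2] ?? null;
        // A plain call: a name followed by "(", not a method call or a definition.
        $call = $id === T_STRING && $next === '('
            && !(is_array($prev) && in_array($prev[0], $member, true));
        if ($id === T_EVAL) {
            $findings[] = [$line, 'eval'];
        } elseif ($call && strtolower($text) === 'create_function') {
            $findings[] = [$line, 'create_function'];
        } elseif ($call && strtolower($text) === 'assert'
            && ($arg === '"' || (is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING))) {
            $findings[] = [$line, 'assert-string']; // string argument is run as code before PHP 8
        } elseif (in_array($id, $includes, true)) {
            $path = $next === '(' ? $arg : $next;
            if (is_array($path) && $path[0] === T_VARIABLE) {
                $findings[] = [$line, 'include-variable']; // file chosen at run time
            }
        }
    }
    return $findings;
}

// Constructed sample input, modelled on the snippets in the answers.
$sample = <<<'PHP'
<?php
$eval = create_function("", "$code");
assert("$code");
file_put_contents($tmp = tempnam("/tmp", "EVAL"), "$code");
include($tmp);
require 'config.php';
eval($code);
PHP;
foreach (find_dynamic_code($sample) as [$line, $kind]) { printf("line %d: %s\n", $line, $kind); }
```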
