PHP
Made by DeepSource

Audit required: Use of insecure eval() function found PHP-A1000

Security
Critical
Tags: A03, CWE-20, CWE-79, CWE-1004, SANS Top 25, OWASP Top 10, CWE-95

The eval() function allows execution of arbitrary PHP code. Executing code dynamically is security-sensitive and should be avoided.

In the past it has led to the following vulnerabilities:

Each occurrence of eval() should therefore be audited properly before pushing to production.

Also ensure that you are not dynamically executing code from untrusted sources (e.g., user input). If you must, run the code in a sandboxed environment, or use a library such as symfony/expression-language or madorin/matex to compile and evaluate expressions instead of handing them to eval().
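As an added example (not part of the DeepSource rule text), the flagged eval() pattern is shown beside a replacement built on symfony/expression-language, one of the libraries the rule suggests. The "price calculator" scenario, the function names and the vendor path are assumptions.

```php
<?php
// Added example: a formula supplied by the caller is evaluated once with eval()
// (the pattern PHP-A1000 flags) and once with symfony/expression-language.
// Assumes `composer require symfony/expression-language` has been run.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
use Symfony\Component\ExpressionLanguage\SyntaxError;

// VULNERABLE: $formula is spliced into PHP source and executed in this scope.
// Whatever the caller types becomes PHP code running with the web server's
// privileges; nothing restricts it to arithmetic on $price and $qty.
function computeUnsafe(string $formula, float $price, int $qty): float
{
    return (float) eval("return $formula;");
}

// HARDENED: ExpressionLanguage parses a small expression grammar, not PHP.
// Only the variables passed in the second argument are visible, only
// registered functions may be called, and unknown names raise SyntaxError.
// Caveat: the component registers a constant() function by default, so check
// whether exposing defined constants is acceptable for your application.
function computeSafe(string $formula, float $price, int $qty): ?float
{
    $el = new ExpressionLanguage();
    try {
        $result = $el->evaluate($formula, ['price' => $price, 'qty' => $qty]);
    } catch (SyntaxError $e) {
        // Reject rather than guess, and log the rejection for detection.
        error_log('Rejected formula: ' . $e->getMessage());
        return null;
    }
    // Anything that is not a number (e.g. a string or array) is also refused.
    return is_numeric($result) ? (float) $result : null;
}

// Constructed inputs: one well-formed formula, two that must be refused.
var_dump(computeSafe('price * qty * 1.2', 10.0, 3));    // accepted
var_dump(computeSafe('price * qty + foo()', 10.0, 3));  // unknown function: refused
var_dump(computeSafe('shipping + price', 10.0, 3));     // unknown variable: refused
```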
