Php Eval With Untrusted Input
Description
Detects dangerous usage of PHP's eval() function with untrusted input, which can allow attackers to execute arbitrary PHP code. When user-controlled data reaches the eval() function, it creates a critical remote code execution vulnerability that could compromise the entire application.
Detection Strategy
• Identifies calls to PHP's eval() function in the code
• Analyzes the first argument passed to eval() to check if it contains or is derived from user input
• Reports a vulnerability if eval() receives data that can be controlled by external users
• Example dangerous pattern: eval($_GET['code']) or eval($userProvidedString)
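As an added illustration of this detection strategy (written for this page, not Fluid Attacks' own analyzer): a small Python check that locates eval() calls in PHP source, collects variables assigned from superglobals (propagated through simple assignments), and reports each eval() whose first argument references one of them. The regexes are an approximation, not a PHP parser, and the sample input is constructed.

```python
import re
from typing import Iterator, List, Set, Tuple
# PHP superglobals whose contents are controlled by the HTTP client.
USER_INPUT_SOURCES: Set[str] = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES"}
VAR_RE = re.compile(r"\$\w+")
# `$var = <expr>;` but not `==`; a regex approximation, not a PHP parser.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")

def tainted_variables(source: str) -> Set[str]:
    """Variables assigned from a superglobal or from an already tainted variable,
    iterated to a fixpoint so $a = $_POST['x']; $b = trim($a); taints both."""
    tainted: Set[str] = set()
    assignments = ASSIGN_RE.findall(source)
    changed = True
    while changed:
        changed = False
        for var, rhs in assignments:
            if var not in tainted and set(VAR_RE.findall(rhs)) & (USER_INPUT_SOURCES | tainted):
                tainted.add(var)
                changed = True
    return tainted

def eval_calls(source: str) -> Iterator[Tuple[int, str]]:
    """Yield (line, raw argument text) for each eval(...) call, closing the call
    by parenthesis depth (a ')' inside a string literal is not handled)."""
    for m in re.finditer(r"\beval\s*\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[i], 0)
            i += 1
        yield source.count("\n", 0, m.start()) + 1, source[m.end():i - 1]

def find_eval_with_user_input(source: str) -> List[dict]:
    """One finding per eval() whose first argument references user input."""
    tainted = tainted_variables(source)
    findings = []
    for line, args in eval_calls(source):
        first_arg = args.split(",")[0].strip()
        if set(VAR_RE.findall(first_arg)) & (USER_INPUT_SOURCES | tainted):
            findings.append({"line": line, "argument": first_arg})
    return findings

# Constructed sample: the page's eval($userInput) pattern plus a chained assignment.
SAMPLE_VULNERABLE = """<?php
$userInput = $_GET['expr'];
eval($userInput);
$raw = $_POST['code'];
$code = trim($raw);
eval("return " . $code . ";");
"""
```

Calling `find_eval_with_user_input(SAMPLE_VULNERABLE)` reports both eval() calls (lines 3 and 6), while an eval() of a constant string with no tainted variable produces no finding.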
Vulnerable code example

```php
<?php
function processUserExpression() {
    // $_GET['expr'] is fully controlled by the HTTP client
    $userInput = $_GET['expr'];
    // Dangerous: directly evaluating user input with eval() runs whatever PHP the client sends
    eval($userInput);
    // $result is only defined if the evaluated code happens to assign it
    return $result;
}
?>
```

✅ Secure code example
```php
<?php
function processUserExpression() {
    $userInput = $_GET['expr'] ?? '';
    // Validate input is a numeric string using strict pattern matching
    if (!is_string($userInput) || !preg_match('/^\s*-?\d+(\.\d+)?\s*$/', $userInput)) {
        return null;
    }
    // Assumed completion (the original snippet is truncated at this point):
    // once the input is known to be a plain number, cast it instead of calling eval()
    return (float) $userInput;
}
?>
```