
This is not my full code. I am just posting the relevant parts. In my current application the user does not have access to manipulate the variables, so it is safe, but in future I may write something where they can, so while I am thinking about it I wanted to ask if there is any way to hack this code.

define('SMART_TAG_FOLDER','includes/smartTag/');
function loadExternalFunction($functionName,$fields) {
    //get file function should reside in
    $fileName=$functionName;
    $fileEnd=strpos($functionName,'_');
    if ($fileEnd!==false) {
        $fileName=substr($fileName,0,$fileEnd);
    }
    $fileName.='.php';

    //try to load file function should be in
    if (file_exists(SMART_TAG_FOLDER . $fileName)) {
        require_once SMART_TAG_FOLDER . $fileName;
    }

    //if desired function exist then execute
    $functionName='smartTag_'.$functionName;

    if (function_exists($functionName)) {

        //run function
        $evalRun='$value=' . $functionName . '($fields);';
        eval($evalRun);
        return $value;
    }
    return false;
}

My thought is that the use of file_exists and function_exists, along with adding information to the user-defined variable $function, should make it safe.

If anyone knows a way to do this without eval I would love to know as I am not a fan of using eval.

1 Answer


You shouldn't use eval for that.

Instead, simply call your function like this:

$functionName($fields);

You can also use one of these functions if they fit your needs better: call_user_func() or call_user_func_array()

Elon Than
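As an added example (not code from the question or the answer above), here is what the loader looks like once the eval() is replaced by the direct call the answer recommends, with the two checks a reviewer would add before the name is used: a strict pattern on the function name, so that it cannot carry path characters into require_once, and a realpath() comparison to confirm the resolved file still lies inside the smart-tag folder. The folder layout (SMART_TAG_FOLDER under __DIR__, files defining smartTag_-prefixed functions) is assumed from the question.

```php
<?php
// Added example, not the poster's code. Assumes the same layout as the
// question: includes/smartTag/<file>.php defines functions named smartTag_*.
define('SMART_TAG_FOLDER', __DIR__ . '/includes/smartTag/');

function loadExternalFunctionSafe(string $functionName, array $fields)
{
    // 1. Accept only letters, digits and single underscores. Anything else
    //    (dots, slashes, quotes, spaces) is rejected before the filesystem
    //    or the function table is consulted.
    if (!preg_match('/^[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*$/', $functionName)) {
        return false;
    }

    // 2. Derive the file name exactly as the original code does:
    //    everything before the first underscore, plus ".php".
    $fileName = $functionName;
    $fileEnd = strpos($functionName, '_');
    if ($fileEnd !== false) {
        $fileName = substr($fileName, 0, $fileEnd);
    }
    $fileName .= '.php';

    // 3. Resolve the real path and require that it is still inside
    //    SMART_TAG_FOLDER. realpath() collapses ".." and symlinks, so a
    //    file outside the folder cannot satisfy the prefix check.
    $base = realpath(SMART_TAG_FOLDER);
    $path = realpath(SMART_TAG_FOLDER . $fileName);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    require_once $path;

    // 4. Call the function directly instead of building a string for eval().
    //    call_user_func() raises an error for a non-callable, so the
    //    function_exists() guard from the original is kept.
    $target = 'smartTag_' . $functionName;
    if (!function_exists($target)) {
        return false;
    }
    return call_user_func($target, $fields);
}

// Usage (constructed): loads includes/smartTag/date.php and calls
// smartTag_date_format($fields) if that function is defined there.
$value = loadExternalFunctionSafe('date_format', ['format' => 'Y-m-d']);
```

The return value is the same as in the original (false when the file or function is missing, otherwise whatever the smart-tag function returns), so the function can replace loadExternalFunction() without changing its callers.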