====== Eval Functions ======

These functions can allow an arbitrary string or file to be executed as PHP code (with the privileges of PHP).

===== Includes =====

  * [[phpfn>require]]
  * [[phpfn>require_once]]
  * [[phpfn>include]]
  * [[phpfn>include_once]]

Including arbitrary files into a PHP program can allow code to be injected into that program. This is especially dangerous when including files that are writable in a shared or compromised environment, or where [[http://www.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen|allow_url_fopen]] is enabled. See "Includes Bad Practice" below.

===== General =====

  * [[phpfn>eval]] - Eval executes an arbitrary string as PHP code.
  * [[phpfn>create_function]]
  * [[phpfn>preg_replace]] - Can execute arbitrary PHP code when the /e [[http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php|modifier]] is present in the search pattern.
  * [[phpfn>php_check_syntax]] (PHP5) - php_check_syntax currently also includes the file being checked (i.e. executes it as well) - see manual comments.

==== DOM XML (PHP5) ====

The [[http://www.php.net/dom|DOM extension]] supports the use of [[http://www.php.net/streams|streams]] in a number of ways, in particular through XIncludes where the path begins with ''%%php://%%'', or through xsl:include tags in XSLT. This behaviour can be turned off (how?) - watch out when working with XML / XSLT from untrusted sources. See [[http://slides.bitflux.ch/phpconf2003/slide_11.html|XML in PHP5]].

//This function list is probably incomplete.//

===== Exploits: =====

[[security:attack:code_injection]]

==== Includes Bad Practice ====

A common beginner's mistake with the include / require functions looks like this:

<code php>
echo 'Home';
echo 'Links';
echo 'Contact';

include 'pages/'.$_GET['page'];
</code>

Bearing in mind [[security:attack:parameter_manipulation]]s, it would be possible for the GET variable 'page' to contain anything, including directory paths which PHP will resolve, e.g. ''%%$_GET['page'] == '../uploads/badscript'%%'', so the included file becomes ''pages/../uploads/badscript.php''.

A better solution for this example would be:

<code php>
echo 'Home';
echo 'Links';
echo 'Contact';

$pages = array('home', 'links', 'contact');

// If the page is known
if ( in_array($_GET['page'], $pages) ) {
    include 'pages/'.$_GET['page'].'.php';
// Otherwise use default...
} else {
    include 'pages/home.php';
}
</code>

===== Additional Information =====

  * See [[security:functions:catalog]] and [[security:web_application_security]]
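As an added example that is not part of the original page, the following dispatcher generalises the allowlist fix from "Includes Bad Practice": the request value is only ever used as a key into a map of known pages, never as part of a path, and the resolved file is additionally checked with realpath() to lie directly under the pages directory. The directory layout (''pages/*.php'') and the page names are assumed.

```php
<?php
// Added example: allowlisted include dispatcher (assumed layout: ./pages/*.php).
declare(strict_types=1);

// Only keys of this map can ever be included; the request value itself
// is never concatenated into a path.
const PAGES = [
    'home'    => 'home.php',
    'links'   => 'links.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request value to an absolute file path inside $baseDir,
 * or return null when it is not a known page. No type hint on
 * $requested, because ?page[]=x arrives as an array.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Strict key lookup: arrays, null and values like '0' never match.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);

    // Defence in depth: even a mistyped map entry must resolve to an
    // existing file whose parent directory is exactly the base directory.
    if ($base === false || $file === false || dirname($file) !== $base) {
        return null;
    }
    return $file;
}

$pagesDir = __DIR__ . '/pages';

// Unknown or missing page falls back to the default key, not to raw input.
$file = resolve_page($_GET['page'] ?? 'home', $pagesDir)
     ?? resolve_page('home', $pagesDir);

if ($file === null) {
    http_response_code(500);
    exit('page directory is misconfigured');
}

include $file;
```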