Unsafe to use eval() ?

chrisdee

I have a mysql/php based website where I use highlight_string($content) to view regular content and php code and eval("?>".$content) ot run php scripts.

I wonder if it's dangerous to use this function, and what should I do to secure my site. Below is the code :

connect.php

<?php
# Variables
$username               = "username";
$password               = "password";
$host                   = "localhost";
$database               = "databasename";

#connects to the MySQL server
mysql_connect($host,$username,$password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
?>

index.php

<?php
include('connect.php');
$table=$_GET['table'];

$order=$_GET['order'];
if(!$order) {
$order="title";
}

echo "<table border=1><tr><td class=m>";
include("navigation.php");
echo "</td>";

echo "<td valign=top width=800 class=n height=100%>";
if(empty($_GET['table'])) {
include("home.php");
}
elseif(ereg('phpmysql|scripts_php',$table)) {
include("code.php");
}
else {
include("pages.php");
}
echo "</td></tr></table>";
?>

navigation.php

<?php
$sql = "SHOW TABLES FROM $database";
$result = mysql_query($sql);

echo "<font face=cursive>".$_SERVER['SERVER_NAME']."</font>";
echo "<hr class=hr>";
echo "<a class=cd href=http://www.url.com>Home</a><br>";
while ($tables = mysql_fetch_row($result)) {
if(ereg('home|code|css|familietre|stats|telefonliste|text',$tables[0])) {
}
elseif($_GET['table']==$tables[0]) {
echo "<a class=cd href=index.php?table=$tables[0]><span class=code><b>".ucfirst($tables[0])."</b></span></a><br>";
}
elseif($tables[0]=='siteinfo') {
echo "<a class=cd href=index.php?id=1&table=siteinfo>".ucfirst($tables[0])."</a><br>";
}
else {
echo "<a class=cd href=index.php?table=$tables[0]>".ucfirst($tables[0])."</a><br>";
}
}
mysql_free_result($result);
?>

home.php

<?
$sql = "SELECT content FROM home WHERE id='1'";
$query = mysql_query($sql) or die(mysql_error());
$result = mysql_fetch_array($query);

$content = $result["content"];

echo "<table width=100%><tr><td class=m>$content</td></tr></table>";
?>

code.php

<?
# Connecting to mysql table
$result = mysql_query("SELECT * FROM $table order by $order asc");
$loop = mysql_num_rows($result);

for ($i=0; $i<$loop; $i++) {
$myrow = mysql_fetch_array($result);
$title = $myrow["title"];
$content = $myrow["content"];
$id = $myrow["id"];
if($_GET['id']==$id) {
  print "<a class=cd href='index.php?id=$id&table=$table'><span class=code><b>$title</b></span></a> | ";
} else {
  print "<a class=cd href='index.php?id=$id&table=$table'>$title</a> | ";
}
}
$id = $_GET['id'];
$sql = "SELECT * FROM $table WHERE id='$id'";
$query = mysql_query($sql) or die(mysql_error());
$result = mysql_fetch_array($query);

$title = $result["title"];
$date = $result["date"];
$content = $result["content"];

echo "</p><table width=100%>";
echo "<tr><td class=nav1>$title</td><td class=nav1 align=right>Created/Updated: $date</td></tr>";
echo "<tr><td class=m colspan=2>";
highlight_string($content);
echo "</td></tr>";
echo "</table>";
echo "<hr class=hr>";
eval("?>".$content);
?>

pages.php

<?
# Connecting to mysql table
$result = mysql_query("SELECT * FROM $table order by $order asc");
$loop = mysql_num_rows($result);

for ($i=0; $i<$loop; $i++) {
$myrow = mysql_fetch_array($result);
$title = $myrow["title"];
$content = $myrow["content"];
$id = $myrow["id"];
if($_GET['id']==$id) {
  print "<a class=cd href='index.php?id=$id&table=$table'><span class=code><b>$title</b></span></a> | ";
} else {
  print "<a class=cd href='index.php?id=$id&table=$table'>$title</a> | ";
}
}
$id = $_GET['id'];
$sql = "SELECT * FROM $table WHERE id='$id'";
$query = mysql_query($sql) or die(mysql_error());
$result = mysql_fetch_array($query);

$title = $result["title"];
$date = $result["date"];
$content = $result["content"];

echo "</p><table width=100%>";
echo "<tr><td class=nav1>$title</td><td class=nav1 align=right>Created/Updated: $date</td></tr>";
echo "<tr><td class=m colspan=2>$content</td></tr>";
echo "</table>";
?>

laserlight

chrisdee wrote:
I wonder if it's dangerous to use this function

Probably. It may be safe if only trusted people ever get to input code to be evaluated, but why take the risk?

chrisdee wrote:
and what should I do to secure my site.

Don't use eval(), for one thing.

chrisdee

So if I remove the eval() function I'll be fine ?

chrisdee

What if I exclude to run scripts with forms and user input, would this make using eval() safer ?

laserlight

chrisdee wrote:
So if I remove the eval() function I'll be fine ?

I am unwilling to make such a pronouncement without careful analysis of your entire script, as well as PHP and server configurations.

chrisdee wrote:
What if I exclude to run scripts with forms and user input, would this make using eval() safer ?

Yes, but it would also make eval() redundant since you might as well just change the script itself. Why do you need to use eval() in the first place?