Code Injection Using Eval Method
What does this mean?
What can happen?
This attack relies on a script that fails to validate the user input it receives in the page parameter. A remote user can supply a specially crafted URL whose parameter value is passed to an eval() call, resulting in arbitrary code execution on the server.
- Use structured mechanisms that keep data and commands separate; such mechanisms enforce the separation automatically rather than relying on the developer to escape input.
- Validate the values of commands and their associated parameters before they are used.
<?php
// Vulnerable example: the request parameter is interpolated into the source
// text that eval() executes, so the user controls part of the evaluated code.
$vars = "hacker";
$z = $_GET['arg1'];
eval("\$vars = $z;");   // $z is expanded into the code string before eval() runs it
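As an added example (not code from the original page), the same eval()-based pattern is shown next to a hardened form that never builds code from request data: the parameter name is matched against an allow-list of known settings and the value is checked with a strict pattern before a plain array assignment. The ALLOWED_SETTINGS list and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original page.
// Vulnerable form: the request value is spliced into source text that eval()
// then executes, so whatever PHP can parse in that position runs.
function vulnerableAssign(array $get): string
{
    $vars = "hacker";
    $z = $get['arg1'] ?? '';
    eval("\$vars = $z;");   // user-controlled text becomes code
    return $vars;
}

// Hardened form: no eval() at all. The caller may only touch one of a fixed
// set of settings (allow-list), the value is validated against a conservative
// pattern, and the write is an ordinary array assignment, so data stays data.
// The setting names are assumptions for this example.
const ALLOWED_SETTINGS = ['theme', 'lang', 'page_size'];

function safeAssign(array $get, array &$settings): bool
{
    $name  = $get['name']  ?? '';
    $value = $get['value'] ?? '';

    // Reject any setting name that is not on the allow-list (strict comparison).
    if (!in_array($name, ALLOWED_SETTINGS, true)) {
        return false;
    }
    // Reject values outside a small character set and length; a semicolon,
    // space or parenthesis never reaches anything that interprets code.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value)) {
        return false;
    }
    $settings[$name] = $value;
    return true;
}

// Constructed sample requests (not real traffic) exercising the hardened form.
$settings = [];
var_dump(safeAssign(['name' => 'theme', 'value' => 'dark'], $settings));
var_dump(safeAssign(['name' => 'theme', 'value' => 'dark; extra'], $settings));
var_dump(safeAssign(['name' => 'not_allowed', 'value' => 'dark'], $settings));
var_dump($settings);
```

Only the first request changes $settings; the other two are rejected before any assignment happens.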