Remove PHP eval() (2 posts)

  1. obsidiandh
    Member
    Posted 5 years ago #

    Hi,

    I recently installed WordPress 2.7.1 and when going to wp-admin/edit.php came across an error because eval is disabled by suhosin on the server which I am using.

    I did a search through the WP source code and found 2 occurrences of eval in the code (plus a few in the pclzip library).

    I couldn't spot anything that said why the eval was used so I've created two patches:

    wp-includes/classes.php

    219,233c219
    <
    < 					preg_match_all('/\$(.*?)\[(.*?)\]/',$query,$subs);
    < 					$find=array();
    < 					$replace=array();
    <
    < 					foreach($subs[0] as $key=>$value)
    < 					{
    < 					$tmp=$subs[1][$key];
    < 					$tmp=$$tmp;
    < 					$tmp=$tmp[$subs[2][$key]];
    < 					$find[]=$subs[0][$key];
    < 					$replace[]=$tmp;
    < 					}
    <
    < 					$query=str_replace($find,$replace,$query);
    ---
    > 					eval("@\$query = \"" . addslashes($query) . "\";");
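
    Review bot: `$tmp=$$tmp;` reads whichever variable name the pattern `/\$(.*?)\[(.*?)\]/` captures out of `$query`, so any array in scope that the string names gets dereferenced, not only the one the rewrite rule is meant to reference. Tighten the pattern to the single expected array name and index that array directly rather than going through a variable variable. The eval() line for this file also carried an `@`, and `$tmp=$tmp[$subs[2][$key]];` has no equivalent, so a missing index now raises a notice; check with isset() before reading it.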

    wp-includes/rewrite.php

    299,313c299
    <
    < 					preg_match_all('/\$(.*?)\[(.*?)\]/',$query,$subs);
    < 					$find=array();
    < 					$replace=array();
    <
    < 					foreach($subs[0] as $key=>$value)
    < 					{
    < 					$tmp=$subs[1][$key];
    < 					$tmp=$$tmp;
    < 					$tmp=$tmp[$subs[2][$key]];
    < 					$find[]=$subs[0][$key];
    < 					$replace[]=$tmp;
    < 					}
    <
    < 					$query=str_replace($find,$replace,$query);
    ---
    > 			eval("\$query = \"" . addslashes($query) . "\";");
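
    Review bot: `$query=str_replace($find,$replace,$query);` applies the pairs one after another to the already-substituted string, so a replacement value that itself contains text matching a later `$find` entry is substituted a second time. A single pass with preg_replace_callback() avoids rescanning inserted values. This block is identical to the one in wp-includes/classes.php and would be better as one shared helper. The diff is also reversed: the `<` side is the new code and the `>` side is the eval() line being removed, so regenerate it with the original file first.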

    These work for me but whether they will work for everyone I don't know and I expect there is a much tidier way to fix it.

    ~Rowan

  2. MichaelH
    Member
    Posted 5 years ago #

    Might submit your patches to Trac for inclusion in the core if that's what you are looking to do... See Reporting Bugs.
