Remove PHP eval()

  • Hi,

    I recently installed WordPress 2.7.1 and, when going to wp-admin/edit.php, came across an error because eval is disabled by Suhosin on the server which I am using.

    I did a search through the WP source code and found 2 occurrences of eval in the code (plus a few in the pclzip library).

    I couldn’t spot anything that said why the eval was used so I’ve created two patches:

    wp-includes/classes.php

    219,233c219
    <
    < 					preg_match_all('/\$(.*?)\[(.*?)\]/',$query,$subs);
    < 					$find=array();
    < 					$replace=array();
    <
    < 					foreach($subs[0] as $key=>$value)
    < 					{
    < 					$tmp=$subs[1][$key];
    < 					$tmp=$$tmp;
    < 					$tmp=$tmp[$subs[2][$key]];
    < 					$find[]=$subs[0][$key];
    < 					$replace[]=$tmp;
    < 					}
    <
    < 					$query=str_replace($find,$replace,$query);
    ---
    > 					eval("@\$query = \"" . addslashes($query) . "\";");
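
    Review bot: in the replacement block, $tmp=$$tmp; dereferences whatever variable name the pattern \$(.*?)\[ captured from $query, so the substitution can read any array in scope rather than one intended variable. Compare $subs[1][$key] against the single expected name before the lookup, and check isset($tmp[$subs[2][$key]]) before using it: the eval line in this hunk carried an @ to silence a missing index, and the replacement has no equivalent, so an index that is absent raises a notice and substitutes an empty string.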

    wp-includes/rewrite.php

    299,313c299
    <
    < 					preg_match_all('/\$(.*?)\[(.*?)\]/',$query,$subs);
    < 					$find=array();
    < 					$replace=array();
    <
    < 					foreach($subs[0] as $key=>$value)
    < 					{
    < 					$tmp=$subs[1][$key];
    < 					$tmp=$$tmp;
    < 					$tmp=$tmp[$subs[2][$key]];
    < 					$find[]=$subs[0][$key];
    < 					$replace[]=$tmp;
    < 					}
    <
    < 					$query=str_replace($find,$replace,$query);
    ---
    > 			eval("\$query = \"" . addslashes($query) . "\";");
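
    Review bot: the eval(...) line sits on the > side and the replacement block on the < side (299,313c299), here and in the classes.php hunk, so the diff was taken with the patched file first and applying it as posted would put eval back; regenerate it with the original file as the first argument. The block is also a line-for-line copy of the one in wp-includes/classes.php, so it would be better as one shared helper called from both places, and its five-tab indentation does not match the three tabs of the eval line it replaces.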

    These work for me but whether they will work for everyone I don’t know and I expect there is a much tidier way to fix it.

    ~Rowan

  • The topic ‘Remove PHP eval()’ is closed to new replies.