Support » Plugin: Google Forms » Warning about eval

  • I don’t know a lot about this plugin as I’m the server administrator/programmer, but I had to help my co-worker/web developer with it. I block eval on our client servers (a lot of shared hosts do) because of the security risk. On lines 774 and 776 of wpgform-core.php, this plugin uses eval where there is no need for it whatsoever. Unless the plugin author knows of a case I don’t see? Even still, as the creator of PHP stated:

    “If eval() is the answer, you’re almost certainly asking the wrong question.”

    Line: 774
    Change
    $x = eval('return sprintf("%s%s%s", $a, $op1, $b);');
    To
    $x = sprintf("%s%s%s", $a, $op1, $b);

    Line: 776
    Change
    $x = eval('return sprintf("%s%s%s%s%s", $a, $op1, $b, $op2, $c);');
    To
    $x = sprintf("%s%s%s%s%s", $a, $op1, $b, $op2, $c);

Viewing 1 replies (of 1 total)
  • Plugin Author Mike Walsh

    (@mpwalsh8)

    If the eval is removed then the CAPTCHA solution won’t ever be evaluated correctly. The value of $x is the result of the CAPTCHA equation after it is evaluated. If $a = 2 and $b = 3 then $x should be 5 but if you take the eval out, $x will be the string “2 + 3” which won’t satisfy the CAPTCHA. Maybe there is a different way to do it but simply removing the eval will render the CAPTCHA broken.
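As an added example (not code from the plugin or from either poster): the arithmetic CAPTCHA can be computed without eval by dispatching on the operator explicitly, which gives the same numeric result for "2 + 3" (5) while never handing a string to the PHP interpreter. It assumes the operands are integers and the operators come from a small fixed set ('+', '-', '*'); the wpgform_ function names, the PHP operator precedence handling for the three-operand form, and the answer-comparison helper are all assumptions, not the plugin's own API.

```php
<?php
// Added example, not part of wpgform-core.php. Assumes integer operands and
// operators limited to '+', '-', '*' (assumption); anything else is rejected
// instead of being evaluated.

function wpgform_apply_op(int $lhs, string $op, int $rhs): int
{
    switch ($op) {
        case '+':
            return $lhs + $rhs;
        case '-':
            return $lhs - $rhs;
        case '*':
            return $lhs * $rhs;
        default:
            // An unexpected operator is a bug or tampering, never something to eval.
            throw new InvalidArgumentException("Unsupported CAPTCHA operator: $op");
    }
}

// Evaluate "a op1 b" (line 774 case) or "a op1 b op2 c" (line 776 case).
// For three operands, '*' binds tighter than '+' and '-', so the result matches
// what PHP itself would compute for the same expression.
function wpgform_eval_captcha(int $a, string $op1, int $b, ?string $op2 = null, ?int $c = null): int
{
    if ($op2 === null) {
        return wpgform_apply_op($a, $op1, $b);
    }
    if ($c === null) {
        throw new InvalidArgumentException('Third operand missing for two-operator CAPTCHA');
    }
    if ($op2 === '*' && $op1 !== '*') {
        // a + (b * c) or a - (b * c)
        return wpgform_apply_op($a, $op1, wpgform_apply_op($b, $op2, $c));
    }
    // (a op1 b) op2 c covers a*b*c, a*b+c, a+b-c and the remaining cases.
    return wpgform_apply_op(wpgform_apply_op($a, $op1, $b), $op2, $c);
}

// Compare the visitor's submitted answer against the expected value.
// The submitted value is untrusted form input, so it is validated as an
// optionally signed integer rather than being evaluated or loosely compared.
function wpgform_captcha_matches(string $submitted, int $expected): bool
{
    $submitted = trim($submitted);
    if (preg_match('/^-?\d+$/', $submitted) !== 1) {
        return false;
    }
    return (int) $submitted === $expected;
}

// Constructed sample data mirroring the thread's example (2 + 3) plus a
// three-operand equation; not taken from the plugin.
$expected2 = wpgform_eval_captcha(2, '+', 3);
$expected3 = wpgform_eval_captcha(2, '+', 3, '*', 4);

var_dump($expected2);
var_dump($expected3);
var_dump(wpgform_captcha_matches('5', $expected2));
var_dump(wpgform_captcha_matches('2 + 3', $expected2));
```

With this in place, the two eval() calls become plain function calls, so the plugin works on hosts that disable eval and the CAPTCHA still checks the computed number rather than the string "2 + 3".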
