eval() error check

We all know how dangerous eval() is in terms of security, but still it is the necessary evil sometimes.

I’ve been developing a script last week that required eval() execution. I did pretty granular input validation with regular expressions and known troubleish test cases. Still, some expressions passed to the eval() function were prone to parse errors.

Reading a bit I tried to use the exceptions handling mechanism in PHP 5 (try – catch blocks) to provide a solution, or using a error handler with the set_error_handler function. They work for exceptions and some basic errors, but most of the errors (including the parse erorr) pass.

I don’t mind the system being unable to call a valid function, but I want to protect the frontend. So the best call I found is using this trick.

Create a function with this content:

 

return @eval('return true;' . $code);

Where $code is the code you need to normally call in eval().

This statement returns true if your eval is valid – or false if it is going to break. Without breaking the frontend and the PHP execution.

So calling this before running your eval and testing for true will prevent the ugly errors on the page load.

7 thoughts on “eval() error check”

  1. Bainternet says: May 25, 2014 at 10:19 am

    Just one problem with this solution, When you try to validatecheck a code with a function declared in it you cant run the code again since you will get a “Fatal error: Cannot redeclare ….”

  2. Mario Peshev says: May 25, 2014 at 1:00 pm

    Yeah that’s a valid concern, thanks for explicitly mentioning this one 🙂

  3. Viktor Szépe says: March 28, 2015 at 1:39 am
  4. Jason Daly says: December 31, 2016 at 5:34 am

    Good example. As a note you can wrap the syntax check code in a function which will thus nest any functions declared within the syntax check code — avoiding the ‘re-declare’ error:

    return @eval(‘return true;function evalTest(){‘ . $code . ‘}’);

  5. Jason Daly says: December 31, 2016 at 6:04 am

    You can also do the following (tested using PHP 7.1):

    function checkSyntax($code)
    {
    try
    { eval(‘return true;function testEval(){‘ . $code . ‘}’);
    }
    catch(ParseError $e)
    {
    return false;

    }

    return true;

    }

  6. Kevin D says: July 17, 2017 at 8:09 am

    YES JASON!

  7. Andrius says: February 23, 2018 at 1:57 am

    only thing that worked for me :
    try {
    eval(“return “.$string.”;”);
    } catch (ParseError $e) {
    $EVALerror=TRUE;
    //echo ‘Caught exception: ‘.$e->getMessage().”n”;
    }
    if($EVALerror){
    // you got PAIN
    }

Your thoughts?