https://github.com/sjinks/php-disable-eval

Disable eval() and create_function() in PHP

# php-disable-eval

[![Build and Test](https://github.com/sjinks/php-disable-eval/actions/workflows/test.yml/badge.svg)](https://github.com/sjinks/php-disable-eval/actions/workflows/test.yml)
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=sjinks_php-disable-eval&metric=alert_status)](https://sonarcloud.io/dashboard?id=sjinks_php-disable-eval)

A PHP extension to disable `eval()` and `create_function()`. Note that `create_function()` was deprecated in PHP 7.2 and removed in PHP 8.0, so on PHP 8 the extension's job is blocking `eval()`.

## Installation

```bash
phpize
./configure
make
sudo make install
```

Then add

```
extension=disableeval.so
```

to your `php.ini`.

## Configuration Options (php.ini)

* `disableeval.enabled` (boolean, default `On`): whether to enable the extension.
* `disableeval.intercept_compile_string` (boolean, default `On`): whether to use the `zend_compile_string` hook to detect the usage of `eval()`.
* `disableeval.aggressive` (boolean, default `Off`): whether to react to all evaluated code, including code compiled by other extensions or by the SAPI itself rather than by a script's `eval()`. Used together with `disableeval.intercept_compile_string`.
* `disableeval.mode` (integer, default `1`): what to do on a policy violation:
  * `1` (`DISABLEEVAL_MODE_THROW`): throw an `ErrorException`;
  * `2` (`DISABLEEVAL_MODE_WARN`): emit a warning;
  * `3` (`DISABLEEVAL_MODE_SCREAM`): emit a warning that cannot be suppressed with the `@` operator;
  * `4` (`DISABLEEVAL_MODE_BAILOUT`): emit a fatal error and abort the script.

For security reasons, all options are [`PHP_INI_SYSTEM`](https://www.php.net/manual/en/configuration.changes.modes.php): that is, they can only be set in `php.ini` or `httpd.conf`, not from a script via `ini_set()` and not from `.htaccess` or `.user.ini`. Check the `php.ini` that each SAPI actually loads (`php --ini` for the CLI); on many distributions the CLI and the web server read different files, so scripts run from cron or a queue worker need the extension enabled in their own configuration.
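The following smoke test is an added example, not part of php-disable-eval. It verifies after deployment that the extension is loaded, that the settings above have the hardened values, and that `eval()` is really refused; the file name, the `check_config()` / `eval_is_blocked()` helpers and the choice of mode `1` are assumptions of this example.

```php
<?php
// Added example (not from the php-disable-eval project): a deployment smoke
// test for the extension. It assumes the loaded php.ini contains
//   extension=disableeval.so
//   disableeval.enabled=On
//   disableeval.intercept_compile_string=On
//   disableeval.mode=1          ; DISABLEEVAL_MODE_THROW
// Run with:  php disableeval-check.php   (exit status 0 = policy enforced)
declare(strict_types=1);

/** Returns a list of configuration problems; an empty list means "as expected". */
function check_config(): array
{
    $problems = [];
    if (!extension_loaded('disableeval')) {
        $problems[] = 'extension "disableeval" is not loaded by this SAPI';
        return $problems;
    }

    // ini_get() returns strings ("1", "0", "On", ...); normalise to bool.
    $expectedOn = ['disableeval.enabled', 'disableeval.intercept_compile_string'];
    foreach ($expectedOn as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN) !== true) {
            $problems[] = "$key is not On";
        }
    }

    // Modes 2 and 3 only warn; for enforcement use 1 (throw) or 4 (bailout).
    $mode = (int) ini_get('disableeval.mode');
    if (!in_array($mode, [1, 4], true)) {
        $problems[] = "disableeval.mode=$mode does not stop execution; use 1 or 4";
    }
    return $problems;
}

/**
 * Attempts an eval() and reports whether the policy stopped it.
 * Under mode 1 the extension throws ErrorException (per the README);
 * under mode 4 the script dies with a fatal error at this line instead.
 */
function eval_is_blocked(): bool
{
    try {
        $result = eval('return 42;');
        // If we get here the string was compiled and executed: not blocked.
        return $result !== 42;
    } catch (ErrorException $e) {
        return true;
    }
}

$problems = check_config();
if ($problems === [] && !eval_is_blocked()) {
    $problems[] = 'eval() executed although the extension is loaded';
}
foreach ($problems as $p) {
    fwrite(STDERR, "FAIL: $p\n");
}
if ($problems === []) {
    echo "OK: eval() is blocked\n";
}
exit($problems === [] ? 0 : 1);
```

Run it once per SAPI configuration you care about (for example via the web server with a throwaway script, and from the CLI with `php disableeval-check.php`). With `disableeval.mode=4` the check cannot report success gracefully because the extension aborts the script at the `eval()` call; a fatal error there is the expected result in that mode.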