https://github.com/sjinks/php-disable-eval
Disable eval() and create_function() in PHP
- Host: GitHub
- URL: https://github.com/sjinks/php-disable-eval
- Owner: sjinks
- Created: 2021-09-25T20:05:49.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2025-01-20T13:38:48.000Z (about 1 year ago)
- Last Synced: 2025-03-24T02:22:21.608Z (11 months ago)
- Topics: eval, php, php-extension, security
- Language: PHP
- Homepage:
- Size: 177 KB
- Stars: 4
- Watchers: 2
- Forks: 1
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# php-disable-eval
[CI: test.yml workflow](https://github.com/sjinks/php-disable-eval/actions/workflows/test.yml)
[SonarCloud dashboard](https://sonarcloud.io/dashboard?id=sjinks_php-disable-eval)
A PHP extension to disable `eval()` and `create_function()`.
## Installation
```bash
phpize
./configure
make
sudo make install
```
Then add
```ini
extension=disableeval.so
```
to your `php.ini`.
## Configuration Options (php.ini)
* `disableeval.enabled` (boolean, default `On`): whether to enable the extension.
* `disableeval.intercept_compile_string` (boolean, default `On`): whether to use the `zend_compile_string` hook to detect the usage of `eval()`.
* `disableeval.aggressive` (boolean, default `Off`): whether to react to all evaluated code, including code generated by extensions or SAPIs. Works together with `disableeval.intercept_compile_string`.
* `disableeval.mode` (integer, default 1): what to do on a policy violation:
  * 1 (`DISABLEEVAL_MODE_THROW`): throw an `ErrorException`;
  * 2 (`DISABLEEVAL_MODE_WARN`): display a warning;
  * 3 (`DISABLEEVAL_MODE_SCREAM`): display a warning that cannot be suppressed with the `@` operator;
  * 4 (`DISABLEEVAL_MODE_BAILOUT`): emit a fatal error and abort the script.
For security reasons, all options are [`PHP_INI_SYSTEM`](https://www.php.net/manual/en/configuration.changes.modes.php): that is, they can only be set in `php.ini` or `httpd.conf`.
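Because the options are `PHP_INI_SYSTEM`, the only way to confirm the policy is in force for a given SAPI is to probe it from inside that SAPI. The script below is an added self-check, not part of php-disable-eval's own code; it assumes the extension registers under the name `disableeval` and that modes 2 and 3 surface as `E_WARNING`, and it deliberately skips probing mode 4, which would abort the script.

```php
<?php
declare(strict_types=1);

// Added self-check, not part of php-disable-eval itself. It reports the configured
// policy and probes whether eval() actually triggers the configured reaction.
// Assumptions: the extension registers as "disableeval" and modes 2/3 are E_WARNING.

/** Mode numbers and names as documented in the README. */
const DISABLEEVAL_MODE_NAMES = [
    1 => 'DISABLEEVAL_MODE_THROW',
    2 => 'DISABLEEVAL_MODE_WARN',
    3 => 'DISABLEEVAL_MODE_SCREAM',
    4 => 'DISABLEEVAL_MODE_BAILOUT',
];

function disableeval_status(): array
{
    $mode = (int) ini_get('disableeval.mode');
    $status = [
        'loaded'   => extension_loaded('disableeval'), // assumed extension name
        'enabled'  => filter_var(ini_get('disableeval.enabled'), FILTER_VALIDATE_BOOLEAN),
        'mode'     => DISABLEEVAL_MODE_NAMES[$mode] ?? "unknown ($mode)",
        'reacted'  => null, // null = not probed
        'evidence' => '',
    ];

    if (!$status['loaded'] || $mode === 4) {
        return $status; // nothing to probe, or probing would bail out the whole script
    }

    $warning = '';
    set_error_handler(static function (int $no, string $msg) use (&$warning): bool {
        $warning = $msg;
        return true; // record the warning instead of displaying it
    }, E_WARNING);
    try {
        $result = eval('return 42;');
        $status['reacted']  = ($warning !== '');
        $status['evidence'] = $warning !== '' ? "warning: $warning" : "eval() returned $result";
    } catch (ErrorException $e) {
        $status['reacted']  = true;
        $status['evidence'] = 'ErrorException: ' . $e->getMessage();
    } finally {
        restore_error_handler();
    }
    return $status;
}

foreach (disableeval_status() as $key => $value) {
    printf("%-8s %s\n", $key, var_export($value, true));
}
```

Run it under each SAPI you care about (CLI, FPM, mod_php), since each reads its own `php.ini`; `reacted => false` with `loaded => true` means the extension is present but the policy did not fire.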