how to disable eval php function

[Nerigal]

Hi,

haven't found anything useful information regarding how to disable eval() under php.ini because it is a language construct.
but is there anyway to disable it or overwrite it without suphp ?

thanks

 

[scsi]

You disable it the same way you disable any other php function.

 

[Nerigal]

no it can NOT be disable simply by adding it in the php.ini function like disable_function = eval

regarding this http://ca.php.net/manual/en/function.eval.php

Caution

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

 

[scsi]

This is about the only way I can find to do it:

http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval

You would have to setup your php with suhosin

 

[Nerigal]

damn...had hope to be able to fake eval function with override_function so eval return null in php.ini or so

 

[zEitEr]

That might sound a little bit crazy, but what if you try to remove it from PHP source and re-compile PHP... not sure if it is possible or not, and how good is the idea.

 

[Nerigal]

not familiar enough with C language to risk that.