On Tue, Feb 15, 2011 at 05:02:51PM -0500, Brian Waters wrote:

> On Mon, Feb 14, 2011 at 11:49 PM, Paul M Foster <pa...@quillandmouse.com>
> wrote:
> > Advice: don't use eval() this way. It's slow and dangerous.
> 
> Could you elaborate, or provide a link?

A year or two on this list. The comments in the php.net article on
eval(). Experience with other languages which have similar constructs.
See also Appendix B on Functions in *Essential PHP Security*, a thin but
important book to have. The eval() function is the first one the author
cautions against, and explains why.

I wouldn't use eval() unless I constructed the input for it myself and
was fairly sure I could trust what I constructed. But that's just me.

> 
> > ...read in the file and pass it to you on the stack, which is
> > really an abuse of the stack if you can avoid it.
> 
> Interesting. I'm used to statically-typed languages. Normally I never
> would have passed a large structure like that on the stack. But then
> again, in those languages, large structures are usually passed by
> reference, by default. In C, the only way to pass a string or array by
> value is to wrap it in a struct, and in Java, objects are passed by
> reference (if I recall correctly).

C strings are peculiar animals, as K & R point out. By default, function
parameters in PHP are passed by value. You can pass them by reference,
but it's the exception rather than the rule.

Paul

-- 
Paul M. Foster
http://noferblatz.com
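As an added illustration of both points Paul raises, and not code from this thread, here is a PHP 7.3+ snippet that treats a file's contents as data instead of handing them to eval(), and shows the by-value default next to an explicit reference parameter; the file contents, setting names and function names are constructed for the example.

```php
<?php
// Added example, not code from the thread. It shows (1) treating a file's
// contents as data instead of handing them to eval(), and (2) PHP's default
// pass-by-value semantics versus an explicit reference parameter.

// Constructed sample: the text of a settings file as read from disk.
$fileContents = '{"timeout": 30, "mode": "fast", "debug": "yes"}';

// Keys we are prepared to accept, with the type each value must have.
const ALLOWED_SETTINGS = ['timeout' => 'integer', 'mode' => 'string'];

// Parse the file as data. Nothing in it can execute, no matter who wrote it.
function loadSettings(string $json): array {
    $decoded = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('settings file must be a JSON object');
    }
    $settings = [];
    foreach (ALLOWED_SETTINGS as $key => $type) {
        if (array_key_exists($key, $decoded) && gettype($decoded[$key]) === $type) {
            $settings[$key] = $decoded[$key];
        }
    }
    return $settings; // unknown keys such as "debug" are dropped, never evaluated
}

// Default: the array is passed by value, so the caller's copy is untouched.
function withDoubledTimeout(array $settings): array {
    $settings['timeout'] *= 2;
    return $settings;
}

// Explicit reference: the & makes the function modify the caller's array.
function doubleTimeoutInPlace(array &$settings): void {
    $settings['timeout'] *= 2;
}

$settings = loadSettings($fileContents);
$copy = withDoubledTimeout($settings);
printf("by value: caller %d, returned %d\n", $settings['timeout'], $copy['timeout']);
doubleTimeoutInPlace($settings);
printf("by reference: caller now %d\n", $settings['timeout']);
```

Because the loader only copies allowlisted keys of the expected type, a malformed or hostile file fails with an exception or is silently trimmed, rather than running as PHP with the web server's privileges.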


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php