Old 12-20-2006, 11:04 PM
B00MER B00MER is offline

Join Date: Sep 2002
Location: Keller, TX (
Posts: 3,165

Re: Displaying smarty variables inside smarty variables

There's a reason eval is one letter away from evIl

Most interpreted and semi-compiled programming languages provide a feature in which it is possible to have a variable that contains program code statements, and have that variable executed by the interpreter. Examples are VBScript's Eval function and Execute and ExecuteGlobal statements, and PHP's and Perl's eval function and /e regular expression modifiers. People have even used Java's Reflection mechanism to make Java interpreters that may execute dynamic Java statements inside Java programs, e.g. BeanShell [64].

Needless to say, if user input, whether directly or indirectly, is incorporated in strings handed to the evaluation mechanism, an attacker may "extend" the web application to do whatever he wants it to do by passing code statements as part of his input. We should never include user input in strings passed to the eval family of functions.

Just to note, eval can be an evil function if it is overused, so be sure to use it sparingly. It can become a security exploit and even cause excessive CPU cycles on your server end.
Cart-Lab - 100+ Social Bookmarks for X-Cart.
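The "variable inside a variable" problem the thread is about is usually what tempts people to reach for eval. The following PHP is an added example, not code from B00MER's post or from Smarty itself; it assumes a template wants to display a variable whose name arrives from the request, and contrasts the eval-based resolver with one that treats the name as data (identifier check plus an explicit whitelist of variables the template may see). The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: resolving a variable name supplied at runtime without
// handing that name to eval(). Context assumed: a Smarty-style template
// wants to show $$name, where $name comes from user input.

// Risky pattern: the name is spliced into PHP source and executed.
// Anything in $name that is not a plain identifier becomes PHP code.
function resolve_with_eval(array $vars, string $name)
{
    extract($vars);                       // make $vars visible to eval()
    return eval('return $' . $name . ';'); // do not do this with user input
}

// Safe pattern: validate the name as an identifier, then look it up in an
// explicit whitelist. No string is ever interpreted as code.
function resolve_safely(array $vars, string $name)
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('not a valid variable name');
    }
    if (!array_key_exists($name, $vars)) {
        throw new OutOfBoundsException('unknown template variable');
    }
    return $vars[$name];
}

// Constructed whitelist of variables the template is allowed to reference.
$allowed = ['title' => 'Checkout', 'user_name' => 'alice'];

// Constructed inputs: two valid names, one that is not an identifier,
// and one that is syntactically fine but not whitelisted.
foreach (['title', 'user_name', 'title; other_code()', 'missing'] as $input) {
    try {
        printf("%-22s => %s\n", var_export($input, true), resolve_safely($allowed, $input));
    } catch (Exception $e) {
        printf("%-22s => rejected (%s)\n", var_export($input, true), $e->getMessage());
    }
}
```

The whitelist is the important part: the regular expression stops the name from carrying code, but on its own it would still let a caller read any variable in scope, so the lookup is restricted to an array you populate deliberately rather than to whatever happens to be defined.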