https://sourceforge.net/p/phpmyadmin/feature-requests/1678/2015-07-02T10:08:16.240000ZRecent changes to 1678: Eliminate remaining occurences of eval() in phpMyAdmin to make it work on machines where eval() is disabled2015-07-02T10:08:16.240000Z2015-07-02T10:08:16.240000ZMadhura Jayaratnehttps://sourceforge.net/u/madhuracj/https://sourceforge.netff7bc77cc787bbf1a17e302b9c991291757ab55b

<div class="markdown_content"><p>For the advisor, the alternative would be to move the logic of the rules to PHP. However, I do not see a security threat in using eval here as no user input it involved.</p></div>

2015-06-03T16:02:55.133000Z2015-06-03T16:02:55.133000ZMarc Delislehttps://sourceforge.net/u/lem9/https://sourceforge.net4774a8fc029b058389b27dfe6b95ef93ab4cc31a

<div class="markdown_content"><p>Ticket moved from /p/phpmyadmin/bugs/4935/</p></div>

2015-06-02T12:43:02.686000Z2015-06-02T12:43:02.686000ZMarc Delislehttps://sourceforge.net/u/lem9/https://sourceforge.netafdb154e97a3b21601d837159ed96dd1ee53377f

<div class="markdown_content"><p>Yes, I was wondering whether the two reasons given are still valid. Especially the one about PHP crashing might no longer be true.</p></div>

2015-06-02T12:25:56.081000Z2015-06-02T12:25:56.081000ZMadhura Jayaratnehttps://sourceforge.net/u/madhuracj/https://sourceforge.net21f1b6aa6d6c859ceab575e0498b52316b466c68

<div class="markdown_content"><p>Indeed, I'll have a look for possible alternatives. <br /> For the record, this is why we do not use native Gettext in PHP. <a href="https://wiki.phpmyadmin.net/pma/Gettext_for_developers#Why_not_to_use_native_Gettext_in_PHP" rel="nofollow">https://wiki.phpmyadmin.net/pma/Gettext_for_developers#Why_not_to_use_native_Gettext_in_PHP</a></p></div>

2015-06-02T12:20:40.027000Z2015-06-02T12:20:40.027000ZMadhura Jayaratnehttps://sourceforge.net/u/madhuracj/https://sourceforge.net2c868a646048d91951a5c60b7958a8982e6b412a

<div class="markdown_content"><ul> <li><strong>assigned_to</strong>: Madhura Jayaratne --&gt; nobody </li> </ul></div>

2015-06-02T12:18:42.119000Z2015-06-02T12:18:42.119000ZMarc Delislehttps://sourceforge.net/u/lem9/https://sourceforge.net242f32b3396970d3a7d2c025d2902ac93a205ca5

<div class="markdown_content"><p>But php-gettext's last update was on 2010-12-24, maybe we should do something about it.</p></div>

2015-06-02T12:13:02.347000Z2015-06-02T12:13:02.347000ZMadhura Jayaratnehttps://sourceforge.net/u/madhuracj/https://sourceforge.net4ef16a1d59b0b03a76e70754d1b4f7e66f9cfeaf

<div class="markdown_content"><p>php-gettext is a third party library used by phpMyAdmin. </p></div>

2015-06-02T10:16:42.209000Z2015-06-02T10:16:42.209000ZMadhura Jayaratnehttps://sourceforge.net/u/madhuracj/https://sourceforge.net59217705341c57a6cf89a6b56406d741f42be878

<div class="markdown_content"><ul> <li><strong>assigned_to</strong>: Madhura Jayaratne</li> </ul></div>

2015-06-01T13:54:16.593000Z2015-06-01T13:54:16.593000ZThoronadorhttps://sourceforge.net/u/thoronador/https://sourceforge.net53c427406f778f2d68b93153d338c70e5b908368

<div class="markdown_content"><p>A few of the PHP scripts in phpMyAdmin use the eval() language construct of PHP. However, some hosts disable that feature for security reasons, e.g. <a class="" href="http://suhosin.org/stories/configuration.html#suhosin-executor-disable-eval" title="suhosin.executor.disable_eval" rel="nofollow">with the help of Suhosin</a>. Hence, phpMyAdmin will not work on hosts with such configurations.</p> <p>Could you please rewrite the affected scripts (there are only a few as of release 4.4.8) so that they do not use eval() at all? That would allow folks to use phpMyAdmin on machines that disabled eval().</p> <p>Relevant scripts might be the following:</p> <div class="codehilite"><pre><span class="o">~/</span><span class="nt">git_repos</span><span class="o">/</span><span class="nt">phpmyadmin</span><span class="o">$</span> <span class="nt">grep</span> <span class="nt">-rn</span> <span class="nt">--fixed-strings</span> <span class="s2">"eval("</span> <span class="nt">--include</span> <span class="err">\</span><span class="o">*</span><span class="nc">.php</span> <span class="o">./</span> <span class="o">./</span><span class="nt">libraries</span><span class="o">/</span><span class="nt">Advisor</span><span class="nc">.class.php</span><span class="nd">:346</span><span class="o">:</span> <span class="nt">eval</span><span class="o">(</span><span class="s1">'$value = '</span> <span class="o">.</span> <span class="o">$</span><span class="nt">expr</span> <span class="o">.</span> <span class="s1">';'</span><span class="o">);</span> <span class="o">./</span><span class="nt">libraries</span><span class="o">/</span><span class="nt">php-gettext</span><span class="o">/</span><span class="nt">gettext</span><span class="nc">.php</span><span class="nd">:361</span><span class="o">:</span> <span class="nt">eval</span><span class="o">(</span><span class="s2">"$string"</span><span class="o">);</span> </pre></div> <p>(There might be more occurences of eval() in earlier releases.)</p></div>

2015-06-01T13:54:16.593000Z2015-06-01T13:54:16.593000ZThoronadorhttps://sourceforge.net/u/thoronador/https://sourceforge.net1da165fcb43c3d14077015b02222f5193cebe0a1

<div class="markdown_content"><p>Ticket 4935 has been modified: Eliminate remaining occurences of eval() in phpMyAdmin to make it work on machines where eval() is disabled<br /> Edited By: Madhura Jayaratne (madhuracj)<br /> Owner updated: None =&gt; u'madhuracj'</p></div>