Is PHP's eval() function vulnerable to code injection when executing a string built from an array?
No, this is not vulnerable to PHP code injection.
The string passed to `eval()` is simply not user-controlled. There is no path from the source `$_GET["cmd1"]` to the sink `eval()`:

- The argument to `eval()` is `$cmd`.
- `$cmd` is assembled from a fixed string and `$params`.
- `$params` is accumulated from a fixed string and `$i`.
- `$i` is an iteration variable that depends on the (fixed) length of the array `$text`.
That said, passing a generated array through `eval()` is certainly not good style, and you're obviously not sanitizing output, which makes the code vulnerable to XSS.
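The taint reasoning in the answer, as an added illustration that is not the original poster's code: the variable names (`$text`, `$params`, `$i`, `$cmd`) follow the answer, but the loop body, the `implode()` call and the helper function names are assumptions. `build_cmd()` assembles the `eval()` argument so that only the integer loop index reaches the string; `build_cmd_tainted()` is the contrasting shape that *would* be code injection, shown but never evaluated; `render()` applies the output escaping the answer says is missing.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer.
// Helper names and loop bodies are assumptions chosen to match the
// answer's description of the data flow.

/**
 * Build the eval() argument the way the answer describes: $params accumulates
 * a fixed string plus the loop index $i, and $cmd is a fixed string plus
 * $params. No request value ever touches the string, so there is no
 * injection path from $_GET to eval().
 */
function build_cmd(array $text): string
{
    $params = '';
    for ($i = 0; $i < count($text); $i++) {
        // Only the integer $i is interpolated; array *contents* are never
        // spliced into the code string, they are referenced by index at runtime.
        $params .= '$text[' . $i . '],';
    }
    return 'return implode(" ", [' . rtrim($params, ',') . ']);';
}

/**
 * Counter-example (never executed here): once a request value is concatenated
 * into the string, the attacker can close the literal and append PHP code.
 */
function build_cmd_tainted(string $userValue): string
{
    return 'return "' . $userValue . '";';
}

/**
 * Evaluate the generated code and HTML-escape the result, which removes the
 * XSS the answer points out. eval() shares this function's scope, so the
 * generated code can read $text.
 */
function render(array $text): string
{
    $cmd = build_cmd($text);
    $result = (string) eval($cmd);
    return htmlspecialchars($result, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for whatever $_GET["cmd1"] was split
// into; the markup shows that escaping, not eval(), is what keeps it inert.
$text = ['<b>', 'hello', '</b>'];
echo render($text), PHP_EOL;

// Show, without running it, how the tainted shape breaks: the payload ends the
// string literal and the rest becomes executable code.
echo build_cmd_tainted('"; phpinfo(); //'), PHP_EOL;
```

Run it with `php example.php`. The first line of output is the escaped markup; the second is the generated source of the tainted variant, printed rather than evaluated so the injection is visible without being exercised. The safer fix in practice is to drop `eval()` entirely and call `implode()` on the array directly, since nothing here requires generating code.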