I’m using the code below to automatically load and declare classes so that I only need to put class files in a folder named classes. The part in spl_autoload_register() may seem unnecessary to you, but it is needed for it to work as a WordPress plugin without errors.
It uses eval(), and I’ve seen so many web pages saying that using eval() is bad and can create a security hole. So how could this be dangerous?
$strDirPath = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'classes' . DIRECTORY_SEPARATOR;
// One entry per *.php file in classes/, with the extension stripped off.
$arrClassFiles = array_map(
    function ($a) { return basename($a, '.php'); },
    glob($strDirPath . '*.php')
);
// Autoloader: only include a file whose basename was found in the folder above.
spl_autoload_register(function ($class_name) use ($arrClassFiles, $strDirPath) {
    if (in_array($class_name, $arrClassFiles, true)) {
        include $strDirPath . $class_name . '.php';
    }
});
foreach ($arrClassFiles as $strClassName) {
    $strClassName_alpha = $strClassName . '_Alpha';
    // Declares an empty subclass <Class>_Alpha for every class file found.
    eval("class $strClassName_alpha extends $strClassName {};");
}
print_r(get_declared_classes());
Maybe somebody can put a file with a PHP-code name in the folder? But I don’t see how that could compromise the system.
If they can name a class file something like randomclass {}; echo $db_password;//.php, then you could have a code execution attack. I’m pretty sure that’s not a valid file name, but there are people far wilier than me at crafting valid malicious inputs.
It’s just usually not an attack surface you need to open yourself up to, given that it’s practically always possible to avoid with better code structure.
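The weak point in the question’s loop is that a filename is interpolated straight into the string handed to eval(), so whatever can be stored as a filename becomes PHP source. On Linux filesystems only the slash and the NUL byte are forbidden in a filename, so the filesystem will not reject a name like the one in the answer; the check has to live in the code. The script below is an added example, not code from the question or the answer: it whitelists each basename against the PHP identifier grammar before it can reach eval(), and rejects everything else. The helper name safeClassNames and the constructed filename list are assumptions made for the example; it runs without a classes/ directory because it declares stub base classes itself.

```php
<?php
// Added example (not from the question or answer): whitelist class names
// before they are interpolated into an eval()'d class declaration.

// Strict PHP identifier pattern: ASCII letters, digits, underscore, no leading digit.
const CLASS_NAME_PATTERN = '/^[A-Za-z_][A-Za-z0-9_]*$/';

/**
 * Return only the basenames that are safe to interpolate into a class
 * declaration. Anything else is collected in $rejected for logging.
 */
function safeClassNames(array $files, array &$rejected = []): array
{
    $safe = [];
    foreach ($files as $file) {
        $name = basename($file, '.php');
        if (preg_match(CLASS_NAME_PATTERN, $name) === 1) {
            $safe[] = $name;
        } else {
            $rejected[] = $file;
        }
    }
    return $safe;
}

// Constructed input (hypothetical; no files are read): two ordinary class
// files plus a filename carrying PHP syntax, of the kind the answer describes.
$files = [
    'classes/Foo.php',
    'classes/Bar_Baz.php',
    'classes/randomclass {}; echo $db_password;//.php',
];

$rejected = [];
$names = safeClassNames($files, $rejected);

foreach ($names as $name) {
    // Stub base class so the subclass declaration can run here without
    // any real class files on disk (autoload disabled for the check).
    if (!class_exists($name, false)) {
        eval("class $name {}");
    }
    $alpha = $name . '_Alpha';
    // $name and $alpha are now known to be bare identifiers, so the
    // evaluated string can only ever be a class declaration.
    eval("class $alpha extends $name {}");
}

printf("declared: %s\n", implode(', ', array_map(fn($n) => $n . '_Alpha', $names)));
printf("rejected: %s\n", implode(', ', $rejected));
```

Run with `php example.php`; the two well-formed names produce Foo_Alpha and Bar_Baz_Alpha, and the crafted filename is reported under rejected instead of being executed. The whitelist is the minimum fix for the pattern in the question; if the set of classes is fixed at development time, declaring the _Alpha subclasses in an ordinary source file removes the eval() entirely.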