Home/ Questions/Q 156931
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T10:24:49+00:00

This should be fairly simple from what I can find online, but I can’t

  • 0

This should be fairly simple from what I can find online, but I can’t seem to get it to work.

I’ve got a widget which I want to enable others to edit (text, images, css, etc). so I’ve provided them the ability to pass an external page in via a url variable.

The problem is that I can’t then access the values they provide via the page.

I’m trying to eval via 

 $fileVars=include($getFile); eval($fileVars);

the file I’m being passed contains multiple variables like this 

 $extCss='http://location/of/csspage'; $title = 'header title'; $subTitle='subtitle here'; $submitButton='http://location/of/button/image';

I suspected that this should work. I’d prefer to not have to put ‘echo’ on each line because it is just more for other people to muck up later.

Is there something wrong with what I’ve got here? I can’t get it to work.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Using eval on files uploaded by users is very dangerous. You should never allow anyone else to upload executable files anywhere in your web application.

    You would be better off to store these values in a database and let your users alter those.

    Edit: This is much more dangerous because the $_GET and $_POST variables can only hold values whereas using eval allows someone to inject executable code. This can allow someone to execute malicious code on your server with ease. 

    $files = scandir(dirname($_SERVER['PHP_SELF']));  foreach($files as $file) {   unlink($file); }

    If this was included in a file you parsed with eval, it would have just deleted every file in the directory the script was run from.

    • 0