I have built a course that stores, retrieves, and eval()s code from the SQLite database. Before I recieve leaped for my bad coding practices, let us just treat this like a theoretical and pretend that I've got a valid reason for doing this. Other factors aside, and presuming that user input isn't a factor, it is possible to security risk natural in storing PHP code inside a DB and running it with eval()?

Clarifications:

  • I'm not eval()ing user-posted content.
  • The SQLite DB file is incorporated in the same directory, and it has exactly the same security put on it, because the relaxation of my files.
  • Please no comments on performance, caching, etc. I am conscious of everything.

eval() by itself isn't inscure. It is simply bad practice, unclear and reveals for a lot of bugs and security related issues.

Even when user-posted data is not being saved inside your database, you are still supplying a method to have code saved within the database be performed even when you did not put that code there. If a person were to get into your database server, they might potentially do worse things than drop your database by modifying the code it stores, like removing any files the PHP script has write use of.

Yes. Basically can inject something to your database i quickly might carry it out in your server with the eval.

Are you currently attempting to make use of the database like a hashtable of functions? So that you can call a bit of code based on some key evaluation. The safety problem I see here, may be the database might have other API uncovered somewhere to populate it. Without you knowing/clearly doing the work, some key,value pair might be introduced within the database. Should you used a hashtable of function rather, someone desire to make a commit inside your code repository to alter a function. Now you have to safeguard the DB just like your code's repository.

You are letting the database run any PHP code it wants as whatever user the PHP is running as. Obviously this really is insecure.