by reidjs 944 days ago
What should we use for more security?
1 comments

Basically anything where it's difficult to treat variable values as code. Python, Ruby, Java, and even PHP are much better at this.
I have flashbacks of when my PHP teacher showed us how to turn query parameters into their own variables by using PHP's dynamic variables feature.

He waited a bit, and promptly said to never do that and started to explain the security risks.
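The pattern the teacher demonstrated, as an added example that is not from the thread: the vulnerable handler turns each query parameter into a local variable with PHP's variable variables (`$$key`; `extract($_GET)` has the same effect), so the client can overwrite `$is_admin`, a flag the application set itself. The hardened handler beside it copies only the parameter it expects, after validation, so nothing the client sends can name a variable. The query array, the function names and the `is_admin` flag are constructed for the example.

```php
<?php
// Added example, not code from the thread. A constructed array stands in for $_GET
// so the script runs offline: php variable_variables.php
$query = ['user' => 'alice', 'is_admin' => '1'];   // constructed attacker-controlled input

// Vulnerable: every query key becomes a local variable, so the client can
// define or overwrite any variable in scope, including ones set by the app.
function vulnerable(array $params): string
{
    $is_admin = false;                 // set by the application, never by the client
    foreach ($params as $key => $value) {
        $$key = $value;                // variable variable: the key names the variable
    }
    // extract($params) would do the same thing in one call (EXTR_OVERWRITE is the default)
    return $is_admin ? 'admin' : 'user';
}

// Hardened: pick the expected parameter out by name, validate it, and keep the
// application's own variables out of reach of the request.
function hardened(array $params): string
{
    $is_admin = false;
    $user = null;
    if (isset($params['user']) && preg_match('/^[a-z0-9_]{1,32}$/', $params['user'])) {
        $user = $params['user'];
    }
    return $is_admin ? 'admin' : 'user';
}

echo "vulnerable: " . vulnerable($query) . "\n";
echo "hardened:   " . hardened($query) . "\n";
```

With the constructed input, `vulnerable()` reports `admin` because `$is_admin` has been replaced by the non-empty string `'1'`, while `hardened()` reports `user`; the difference is not the check on `$is_admin` but whether the request is allowed to choose variable names at all.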

Perl is probably worthy of a mention there; with its taint mode you're explicitly forced to test externally-influenced variables before using them.
I've seen `eval()` in production code of several applications. The biggest vulnerability is more often than not the programmer :)
But `eval()` does not violate a programmer's intuition as easily as an arithmetic expression resulting in code execution.