by l0b0
945 days ago
Basically anything where it's difficult to treat variable values as code. Python, Ruby, Java, and even PHP are much better at this.
LelouBil
944 days ago
I have flashbacks of when my PHP teacher showed us how to turn query parameters into their own variables by using PHP's dynamic variables feature.
He waited a bit, and promptly said to never do that and started to explain the security risks.
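The pattern LelouBil's teacher warned against, as an added example that is not code from this thread: a Python analogue (assumption: the thread's case is PHP's variable variables; `SimpleNamespace` here stands in for the script's global scope) in which every query parameter is bound as a variable, beside the version that binds only the names the script expects. The query string is constructed for the demo.

```python
from types import SimpleNamespace
from urllib.parse import parse_qsl

# Python analogue (assumption: the thread's case is PHP) of "every query
# parameter becomes its own variable". The namespace object stands in for
# the script's global variables.


def bind_all_params(query_string, namespace):
    """Unsafe: bind every query parameter as a variable, whatever its name."""
    for name, value in parse_qsl(query_string):
        setattr(namespace, name, value)
    return namespace


def bind_known_params(query_string, namespace, allowed=("page", "q")):
    """Safer: copy only the parameters the script actually expects, so an
    unexpected name can never overwrite server-side state."""
    params = dict(parse_qsl(query_string))
    for name in allowed:
        if name in params:
            setattr(namespace, name, params[name])
    return namespace


def handle_request(query_string, binder):
    """Simulate one request. is_admin is server-side state the request must
    never be able to set; page is a value the request legitimately supplies."""
    ns = SimpleNamespace(is_admin=False, page="home")
    binder(query_string, ns)
    return {"is_admin": ns.is_admin, "page": ns.page}


if __name__ == "__main__":
    # Constructed query string: one expected parameter plus a name that
    # happens to collide with server state.
    query = "page=reports&is_admin=1"
    print("bind everything:", handle_request(query, bind_all_params))
    print("bind known only:", handle_request(query, bind_known_params))
```

With the first binder the request's `is_admin` string replaces the server's `False`; with the allow-list binder only `page` changes. Keeping request data in its own dictionary, rather than in the same scope as trusted state, removes the collision entirely.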
stevekemp
944 days ago
Perl is probably worthy of a mention there: with its taint-mode you're explicitly forced to test externally-influenced variables before using them.
zimmund
943 days ago
I've seen `eval()` in production code of several applications. The biggest vulnerability is more often than not the programmer :)
ovex
943 days ago
But `eval()` does not violate a programmer's intuition as easily as an arithmetic expression resulting in code execution.
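An added example for the two points above (zimmund's `eval()` in production and ovex's arithmetic expression that turns into code execution), not code from this thread: the usual reason `eval()` ends up in production is "I just need to evaluate a user-supplied formula". The evaluator below, written here as an illustration, parses the expression with Python's `ast` module and walks only numeric constants and a fixed set of operators, so anything that is not plain arithmetic (names, calls, attribute access, exponentiation) is rejected instead of executed. The function and exception names are this example's own.

```python
import ast
import operator

# Only these operators are accepted; anything else in the tree is rejected.
# Exponentiation is deliberately absent: it is the usual way a "harmless"
# arithmetic string exhausts CPU and memory.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside plain arithmetic."""


def safe_arith(expr):
    """Evaluate an arithmetic expression from untrusted input without eval()."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise UnsafeExpression(f"not a valid expression: {expr!r}") from e
    return _eval_node(tree.body)


def _eval_node(node):
    # Numeric literals only (bool is a subclass of int, so exclude it).
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise UnsafeExpression(f"disallowed literal: {node.value!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attributes, subscripts, comparisons, lambdas: all refused.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def is_safe_expression(expr):
    """True if expr is accepted by safe_arith; False if it is rejected."""
    try:
        safe_arith(expr)
    except UnsafeExpression:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: two ordinary formulas and two that must be refused.
    for sample in ("2 + 3 * 4", "-(1 + 2)", "max(1, 2)", "x + 1"):
        try:
            print(sample, "=", safe_arith(sample))
        except UnsafeExpression as err:
            print(sample, "rejected:", err)
```

Division by zero still raises `ZeroDivisionError`, which the caller handles like any other bad input; the point is that no input can reach a function call or an import, which is exactly the property `eval()` cannot give you.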