Vulnerability Development mailing list archives

Re: PHP : eval() ?


From: Slow2Show <sl2sho () yahoo com>
Date: 19 Jul 2002 02:31:56 -0000

In-Reply-To: <20020718203227.15908.qmail () mail securityfocus com>

frog-

AFAIK, if magic quotes is on, the only way you could get through
would be with the code below. If it is off,
then you could pass straight through, but from your
output I would guess that your server has magic quotes on.

<?php
// this would be _very_ bad code for a coder to use
// (the original relied on register_globals to fill $evalu from the query string)
$evalu = isset($_GET['evalu']) ? $_GET['evalu'] : '';

// stripslashes() undoes the escaping magic_quotes_gpc added, so the quotes reach eval() intact
eval(stripslashes($evalu));

printf("<br>echo=%s", $evalu);
?>

a valid test string would be:
script.php?evalu=echo%20"start%20";system("ls");echo%20"end";

So in your case, magic quotes are enabled and you are dealing
with a straight eval()... then I believe you won't be able to pass through.

please correct me if I'm wrong,

-Slow2Show-
University of Florida
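The mechanism the message describes, as an added example that is not part of the original post: magic_quotes_gpc backslash-escaped every quote in the request before the script saw it, which turns the test string into something eval() cannot parse, and stripslashes() puts the quotes back. The script below reproduces that escaping with addslashes() so it runs from the command line on any PHP version; the system("ls") in the test string is replaced by a harmless echo so the demo executes no shell command (that substitution and the helper name run_eval are this example's own choices).

```php
<?php
// Added example (not code from the original post): shows what magic_quotes_gpc
// did to the test string before eval() saw it, with and without stripslashes().
// Under PHP < 5.4 with magic_quotes_gpc=On, every ' " \ and NUL in $_GET was
// backslash-escaped on arrival; addslashes() reproduces that transformation here
// so the demo runs from the CLI without a web server.

// The test string from the post, URL-decoded.
$payload = 'echo "start ";system("ls");echo "end";';

// Same payload with the shell command swapped for a harmless echo, so the demo
// runs nothing on the host. (Assumption: system("ls") is the only command in it.)
$demo = str_replace('system("ls")', 'echo "[output of ls]"', $payload);

// What the script receives when magic quotes are on: every " becomes \"
$magic = addslashes($demo);

// Feed one form of the payload to eval() and report what happens.
function run_eval(string $label, string $code): void
{
    echo "$label:\n  code: $code\n  result: ";
    try {
        eval($code);          // the dangerous call under discussion
        echo "\n";
    } catch (ParseError $e) {
        // The escaped quotes leave an unterminated string literal, so eval()
        // never executes anything: the injection is dead on arrival.
        echo "ParseError: ", $e->getMessage(), "\n";
    }
}

run_eval("magic quotes on, straight eval()", $magic);
run_eval("magic quotes on, eval(stripslashes())", stripslashes($magic));
run_eval("magic quotes off, straight eval()", $demo);
```

The first call fails with a ParseError, while the second and third print `start [output of ls]end`, which is the difference between a straight eval() behind magic quotes and the eval(stripslashes()) form the message warns about.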

