I was reading : When (if ever) is eval NOT evil? and a few others guides on the net when to use eval and when not. None of this posts could really answer my question about security concerns in regard of dynamic class compositing at run-time.
Background : As we can't use PHP 5.4 traits to properly mixin in classes into each other, we needed another solution to get dynamic mixins. So we found this particular class on on Github : https://github.com/wellspringworldwide/PHP-ClassMixer/blob/master/ClassMixer.php which does exactly what we want.
I am not really an expert to evaluate such code in regard of potential security risks but maybe somebody on Stackoverflow knows what the risks are of such methods.
As far I understood, the base for security concerns with this method of using eval for class composition are only given when
None of these circumstances are given in our application but I am not sure there are other conditions we need to think about when using eval that way !?
thank you.
Eval basically is bad because it's eval() :D
No seriously:
You should NEVER compose some source and throw it into eval. As soon as your script composing the source has any dependent data sources like a DB backend, the file system reading (especially text-)files or (even worse) some form data there's always the chance of invasive and damaging code being injected. (e.g. ;exec('rm -rf /');)
Using the Decorator Pattern might help you out. Please read this and that as a primer to understanding the Decorator Pattern.