A few of the PHP scripts in phpMyAdmin use the eval() language construct of PHP. However, some hosts disable that feature for security reasons, e.g. with the help of Suhosin. Hence, phpMyAdmin will not work on hosts with such configurations.
Could you please rewrite the affected scripts (there are only a few as of release 4.4.8) so that they do not use eval() at all? That would allow folks to use phpMyAdmin on machines that disabled eval().
Relevant scripts might be the following:
~/git_repos/phpmyadmin$ grep -rn --fixed-strings "eval(" --include \*.php ./
./libraries/Advisor.class.php:346: eval('$value = ' . $expr . ';');
./libraries/php-gettext/gettext.php:361: eval("$string");
(There might be more occurrences of eval() in earlier releases.)
php-gettext is a third party library used by phpMyAdmin.
But php-gettext's last update was on 2010-12-24, maybe we should do something about it.
Indeed, I'll have a look for possible alternatives.
For the record, this is why we do not use native Gettext in PHP. https://wiki.phpmyadmin.net/pma/Gettext_for_developers#Why_not_to_use_native_Gettext_in_PHP
Yes, I was wondering whether the two reasons given are still valid. Especially the one about PHP crashing might no longer be true.
Ticket moved from /p/phpmyadmin/bugs/4935/
For the advisor, the alternative would be to move the logic of the rules to PHP. However, I do not see a security threat in using eval here as no user input is involved.
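One eval()-free way to handle the `eval('$value = ' . $expr . ';')` pattern from the grep output above, as an added example that is not phpMyAdmin code and was not posted by anyone in this ticket. It assumes rule expressions are limited to numbers, named numeric variables, arithmetic, comparisons and parentheses; the class name `RuleExpr` and the variable names `hits` and `misses` are hypothetical.

```php
<?php
// Added example, not phpMyAdmin code (PHP 8.1+). Assumption: rule expressions
// hold only numbers, named numeric variables, + - * /, comparisons and parentheses.
final class RuleExpr {
    private const PREC = ['<' => 1, '<=' => 1, '>' => 1, '>=' => 1, '==' => 1,
                          '!=' => 1, '+' => 2, '-' => 2, '*' => 3, '/' => 3];
    private array $tok;
    private int $pos = 0;
    public function __construct(string $expr, private array $vars) {
        // Whitelist tokenizer: input containing any other character is rejected.
        preg_match_all('~\d+(?:\.\d+)?|[A-Za-z_]\w*|[<>]=?|[=!]=|[-+*/()]~', $expr, $m);
        implode('', $m[0]) === preg_replace('/\s+/', '', $expr) || self::bad('illegal character');
        $this->tok = $m[0];
    }
    private static function bad(string $why): never { throw new InvalidArgumentException($why); }
    public function evaluate(): float|bool {
        $value = $this->expr(1);
        $this->pos === count($this->tok) || self::bad('unexpected trailing token');
        return $value;
    }
    // Precedence climbing over PREC; every operator is left-associative.
    private function expr(int $min): float|bool {
        $l = $this->primary();
        while ((self::PREC[$this->tok[$this->pos] ?? ''] ?? 0) >= $min) {
            $op = $this->tok[$this->pos++];
            $r = $this->expr(self::PREC[$op] + 1);
            $l = match ($op) {
                '+' => $l + $r, '-' => $l - $r, '*' => $l * $r, '/' => $l / $r,
                '<' => $l < $r, '<=' => $l <= $r, '>' => $l > $r, '>=' => $l >= $r,
                '==' => $l == $r, '!=' => $l != $r,
            };
        }
        return $l;
    }
    private function primary(): float|bool {
        $t = $this->tok[$this->pos] ?? '';
        $this->pos++;
        if ($t === '(') {
            $v = $this->expr(1);
            ($this->tok[$this->pos] ?? '') === ')' || self::bad('missing )');
            $this->pos++;
            return $v;
        }
        // A token is either a numeric literal or a name with a numeric value in $vars.
        $n = is_numeric($t) ? $t : ($this->vars[$t] ?? null);
        is_numeric($n) || self::bad("unknown name or operand: '$t'");
        return (float) $n;
    }
}
// Constructed sample input; 'hits' and 'misses' are placeholder variable names.
var_dump((new RuleExpr('hits / (hits + misses) * 100 < 80', ['hits' => 30, 'misses' => 70]))->evaluate());
```

Because nothing in the expression is ever compiled as PHP, this runs on hosts where eval() is disabled; function calls, string literals and unary minus are rejected as unknown operands, and a zero divisor raises PHP's DivisionByZeroError.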