Executing code dynamically is security sensitive. It has led in the past to the following vulnerabilities:

Any code which is dynamically evaluated in your process will have the same permissions as the rest of your code. Thus it is very dangerous to do so with code coming from an untrusted source. Injected Code can either run on the server or in the client (exemple: XSS attack).

The eval function is a way to run arbitrary code at run-time.

According to the PHP documentation

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

This rule marks for review each occurence of dynamic code execution.

Ask Yourself Whether

You are at risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Regarding the execution of unknown code, the best solution is to not run code provided by an untrusted source. If you really need to do it, run the code in a sandboxed environment. Use jails, firewalls and whatever means your operating system and programming language provide (example: Security Managers in java, iframes and same-origin policy for javascript in a web browser).

Do not try to create a blacklist of dangerous code. It is impossible to cover all attacks that way.

As for the use of reflection, it should be strictly controlled as it can lead to many vulnerabilities. Never let an untrusted source decide what code to run. If you have to do it anyway, create a list of allowed code and choose among this list.

Noncompliant Code Example

eval($code_to_be_dynamically_executed)

Exceptions

Calling reflection methods with a hard-coded type name, method name or field name will not raise an issue.

See