Can php variable hold harmfull code safely? [closed]

Answer 1

if will not be printed or eval'd then it's ok to store it in variable as any string variable.

Answer 2

hey are nearly identical. You might want to unset $content in the first example as the second example only creates the local variable as the first parameter of removebadstuff.

Keep in mind that strings in PHP are binary-safe.

Required reading: The ultimate clean/secure function

Answer 3

It depends on how you treat this variable.

In your example, echo $content; will not be harmfull, it will just show the harmfull code, without execute it.

The harmfull examples:

eval($content);

exec($content); // any System program execution function

//preg_relace with e modifier, this is deperecated

// and so on .....

Answer 4

Unless the harmfull code is targeting a vulnerability in file_get_contents() or similar function of PHP itself, then just storing it in a variable should be safe. Outputing it might be unsafe, and running eval on it is most certainly a bad idea.