[Resolved] bad or "dangerous" php code


  • This topic has 9 replies, 3 voices, and was last updated 2 years ago by Tom.

    I am getting messages about GP Premium files from a malware scanner that point to bad / dangerous / suspicious code. Is this something other people have, or something that needs to be addressed by GP? The files are: /wp-content/plugins/gp-premium/elements/class-hooks.php and /wp-content/plugins/gp-premium/hooks/functions/hooks.php


    Customer Support

    Hi there,

    All of GP's code is checked for quality and security.
    This, I believe, is the first time anyone has raised this issue.

    Does the malware scanner provide any more detail regarding the issue?


    Thx. It highlights these lines in
    /wp-content/plugins/gp-premium/hooks/functions/hooks.php :
    line 22

    eval( "?>$value<?php " );

    and in

    line 180

    eval( '?>' . $content . '<?php ' );


    PS: info from the plugin "Security by CleanTalk" (malware scanner)

    Lead Developer

    Hi there,

    The eval() function can be used for bad stuff, which is why security plugins flag it automatically.

    In this case, we’re using it as it’s supposed to be used – nothing bad or dangerous about it.

    Let me know if you have any other questions 🙂


    Thx for your reply.
    I am no expert, but maybe there is an issue that needs to be cleared up.

    The scanner says this code should never be used. Can’t it be converted? Here is an example when I researched eval(): https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval . Similar statement: “Warning: Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). See Never use eval()!, below.”

    There is another reference below about alternatives.


    correction “it is not recommended”

    Lead Developer

    We’ve actually had this double-checked by WordPress security experts. The eval() function can only contain content which is saved by you, the administrator. It’s not possible for a non-administrator to run code through it.

    If someone bad is logged in as an administrator, they can do anything they want through the theme/plugin editor (so that eval() function is the least of your worries).
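
    Added example (not part of the original thread and not GP Premium's code): a PHP illustration of what the flagged eval( '?>' . $content . '<?php ' ) idiom does, and of the point made above that its safety rests on who is allowed to save the content rather than on eval() itself. The function names, the role check and the sample content are hypothetical.

```php
<?php
// Added illustration, not GP Premium's code. Function names, the role list
// and the sample content are hypothetical.

// Save-time gate: content that may contain PHP is stored only when the
// caller holds the privileged role. $roles stands in for the CMS's own
// permission check.
function save_hook(array $roles, string $content, array &$store): bool
{
    if (!in_array('administrator', $roles, true)) {
        return false; // a non-administrator never reaches the stored value
    }
    $store['hook'] = $content;
    return true;
}

/*
 * Render-time: the idiom the scanner flagged. eval() starts in PHP mode, so
 * the leading '?>' switches to template mode and the string is parsed like a
 * .php file (HTML passes through, PHP blocks run). The trailing '<?php '
 * switches back so the evaluated code ends in PHP mode.
 */
function render_hook(string $content): string
{
    ob_start();
    eval('?>' . $content . '<?php ');
    return ob_get_clean();
}

$store = [];

// Constructed input: a subscriber tries to store PHP and is refused.
$rejected = save_hook(['subscriber'], '<?php echo "not stored"; ?>', $store);

// Constructed input: an administrator stores HTML mixed with PHP.
$accepted = save_hook(['administrator'], '<p>2 + 3 = <?php echo 2 + 3; ?></p>', $store);

// Show both save results, whether anything was stored, and the rendered hook.
var_dump($rejected, $accepted, array_key_exists('hook', $store));
echo render_hook($store['hook']), PHP_EOL;
```

    A scanner that matches on the text "eval(" sees only render_hook(); the check in save_hook() that decides what can reach it is outside what a pattern match inspects.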


    ok, thx

    Lead Developer