[Resolved] bad or "dangerous" php code


  • This topic has 9 replies, 3 voices, and was last updated 10 months ago by Tom.
  • #1063674
    Matt

    Hi,
    I am getting messages about GP Premium files from a malware scanner that point to bad / dangerous / suspicious code. Is this something other people have or something that needs to be addressed from GP? The files are: /wp-content/plugins/gp-premium/elements/class-hooks.php and /wp-content/plugins/gp-premium/hooks/functions/hooks.php

    Thanks!

    #1063819
    David
    Staff
    Customer Support

    Hi there,

    All of GP’s code is checked for quality and security.
    This, I believe, is the first time anyone has raised this issue.

    Does the Malware scanner provide any more detail regarding the issue?

    #1064649
    Matt

    Thx. It highlights these lines in
    /wp-content/plugins/gp-premium/hooks/functions/hooks.php :
    line 22

    eval( "?>$value<?php " );

    and in
    /wp-content/plugins/gp-premium/elements/class-hooks.php

    line 180

    eval( '?>' . $content . '<?php ' );

    #1064670
    Matt

    PS: info from the plugin “Security by CleanTalk” (malware scanner)

    #1064977
    Tom
    Lead Developer

    Hi there,

    The eval() function can be used for bad stuff, which is why security plugins flag it automatically.

    In this case, we’re using it as it’s supposed to be used – nothing bad or dangerous about it.

    Let me know if you have any other questions 🙂
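A way to triage scanner hits like the ones in this thread, as an added example (not GeneratePress or CleanTalk code): it lists `eval()` call sites and separates the stored-template shape quoted above from calls that wrap decoders or request input. The two file paths and statements come from the thread; the third sample line, the labels and the function names are constructed for illustration.

```python
import re

# Constructed input: the two flagged statements quoted in this thread, plus one
# constructed line with the obfuscated shape that scanners are built to catch.
SAMPLE = {
    "/wp-content/plugins/gp-premium/hooks/functions/hooks.php":
        'eval( "?>$value<?php " );',
    "/wp-content/plugins/gp-premium/elements/class-hooks.php":
        "eval( '?>' . $content . '<?php ' );",
    "constructed/unknown.php": "eval(gzinflate(base64_decode($_POST['x'])));",
}

# eval( ... ); on one line, ignoring method calls such as $obj->eval(...)
EVAL_CALL = re.compile(r"(?<![\w$>:])eval\s*\((?P<arg>.*)\)\s*;", re.I)
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# '?>' . $var . '<?php ' (or the interpolated form): run a stored string as a
# PHP/HTML template. Whether that is safe depends on who can write $var.
TEMPLATE = re.compile(
    r"""^["']\?>(?:["']\s*\.\s*)?\$\w+(?:\s*\.\s*["'])?<\?php\s*["']$"""
)

def classify(arg: str) -> str:
    """Label one eval() argument so hits can be sorted for review."""
    arg = arg.strip()
    if DECODERS.search(arg) or REQUEST_INPUT.search(arg):
        return "decoder-or-request-input"
    if TEMPLATE.match(arg):
        return "stored-template"
    return "other"

def triage(files: dict) -> list:
    """Return (path, line number, label) for every eval() statement found."""
    findings = []
    for path, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            match = EVAL_CALL.search(line)
            if match:
                findings.append((path, lineno, classify(match.group("arg"))))
    return findings

if __name__ == "__main__":
    for path, lineno, label in triage(SAMPLE):
        print(f"{path}:{lineno}: {label}")
```

A `stored-template` label only sorts the hit for review; it still leaves the question of who can write the variable that reaches `eval()`.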

    #1065086
    Matt

    Thx for your reply
    I am no expert but maybe there is an issue that needs to be cleared up.

    The scanner says this code should never be used. Can’t it be converted? Here is an example when I researched eval(): https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval . Similar statement: “Warning: Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). See Never use eval()!, below.”

    There is another reference below about alternatives.
    https://www.exakat.io/land-where-php-uses-eval/

    #1065087
    Matt

    correction “it is not recommended”

    #1065207
    Tom
    Lead Developer

    We’ve actually had this double-checked by WordPress security experts. The eval() function can only contain content which is saved by you, the administrator. It’s not possible for a non-administrator to run code through it.

    If someone bad is logged in as an administrator, they can do anything they want through the theme/plugin editor (so that eval() function is the least of your worries).

    #1065287
    Matt

    ok, thx

    #1065627
    Tom
    Lead Developer