Site logo

[Resolved] bad or "dangerous" php code

Home Forums Support [Resolved] bad or "dangerous" php code

Popular Articles

Missing style.css

Updating errors

Installing GP Premium

Installing GeneratePress

How to add CSS

How to add PHP

Home Forums Support bad or "dangerous" php code

Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • November 15, 2019 at 1:30 am #1063674
    Matt

    Hi,
    I am getting messages about gp premium files from a malware scanner that point to bad / dangerous / suspicious codes. Is this something other people have or something that needs to be addressed from GP? The files are: /wp-content/plugins/gp-premium/elements/class-hooks.php and /wp-content/plugins/gp-premium/hooks/functions/hooks.php

    Thanks!

    November 15, 2019 at 4:01 am #1063819
    David
    Staff
    Customer Support

    Hi there,

    all of GP’s code is checked for quality and security.
    This i believe is the first time anyone has raised this issue.

    Does the Malware scanner provide any more detail regarding the issue?

    November 16, 2019 at 2:19 am #1064649
    Matt

    Thx. It highlights these lines in
    /wp-content/plugins/gp-premium/hooks/functions/hooks.php :
    line 22

    eval( “?>$value<?php ” );

    and in
    /wp-content/plugins/gp-premium/elements/class-hooks.php

    line 180

    eval( ‘?>’ . $content . ‘<?php ‘ );

    November 16, 2019 at 3:31 am #1064670
    Matt

    PS infos from the plugin “security by cleantalk” (malware scanner)

    November 16, 2019 at 9:13 am #1064977
    Tom
    Lead Developer
    Lead Developer

    Hi there,

    The eval() function can be used for bad stuff, which is why security plugins flag it automatically.

    In this case, we’re using it as it’s supposed to be used – nothing bad or dangerous about it.

    Let me know if you have any other questions 🙂

    November 16, 2019 at 1:16 pm #1065086
    Matt

    Thx for your reply
    I am no expert but maybe there is an issue that needs to be cleared up.

    The scanner says this code should never be used. Can’t it be converted? Here is an example when I researched eval(): https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval . Similar statement: “Warning: Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). See Never use eval()!, below.”

    There is another reference below about alternatives.
    https://www.exakat.io/land-where-php-uses-eval/

    November 16, 2019 at 1:16 pm #1065087
    Matt

    correction “it is not recommended”

    November 16, 2019 at 6:26 pm #1065207
    Tom
    Lead Developer
    Lead Developer

    We’ve actually had this double-checked by WordPress security experts. The eval() function can only contain content which is saved by you, the administrator. It’s not possible for a non-administrator to run code through it.

    If someone bad is logged in as an administrator, they can do anything they want through the theme/plugin editor (so that eval() function is the least of your worries).

    November 17, 2019 at 12:10 am #1065287
    Matt

    ok, thx

    November 17, 2019 at 8:35 am #1065627
    Tom
    Lead Developer
    Lead Developer

    No problem 🙂

  • Author
    Posts
Viewing 10 posts - 1 through 10 (of 10 total)
  • You must be logged in to reply to this topic.

Start building better websites today.

Get Started
GeneratePress

GeneratePress

Solutions

Support

© 2026 EDGE22 Studios Ltd. GeneratePress® is a registered trademark.