I was reading "When (if ever) is eval NOT evil?" and a few other guides on the net about when to use eval and when not to. None of these posts could really answer my question about security concerns regarding dynamic class composition at run-time.
Background: As we can't use PHP 5.4 traits to properly mix classes into each other, we needed another solution to get dynamic mixins. So we found this particular class on GitHub: https://github.com/wellspringworldwide/PHP-ClassMixer/blob/master/ClassMixer.php which does exactly what we want.
I am not really expert enough to evaluate such code with regard to potential security risks, but maybe somebody on Stack Overflow knows what the risks of such methods are.
As far as I understand, the grounds for security concerns with this method of using eval for class composition are only given when:
- The class to be mixed into another class is accessible and modifiable from outside, for instance file or RPC access
- A user can gain access to the running context, i.e., the surrounding code loads plugin code
- A user gains access to the application's working memory and alters data there.
None of these circumstances apply to our application, but I am not sure whether there are other conditions we need to think about when using eval that way?
Thank you.
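
The conditions listed in the question all come down to what can reach the string handed to eval. As an added example (not from the original post and not ClassMixer's code), here is a composer that only lets validated identifiers of already loaded classes into that string; `composeClass()`, `assertLoadedClass()` and the sample classes are hypothetical, and mixins are assumed to have no-argument constructors.

```php
<?php
// Added illustration; composeClass() and assertLoadedClass() are hypothetical helpers,
// not ClassMixer's API. \A...\z (not ^...$) so a trailing newline cannot slip through.
const IDENT = '/\A[A-Za-z_][A-Za-z0-9_]*\z/';

function assertLoadedClass($name)
{
    // No autoloading: a name can never cause a file to be pulled in from disk.
    if (!is_string($name) || !preg_match(IDENT, $name) || !class_exists($name, false)) {
        throw new InvalidArgumentException('refusing class name');
    }
}

function composeClass($newClass, $base, array $mixins)
{
    if (!is_string($newClass) || !preg_match(IDENT, $newClass) || class_exists($newClass, false)) {
        throw new InvalidArgumentException('bad or already defined target class');
    }
    assertLoadedClass($base);
    $methods = ''; $seen = array();
    foreach ($mixins as $mixin) {
        assertLoadedClass($mixin);
        $ref = new ReflectionClass($mixin);
        foreach ($ref->getMethods(ReflectionMethod::IS_PUBLIC) as $m) {
            $name = $m->getName();
            $skip = $m->isStatic() || strpos($name, '__') === 0 || isset($seen[strtolower($name)])
                || method_exists($base, $name) || !preg_match(IDENT, $name);
            if ($skip) { continue; } // magic, static, colliding or non-identifier names
            $seen[strtolower($name)] = true;
            $methods .= "    public function $name() { return call_user_func_array("
                . "array(new $mixin, '$name'), func_get_args()); }\n";
        }
    }
    // Every value interpolated below has passed the identifier check above.
    eval("class $newClass extends $base {\n$methods}");
}

// Constructed sample classes and inputs.
class Base { public function id() { return 'base'; } }
class Greeter { public function greet($who) { return "hello $who"; } }

composeClass('GreetingBase', 'Base', array('Greeter'));
$o = new GreetingBase();
echo $o->greet('world'), ' / ', $o->id(), "\n";
try {
    composeClass('Other', 'Base', array("Greeter {} echo 'injected'; class Z"));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Namespaced class names are deliberately rejected by this pattern; accepting them would need a separate, equally strict pattern for the namespace separator.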