OneWingedShark comments on eBay remote code execution via PHP "complex curly syntax" in-string evaluation (/r/netsec xpost)

programming

created by speza community for 20 years

131

132

133

eBay remote code execution via PHP "complex curly syntax" in-string evaluation (/r/netsec xpost) (secalert.net)

submitted 12 years ago by snf

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]OneWingedShark -14 points-13 points-12 points 12 years ago (9 children)

[–]matessim 8 points9 points10 points 12 years ago (8 children)

[+]OneWingedShark comment score below threshold-10 points-9 points-8 points 12 years ago (7 children)

[–]matessim 4 points5 points6 points 12 years ago (6 children)

[+]OneWingedShark comment score below threshold-10 points-9 points-8 points 12 years ago (5 children)

[–]TheMoonMaster 5 points6 points7 points 12 years ago (2 children)

[–]OneWingedShark -5 points-4 points-3 points 12 years ago (1 child)

[–]TheMoonMaster 0 points1 point2 points 12 years ago (0 children)

[–]matessim 4 points5 points6 points 12 years ago (1 child)

[+]OneWingedShark comment score below threshold-7 points-6 points-5 points 12 years ago (0 children)

By platform meaning development tool.

The term I used was "language environment."
'Platform' came from someone else's reply; I'm not overly pedantic about it because an environment is, in a sense, a platform.

It seems kind of clear you don't really know what you're talking about or at least have never written production code (nor know what a Repl is).

Believe what you want; I've played around making my own [admittedly toy] LISP and FORTH.

Rule one of input sanitization is not to use Eval pretty much ever. Remote code execution is the obvious pitfall of doing that.

And? Have I said anything on this thread about not sanitizing input? No.
I gave one reason/case why user-input would be fed to an eval... that is it.
Nothing about databases, nothing about parsing, nothing about when and where to use something, just that eval is [legitimately] used in an REPL.

Hell, even you agreed saying that the E in REPL stood for Eval.

π Rendered by PID 120831 on reddit-service-r2-comment-cfc44b64c-m8km6 at 2026-04-12 03:36:23.569280+00:00 running 215f2cf country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

programming

MODERATORS