
Why it Matters

PHP's eval() executes a string as PHP code at runtime. Two other functions have historically done the same: assert() evaluates a string argument as code when assertions are enabled (PHP 7.x; string evaluation was deprecated in 7.2 and removed in 8.0), and create_function() builds a function from string fragments by passing them through eval internally (deprecated in 7.2, removed in 8.0). If any part of such a string is controlled by an attacker, they can run their own PHP on the server with the web server user's privileges, which usually leads to complete compromise of the store: reading the database credentials in app/etc/env.php, planting a persistent backdoor, or tampering with the checkout. Code targeting PHP 8 cannot call create_function() at all, but eval() exists on every PHP version, and assert() calls still need review because the same module may run on older PHP.

These functions are also hard to maintain and debug, because they hide logic in strings that editors, static analysers and the opcode cache cannot inspect. Magento and PHP provide safer alternatives for dynamic behaviour without executing raw code: closures and callables, fixed maps from names to handlers, and classes resolved through dependency injection. Removing unsafe dynamic code execution makes the application both more secure and more stable.

Verification Steps

Manual

# Search custom and third-party code for dangerous functions
# (word-boundary match, PHP source and template files only; vendor/ covers third-party modules)
grep -rnE --include='*.php' --include='*.phtml' '\b(eval|assert|create_function)\s*\(' app/code vendor

# A text search also matches comments, string literals and unrelated methods such as $this->assert(),
# so treat every hit as a lead to review by hand. It cannot see calls assembled at runtime,
# for example call_user_func('assert', $expr) or $fn = 'create_' . 'function'; $fn(...),
# so pair it with a review of any code that calls functions by a name it did not hard-code.
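Because grep cannot tell a call from a comment or a string, the tokenizer is the better tool once the first pass produces hits. The script below is an added example and not part of Magento or of this baseline's tooling; it uses PHP's own token_get_all() to report only real eval(), assert() and create_function() calls, skipping comments, string literals, and method or static calls that merely share the name. The directory names app/code and vendor are the usual Magento 2 layout and are assumed; with no arguments it runs on a constructed sample so the behaviour is visible offline.

```php
<?php
// Added example, not Magento code: tokenizer-based scan for eval(), assert()
// and create_function() that ignores comments and string literals.
declare(strict_types=1);

/** Nearest token before ($step = -1) or after ($step = 1) index $i that is not whitespace or a comment. */
function significantToken(array $tokens, int $i, int $step)
{
    $n = count($tokens);
    for ($j = $i + $step; $j >= 0 && $j < $n; $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/** @return array<int, array{0:string,1:int,2:string}> list of [file, line, function name] */
function findDynamicCodeCalls(string $source, string $file): array
{
    $wanted = ['assert', 'create_function'];
    $nameTokens = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {        // PHP 8: "\assert" is a single token
        $nameTokens[] = T_NAME_FULLY_QUALIFIED;
    }
    $notCalls = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    if (defined('T_NULLSAFE_OBJECT_OPERATOR')) {    // PHP 8: "?->"
        $notCalls[] = T_NULLSAFE_OBJECT_OPERATOR;
    }

    $hits = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;                               // punctuation such as '(' or ';'
        }
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) {                       // eval is a language construct with its own token
            $hits[] = [$file, $line, 'eval'];
            continue;
        }
        if (!in_array($id, $nameTokens, true)) {
            continue;
        }
        $name = strtolower(ltrim($text, '\\'));
        if (!in_array($name, $wanted, true)) {
            continue;
        }
        // $obj->assert(), Foo::assert() and "function create_function" are not the built-ins.
        $prev = significantToken($tokens, $i, -1);
        if (is_array($prev) && in_array($prev[0], $notCalls, true)) {
            continue;
        }
        if (significantToken($tokens, $i, 1) === '(') {   // must actually be a call
            $hits[] = [$file, $line, $name];
        }
    }
    return $hits;
}

/** Scan every .php/.phtml file below each root; returns the number of findings. */
function scanTree(array $roots): int
{
    $total = 0;
    foreach ($roots as $root) {
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($files as $info) {
            if (!preg_match('/\.(php|phtml)$/', $info->getFilename())) {
                continue;
            }
            $path = $info->getPathname();
            foreach (findDynamicCodeCalls((string) file_get_contents($path), $path) as [$f, $line, $name]) {
                printf("%s:%d: %s()\n", $f, $line, $name);
                $total++;
            }
        }
    }
    return $total;
}

// Usage: php scan-dynamic-code.php app/code vendor    (paths are assumptions)
// Without arguments, run against a constructed sample instead of the file system.
$roots = array_slice($argv ?? [], 1);
if ($roots === []) {
    $sample = <<<'PHP'
<?php
// eval($x) in a comment is not a call
$s = 'assert($y)';                        // nor inside a string
$this->assert($a);                        // a method, not the built-in
assert($a === $b);                        // reported
$f = create_function('$x', 'return $x;'); // reported
eval($code);                              // reported
PHP;
    foreach (findDynamicCodeCalls($sample, 'sample.php') as [$f, $line, $name]) {
        printf("%s:%d: %s()\n", $f, $line, $name);   // sample.php lines 5, 6 and 7
    }
    exit(0);
}
exit(scanTree($roots) === 0 ? 0 : 1);
```

The non-zero exit status when anything is found lets the script run as a CI gate. On PHP 7 a namespaced function written as Foo\assert(...) is still reported (the tokenizer emits the bare name after a namespace separator), which errs on the side of a false positive; on PHP 8 such names arrive as a single qualified-name token and are skipped.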

Remediation / Fix Guidance

  1. Remove every use of eval(), assert() and create_function() from custom code. On PHP 8 the string forms of the last two no longer execute, but eval() still does, and the same module may be deployed on older PHP.
  2. Replace dynamic code execution with closures or callables looked up in a fixed map, or with classes wired through Magento's dependency injection (di.xml) rather than class names assembled from input.
  3. If behaviour must be configurable, store it as data (an allow-listed operation name plus its parameters) and interpret that data with code that never treats any part of it as PHP. Reject unknown operation names instead of falling back to anything dynamic.
  4. Review third-party modules (vendor/ as well as app/code) the same way; an extension that evaluates configuration values is as exploitable as your own code.
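Step 3 is the one that usually prompts eval() in the first place: a module lets an administrator express a condition such as "price above 100 and SKU starts with WS-", builds a PHP expression from it, and evaluates the string. The class below is an added example, not Magento code, of the configuration-driven alternative: the rule is structured data (here JSON decoded to arrays), every operator name is checked against a fixed allow-list, and nothing in the rule is ever handed to the PHP interpreter. The class name RuleEvaluator, the operator names and the sample rule and record are all assumptions made for the example.

```php
<?php
// Added example, not Magento code: a rule evaluator that replaces the pattern
// eval("return {$field} {$op} {$value};") with data plus an operator allow-list.
declare(strict_types=1);

final class RuleEvaluator
{
    private const OPERATORS = ['eq', 'neq', 'gt', 'gte', 'lt', 'lte', 'in', 'starts_with'];
    private const MAX_DEPTH = 8;   // bound recursion on attacker-shaped rules

    /**
     * @param array $rule   ['and' => [...]], ['or' => [...]], ['not' => rule] or a leaf [field, op, value]
     * @param array $record field => value, e.g. one product row
     */
    public function matches(array $rule, array $record, int $depth = 0): bool
    {
        if ($depth > self::MAX_DEPTH) {
            throw new InvalidArgumentException('rule nested too deeply');
        }
        if (isset($rule['and'])) {
            foreach ($rule['and'] as $sub) {
                if (!$this->matches($sub, $record, $depth + 1)) {
                    return false;
                }
            }
            return true;
        }
        if (isset($rule['or'])) {
            foreach ($rule['or'] as $sub) {
                if ($this->matches($sub, $record, $depth + 1)) {
                    return true;
                }
            }
            return false;
        }
        if (isset($rule['not'])) {
            return !$this->matches($rule['not'], $record, $depth + 1);
        }
        return $this->leaf($rule, $record);
    }

    private function leaf(array $leaf, array $record): bool
    {
        if (count($leaf) !== 3 || !isset($leaf[0], $leaf[1]) || !array_key_exists(2, $leaf)
            || !is_string($leaf[0]) || !is_string($leaf[1])) {
            throw new InvalidArgumentException('leaf must be [field, operator, value]');
        }
        [$field, $op, $expected] = $leaf;
        if (!in_array($op, self::OPERATORS, true)) {
            throw new InvalidArgumentException("operator not allowed: $op");   // rejected, never interpreted
        }
        if (!array_key_exists($field, $record)) {
            return false;
        }
        $actual = $record[$field];
        switch ($op) {
            case 'eq':  return $actual === $expected;
            case 'neq': return $actual !== $expected;
            case 'in':  return is_array($expected) && in_array($actual, $expected, true);
            case 'starts_with':
                return is_string($actual) && is_string($expected) && $expected !== ''
                    && strncmp($actual, $expected, strlen($expected)) === 0;
            default:    // gt, gte, lt, lte: numeric operands only
                if (!is_numeric($actual) || !is_numeric($expected)) {
                    return false;
                }
                $cmp = (float) $actual <=> (float) $expected;
                return ($op === 'gt' && $cmp > 0) || ($op === 'gte' && $cmp >= 0)
                    || ($op === 'lt' && $cmp < 0) || ($op === 'lte' && $cmp <= 0);
        }
    }
}

// Constructed rule as it might be stored in configuration, and a constructed record.
$ruleJson = '{"and":[["price","gt",100],["sku","starts_with","WS-"],{"not":["status","in",["disabled"]]}]}';
$rule = json_decode($ruleJson, true, 16, JSON_THROW_ON_ERROR);
$record = ['sku' => 'WS-1001', 'price' => 149.99, 'status' => 'enabled'];

$evaluator = new RuleEvaluator();
var_dump($evaluator->matches($rule, $record));                                                  // bool(true)
var_dump($evaluator->matches($rule, ['sku' => 'WS-1', 'price' => 50, 'status' => 'enabled']));  // bool(false)
try {
    $evaluator->matches(['sku', 'system', 'id'], $record);   // hostile operator name
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                           // operator not allowed: system
}
```

The rule grammar is deliberately closed: a new comparison means adding an operator to the list and a case to leaf(), never widening what the data may contain. The depth limit and the strict leaf shape check matter because the rule itself may come from an admin account an attacker has taken over, so it is treated as untrusted input rather than as trusted configuration.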

Examples

Fail Example

// Unsafe use of eval: the request parameter is executed verbatim as PHP
$code = $_GET['code'];
eval($code);

Pass Example

// Safe alternative: the request selects an entry from a fixed map of callables,
// so no part of the input is ever interpreted as code.
// doExport() and doImport() stand for the application's own handlers.
$actions = [
    'export' => function () { return doExport(); },
    'import' => function () { return doImport(); },
];
$action = (string) ($_GET['action'] ?? '');   // cast: an array value would be an illegal array offset
if (isset($actions[$action])) {
    $actions[$action]();
} else {
    http_response_code(400);                   // unknown action: reject, never fall back to anything dynamic
}

References