Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
The dangers of PHP eval()
Yup. "Scary, you better make use of include instead" — I read all the time everywhere. I want to hear good case scenarios and feel safe with it.
I use the eval() method as a good resource to build custom website modules written in PHP which are stored and retrieved back from a database. I ENSURED IS SAFE AND CAN ONLY BE ALTERED THROUGH PRIVILEGED USERS. THERE. I SAID IT. You could as well develop a malicious module and share it to be used on the same application, but this application is just for my use at the moment so I don't wanna worry more or I'll become bald.
I had to take out my fear and confront it in front of you guys. If i had to count every single time somebody mentions on Stack Overflow or the comments over PHP documentation about the dangers of using eval I'd quit already.
Tell me if I'm wrong: in a safe environment and trustworthy piece of code is it OK to execute eval('?>'.$pieceOfCode); ... Right?
The reason I store code on the database is because I create/edit modules on the web editor itself.
I use my own coded layers to authenticate a privileged user: A single way to grant access to admin functions through a unique authentication tunnel granting so privileged user to access the editor or send API requests, custom htaccess rules to protect all filesystem behind the domain root path, a custom URI controller + SSL. All this should do the trick to safely use the damn eval(), is that right?!
Unless malicious code is found on the code stored prior to its evaluation.
But FFS, in such scenario, why not better fuck up the framework filesystem instead? Is one password closer than the database.
I will need therapy after this. I swear.
If 'eval is evil' (as it appears in the suggested tags for this post) how can we ensure that third party code is ever trustworthy without even looking at it? This happens already with chrome extensions, or even phone apps a long time after reaching to millions of devices.11 -
Okay..
So, what do I have here?
A cross platform mobile app with NO unit tests.
😕
I have to write a big new feature from scratch. (Things can't go wrong, right?)
Started working on it, pointed out problems with the UI/UX designs. The design changed multiple times, still I thought I could finish it by the expected date. And, so I did.
The feature went through testing, and they found bugs. (Surprise...?)
It's already kinda scary to touch someone's code that has no unit tests and no comments. And I think, it's all the more difficult to not introduce bugs.
Also, had to work on the weekend to fix the bugs.
I had some good learnings here, but I'm not sure how I can prevent bugs without unit tests and proper feedback cycle. :/4 -
Code comment in legacy codebase that says "Mr.Foo Bar doesnt understand why this is required but removing it may result in spontaneous combustion"
-
update : we are at hr round baby!!!
part 1 : https://devrant.com/rants/5528056/...
part 2 (in comments) : https://devrant.com/rants/5550145/...
the tech market is crazy mann! it's one of the top indie fintech companies in our country and has a great valuation.
i totally felt that they i am crashing the interviews , and am seriously not trying to be humble. before the dsa round , i was trying to mug up how insertion sort works 🥲
--------
now my dilemma is should i switch if i get the offer. in a summary:
current company:
- small valuation but profitable (haven't picked funding for last 3 years , so poast valuation is some double digit million $, but can easily be a unicorn company)
- very major b2b player in my country. almost all unicorns (including this fintech company) and some major MNCs are their client and they have recently acquired a few other companies of us and eu too, making them- a decent global player
- meh work : i love being a cutting edge performer in android but here we make sdks that need to support even legacy banking apps. so tech stack is a lot of verbose java and daily routine includes making very minor changes to actual code and more towards adding tests , maintaining wrapper sdks in react/cordova/unity etc, checking client side code etc.
- awesome work life balance : since work is shit and i am fast enough, i am usually working only 2-4 hours a day. i joined gym, got into shape , and have already vsited 5 places in last 6 months, and i am a guy who didn't used to have time even on sundays. here, we get mote paid leaves than what i would usually need.
- learning opportunities: not exactly from the company codebase, but they provide unlimited access to various course learning platforms like linkedin learning, udemy and others, so i joined some web dev baches and i now know decent frontend too. plus those hybrid sdks also give a light context to new things
new company :
- positives : multi billion valuation, one of the top players in fintech , have been mostly profitable ( except a few quarters)
- positive : b2c so its (hopefully) going to put me back into racing shoes with kotlin, jetpack and latest libraries.
- more $$$ for your boy :)
- negetive : they seem to be on hiring spree and am afraid to junp ship after seeing the recent coinbase layoffs. fintech is scary these days
- negetive : if they are hiring people like me, then then they are probably hiring people worse than me 😂. although thats not my concern what my main concer is how they interviewed. they have hired a 3rd party company that takes interviews of people FOR THEM! i find that extremely impolite, like they don't even wanna spare their devs to hire people they are gonna work with. i find this a toxic, robotic culture and if these are the people in there then i would have a terrible time finding some buddy engineer or some helpful senior.
- negetive : most probably a bad wlb : i worked for an year for a fast paced b2c edtech startup. no matter how old these are , b2c are always shipping new stuff and are therefore hectic. i don't like the boredom here but i would miss the free time to workout :(
so ... any thoughts about it?4
Top Tags
Weekly Rant
View