
site hacked

  1. pattam
    Member

    Our website got hacked today and I'm hunting down all the issues that could have been compromised. Installed a plugin called Threat Scan Plugin which looks for exploits and it reported on the use of the eval() function in Gravity Forms code. Is the use of eval() legitimate in Gravity Forms code? If not and I need to reinstall the plugin, is there an easy way to maintain the old setup and database?

    Cheers. Patrick.

    Posted 11 years ago on Monday May 21, 2012 | Permalink
  2. The eval() function in Gravity Forms is legitimate. It is used to perform calculations. We safeguard the eval() call by only allowing numbers and specific math operators (i.e. + - * etc.) to be run through the eval() function, so it can only be used to perform math calculations, and not to execute random code.

    Posted 11 years ago on Monday May 21, 2012 | Permalink
  3. Just wanted to add to what Alex said above, that the screenshot you sent us via Priority Support contains some false positives. It's flagging "doubleval" in the queries contained in your screenshot as being "eval" when it is not. As Alex said, we are using it in a legitimate way and it's not being used in a way that could pose any kind of security risk.

    Despite the fact some people seem to think ALL eval() usage is evil, bad practice or used to hide malicious code... that is like saying PHP is evil and can be used to hide malicious code. It's a function and when used properly and by a programmer that knows what he is doing, it's just another function that can be used to accomplish a goal. There's nothing bad or malicious about it when used properly.

    Posted 11 years ago on Monday May 21, 2012 | Permalink
  4. pattam
    Member

    Great, thanks for putting my mind at ease and I can cross that one off my list. Cheers.

    Posted 11 years ago on Monday May 21, 2012 | Permalink

This topic has been resolved and has been closed to new replies.
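The "doubleval" false positive described in the third reply, as an added example that is not part of the original thread and is not code from Gravity Forms or the scanner plugin: a plain substring match for "eval" compared with a check that only reports real eval() calls. The PHP sample lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed PHP sample lines (not taken from Gravity Forms or any real plugin).
SAMPLE_PHP = r'''<?php
$total = doubleval($row["price"]) * 2;        // eval() is mentioned only in this comment
$label = "call eval(1+1) later";
$result = eval("return " . $expr . ";");
$x = my_eval($expr);
/* eval($legacy); */
$out = @eval ($decoded);
'''

# String literals and comments, blanked out first so their contents cannot match.
# Limitation of this sketch: heredoc/nowdoc bodies are not recognised.
_NOISE = re.compile(
    r'''"(?:\\.|[^"\\])*"      # double-quoted string
      | '(?:\\.|[^'\\])*'      # single-quoted string
      | /\*.*?\*/              # block comment
      | (?://|\#)[^\n]*        # line comment
    ''', re.S | re.X)

# "eval" as its own token followed by "(": not the tail of a longer name such as
# doubleval or my_eval, not a variable ($eval), not a method call (->eval, ::eval).
# PHP keywords are case-insensitive, hence re.I.
_EVAL_CALL = re.compile(r"(?<![\w$])(?<!->)(?<!::)eval\s*\(", re.I)


def naive_hits(src):
    """Line numbers containing the substring 'eval' anywhere (false-positive prone)."""
    return [n for n, line in enumerate(src.splitlines(), 1) if "eval" in line.lower()]


def eval_call_hits(src):
    """Line numbers containing an actual eval( call outside strings and comments."""
    # Replace every non-newline character of a string/comment with a space,
    # so line numbers in the blanked text still match the original file.
    blanked = _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    return [n for n, line in enumerate(blanked.splitlines(), 1) if _EVAL_CALL.search(line)]


if __name__ == "__main__":
    print("substring match:", naive_hits(SAMPLE_PHP))
    print("eval() calls   :", eval_call_hits(SAMPLE_PHP))
```

Each line this check reports still needs manual review of what reaches eval(); the check only removes name-collision and comment/string noise from the list.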