Using eval on mysql data, is my code vulnerable, if so what is a better alternative

Question

I am using the information_schema.columns table to grab some information.

I just want to know if this is a bad idea and whether there is a better alternative.

    if($column['DATA_TYPE'] === 'enem'){
        $options = eval(str_replace('enem(', 'array(', $column['COLUMN_TYPE']));
    }

I chose to use eval and a single str_replace as i thought it was the fastest method of creating the array.

Here is an example of what $column could look like

$column = array(
    ['COLUMN_NAME'] => 'status',
    ['COLUMN_TYPE'] => "enum('failed','success','pending','other')",
    ['DATA_TYPE'] => 'enum',
);

Answer 1

The only real reason not to use eval() in this case is because you want your code to run on for example HHVM by Facebook, which does not support eval afaik. I see no security problems in your particular case, however.

However, if you simply change your code slightly, you could use json_decode:

$options = json_decode('['.substr($column['COLUMN_TYPE'], 5, -1).']);

It's hard to tell which is faster without doing a small benchmark. I suspect this is faster, because str_replace has to search the entire string.

Answer 2

I think your second solution is much more clear and the difference in speed and memory performances will be minor. (You could also use RegExp)

Here is a link which can help you:

How can I get enum possible values in a MySQL database?

Answer 3

Here is one not eval alternative, probably not as quick as the eval but still fast

if($column['DATA_TYPE'] === 'enem'){
    $enums = str_replace(array('enum(', ')'), '', $column['COLUMN_TYPE']);
    $options = explode(',', $enums);
}

More checks might need to be done but it works for enum('failed','success','pending','other')