Critiq Docs

security.execution

Avoid dynamic PHP code execution

Do not execute runtime-generated PHP via eval, string assert, or create_function.

#Metadata

Rule ID: php.security.no-dynamic-eval
Severity: high
Confidence: 0.94
Languages: php
Presets: security, strict
Stability: stable
Applies to: block
Tags: execution, injection, php, rules-catalog, security

#Why it matters

Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.

#Remediation

Replace eval, string assert, and create_function with explicit control flow, parsing, or allowlisted dispatch.
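
The following is an added example, not code from the Critiq rule or its repository: it shows the kind of eval call this rule describes (as a comment only) next to an allowlisted dispatch with explicit operand parsing. The function names operations, parseOperand and dispatch, and the sample requests, are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Flagged pattern, shown only as a comment: the request text becomes PHP source.
//   $result = eval('return ' . $_GET['op'] . '(' . $_GET['a'] . ', ' . $_GET['b'] . ');');

// Allowlist (hypothetical): the request may select one of these keys and nothing else.
function operations(): array
{
    return [
        'add' => static fn (float $a, float $b): float => $a + $b,
        'sub' => static fn (float $a, float $b): float => $a - $b,
        'mul' => static fn (float $a, float $b): float => $a * $b,
        'div' => static function (float $a, float $b): float {
            if ($b === 0.0) {
                throw new DivisionByZeroError('division by zero');
            }
            return $a / $b;
        },
    ];
}

// Explicit parsing: an operand is a float or it is rejected.
function parseOperand(string $raw): float
{
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false) {
        throw new InvalidArgumentException('operand is not a number');
    }
    return $value;
}

function dispatch(string $op, string $left, string $right): float
{
    $ops = operations();
    if (!array_key_exists($op, $ops)) { // exact key match, never a callable looked up by name
        throw new InvalidArgumentException('unsupported operation');
    }
    return $ops[$op](parseOperand($left), parseOperand($right));
}

// Constructed sample requests: two valid, one naming a PHP built-in, one non-numeric operand.
$requests = [['add', '2', '3.5'], ['div', '9', '3'], ['pow', '2', '8'], ['mul', '2', 'two']];
foreach ($requests as [$op, $a, $b]) {
    try {
        printf("%s(%s, %s) = %s\n", $op, $a, $b, dispatch($op, $a, $b));
    } catch (InvalidArgumentException | DivisionByZeroError $e) {
        printf("%s(%s, %s) rejected: %s\n", $op, $a, $b, $e->getMessage());
    }
}
```

Because the request only ever supplies an array key and numeric strings, no request text reaches the PHP parser, and a name such as pow is rejected even though a built-in function with that name exists.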

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.no-dynamic-eval.rule.yaml.