Will It Vibe logoWill It Vibe?
PHP-001High severity-15 points

eval() usage

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

eval() executes its argument as PHP code. Any path from user-controlled data to an eval() call is arbitrary code execution, and even when the argument looks fixed today it is a magnet for that bug being introduced later.

Why it matters

eval() runs its argument as PHP, so any request-influenced string that reaches it is remote code execution. It also defeats static analysis and makes bugs hard to spot in review, since the actual behavior at that line depends entirely on runtime data. Attackers scan specifically for a reachable eval() because it is usually the shortest path to full server compromise.

How to fix it

Replace eval() with the concrete operation it stands in for: a match/switch statement instead of dynamically building code, json_decode instead of evaluating a string as an array literal, or a real templating/expression library if the goal is genuinely dynamic behavior. If it only loads a config-like array, load that from a required file or JSON instead.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks