Eliminate one eval() with dynamic variables

paragonie · May 11, 2024 · 5c96226 · 5c96226
1 parent 52927fd
commit 5c96226
Showing 1 changed file with 18 additions and 10 deletions.
diff --git a/src/InputFilterContainer.php b/src/InputFilterContainer.php
@@ -79,24 +79,32 @@ public function filterValue(string $key, $multiDimensional)
         /** @var array|string $filtered */
         $filtered =& $multiDimensional;
 
-        /**
-         * @security This shouldn't be escapable. We know eval is evil, but
-         *           there's not a more elegant way to process this in PHP.
-         */
+        $var = '';
         if (\is_array($multiDimensional)) {
             $var = '$multiDimensional';
             foreach ($pieces as $piece) {
+                $_var = substr($var, 1);
+                if (is_null(${$_var})) {
+                    ${$var} = [];
+                }
+
                 $append = '[' . self::sanitize($piece) . ']';
 
+                if (!isset(${$var . $append})) {
+                    ${$var . $append} = null;
+                    $var .= $append;
+                    break;
+                }
                 // Alphabetize the parent array
-                eval(
-                    'if (!isset(' . $var . $append . ')) {' . "\n" .
-                    '    ' . $var . $append . ' = null;' . "\n" .
-                    '}' . "\n" .
-                    '\ksort(' . $var . ');' . "\n"
-                );
+                if (is_array(${$var})) {
+                    ksort(${$var});
+                }
                 $var .= $append;
             }
+            /**
+             * @security This shouldn't be escapable. We know eval is evil, but
+             *           there's not a more elegant way to process this in PHP.
+             */
             eval('$filtered =& ' . $var. ';');
         }