Using eval() as a “kill switch” in PHP?

I have several WordPress plugins. Once, one of my plugins generated a PHP error in the admin panel. This prevented the blog owners from upgrading or deleting my plugin.
I want to put PHP commands in a text file on my website, and make the plugin periodically check the page for new commands. Then use eval() to execute the commands.

What are some downsides to this? Other than the plugin will have to make an extra request.

2 comments

  1. Yes. In general eval = evil. In this case, if your page gets hacked or compromised, this can now be cascaded to all the users of your plugin. I highly recommend against this kind of action.

  2. So, you screwed up the plugin and thereby the update mechanism. Using a remote URL include() is not a good failsafe against this. I would rather advise that you split up the plugin functionality and the plugin admin backend.

    I realize WP might not aid this separation of concerns, but it might be the more advisable approach here. — Btw, you might get more concrete recommendations or solutions on WordPress.SE for this topic.
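
One alternative to eval() for the kill switch discussed in this thread, as an added example that is not code from the original post or its commenters: the plugin reads a signed, data-only notice and only ever decides whether to switch itself off. It assumes PHP's sodium extension; the function name and JSON fields are hypothetical, and the keypair is generated inline only for the demo.

```php
<?php
// Added example: data-only kill switch. The plugin never executes what it
// downloads; it verifies a detached Ed25519 signature and reads one flag.
// killswitch_should_disable() and the JSON field names are hypothetical.

/**
 * Decide whether this plugin version should disable itself.
 * Any verification or parsing problem means "keep running", so a
 * compromised or broken web server cannot push behaviour to users.
 */
function killswitch_should_disable(string $body, string $sigB64, string $publicKey, string $pluginVersion): bool
{
    $sig = base64_decode($sigB64, true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature
    }
    if (!sodium_crypto_sign_verify_detached($sig, $body, $publicKey)) {
        return false; // not signed by the author's key: ignore the notice
    }
    $msg = json_decode($body, true);
    if (!is_array($msg) || !isset($msg['disable_versions'], $msg['expires'])) {
        return false; // unexpected structure
    }
    if (!is_array($msg['disable_versions']) || !is_int($msg['expires'])) {
        return false; // wrong field types
    }
    if ($msg['expires'] < time()) {
        return false; // stale notice: limits replay of an old message
    }
    return in_array($pluginVersion, $msg['disable_versions'], true);
}

// --- Constructed demo input. In practice the secret key stays offline and
// only the public key ships inside the plugin. ---
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

$body = json_encode(['disable_versions' => ['1.4.2'], 'expires' => time() + 86400]);
$sig  = base64_encode(sodium_crypto_sign_detached($body, $secretKey));

var_dump(killswitch_should_disable($body, $sig, $publicKey, '1.4.2')); // listed version
var_dump(killswitch_should_disable($body, $sig, $publicKey, '1.5.0')); // unlisted version
$tampered = str_replace('1.4.2', '1.5.0', $body);                      // edited on the server
var_dump(killswitch_should_disable($tampered, $sig, $publicKey, '1.5.0'));
```

With this design, someone who takes over the website can at most withhold or replay a notice until it expires; they cannot run code on the blogs that have the plugin installed.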