The PHP eval() function provides a quick and convenient way of executing string values as PHP code, especially in the initial phases of development or for debugging. However, when used with unknown inputs, it can leave your application vulnerable to code injection. Here’s a typical example of quick-and-dirty query string processing – just a simple echo command, like you might use for debugging parameters. Because the request value is concatenated straight into the code string, anything placed after a semicolon in user_name is executed as additional PHP statements, as the two request URLs below show:
<?php eval("echo " . $_REQUEST["user_name"] . ";"); ?>
http://www.example.com/index.php?user_name=admin;phpinfo();
http://www.example.com/index.php?user_name=admin;system('ls -l');
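The following is an added example, not code from the original article, showing the same parameter echo written so that the request value is treated as data rather than code: no eval(), an allow-list check on the value, and HTML escaping on output. The function names, the allowed character set and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article). Function names, the accepted
// character set and the sample values are assumptions for this illustration.

declare(strict_types=1);

// Accept only what a user name is expected to look like: letters, digits, dots,
// underscores and hyphens, at most 64 characters. Anything else, including the
// ";" and "(" that the injected request URLs rely on, is rejected before use.
function validate_user_name(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $raw) === 1 ? $raw : null;
}

// Render the name as data: no eval(), and escaped for an HTML context.
function render_user_name(?string $raw): string
{
    $name = $raw === null ? null : validate_user_name($raw);
    if ($name === null) {
        return 'invalid user_name';
    }
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs standing in for $_REQUEST["user_name"]:
$samples = [
    'admin',              // accepted
    'admin;phpinfo();',   // rejected: ";" and "(" are outside the allowed set
    'a.b_c-1',            // accepted
    str_repeat('a', 65),  // rejected: longer than 64 characters
    '<b>x</b>',           // rejected by the allow-list; would be escaped anyway
];
foreach ($samples as $s) {
    echo $s, ' => ', render_user_name($s), PHP_EOL;
}

// In the actual request handler:
// echo render_user_name($_REQUEST['user_name'] ?? null);
```

The allow-list is deliberately strict because validation, not escaping, is what keeps request data out of the code path; escaping only protects the HTML output. Note also that eval() is a language construct rather than a function, so it cannot be switched off with the disable_functions directive in php.ini: the only reliable mitigation is to not pass request-derived strings to it, which a code search for eval( across the code base makes straightforward to audit.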