Cybersecurity (god I hate that word) is a whole other can of worms. Obviously using eval is not the best idea, not sure when you'd need to though. But I don't think you have to worry about the typical C/C++ kind of bugs in PHP or .NET and Java for that matter.
Some of the bigger frameworks do some magical stuff though, I know Rails and Java JSPs have ways to autobind query parameters to an object. That could be dangerous apparently, as a recent hack of GitHub showed, if that same object is persisted to your DB via an ORM.
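The autobinding risk mentioned above, as an added example that is not part of the original comment and not Rails or JSP code: binding every request parameter onto an object that gets persisted, next to binding through an explicit allow-list. `User`, `bind_all`, `bind_permitted` and the sample request are hypothetical names and constructed data in plain Ruby.

```ruby
# Added illustration; User, bind_all and bind_permitted are hypothetical names,
# not part of Rails or any other framework.
class User
  ATTRIBUTES = %i[name email admin].freeze
  attr_accessor(*ATTRIBUTES)

  def initialize
    @admin = false
  end

  # Stand-in for what an ORM would write to the database row.
  def to_row
    ATTRIBUTES.to_h { |a| [a, public_send(a)] }
  end
end

# Autobinding: every request parameter that matches a setter is copied onto
# the object, including fields the form never offered (here: admin).
def bind_all(user, params)
  params.each do |key, value|
    setter = "#{key}="
    user.public_send(setter, value) if user.respond_to?(setter)
  end
  user
end

# Hardened form: only an explicit allow-list of fields is bound; everything
# else is returned so the caller can log or reject the request.
def bind_permitted(user, params, permitted)
  rejected = []
  params.each do |key, value|
    if permitted.include?(key.to_sym)
      user.public_send("#{key}=", value)
    else
      rejected << key
    end
  end
  [user, rejected]
end

# Constructed sample input: a profile-update request carrying one extra field.
SAMPLE_PARAMS = { "name" => "alice", "email" => "alice@example.test", "admin" => "true" }.freeze

if __FILE__ == $PROGRAM_NAME
  p bind_all(User.new, SAMPLE_PARAMS).to_row
  user, rejected = bind_permitted(User.new, SAMPLE_PARAMS, %i[name email])
  p user.to_row, rejected
end
```

The rejected list is worth logging: a parameter naming a privileged field that the form never rendered is a useful detection signal.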