I assume you're blocking overwrites of serverCmdEval.
Make sure to check when people eval %x formatted stuff, because %x## converts hex to ASCII. (or is it dec to ascii?)
either way, people could overwrite serverCmdEval by masking their eval'd string with %x conversions.
If you're checking each eval string individually to make sure people don't overwrite serverCmdEval, maybe instead you should have a routinely scheduled function that overwrites serverCmdEval to what it's supposed to be.