die
Below was given a way to prevent eval'd code for interfering with global variables. Otherwise fine idea, which sadly does not work with malicious code. Global variables can be reached from inside of function easily, with or without eval, thus not making eval a way to prevent access to global variables:
<?php
function localeval($code) {
eval($code);
}
$a = "a";
echo '$a before eval code: ' . $a . "\n"; // prints "a"
localeval('$a = \'b\';');
echo '$a after localeval: ' . $a . "\n"; // still prints "a"
eval('$a = \'b\';');
echo '$a after eval: ' . $a . "\n"; // prints "b"
localeval('$GLOBALS["a"] = "c";');
echo '$a after another localeval: ' . $a . "\n"; // will print "c"
localeval('global $a;$a = "2097";');
echo '$a after third localeval: ' . $a . "\n"; // will print "2097"
?>
I personally find it slightly frustrating that PHP cannot be used for code that allows plugins, unless the code is extremely well designed.
eval
(PHP 4, PHP 5)
eval — 文字列を PHP コードとして評価する
説明
指定した code
を PHP コードとして評価します。
警告
eval() は非常に危険な言語構造です。 というのも、任意の PHP コードを実行できてしまうからです。 これを使うことはおすすめしません。 いろいろ検討した結果どうしても使わざるを得なくなった場合は、細心の注意を払って使いましょう。 ユーザーから受け取ったデータをそのまま渡してはいけません。 渡す前に、適切な検証が必要です。
パラメータ
-
code -
有効な PHP コード。これを評価します。
PHP 開始タグを含めてはいけません。つまり、 '<? echo "Hi!"; >' ではなく 'echo "Hi!";' を渡さなければならないということです。 適切に PHP タグを使えば、PHP モードからいったん抜けてもう一度 PHP モードに戻るということも可能です。 たとえば、このようになります。 'echo "PHP モード!"; ?>HTML モード!<? echo "ふたたび PHP モード!";'
それはさておき、渡すコードは PHP として有効な形式でなければなりません。 つまり、すべての文はセミコロンで終了する必要があるということです。 たとえば 'echo "やあ!"' はパースエラーになりますが、 'echo "やあ!";' は動作します。
return 文は、コードの評価をただちに終了します。
コードの実行は、eval() を呼び出したスコープ内で行われます。 したがって、eval() の中で定義したり変更したりした変数は eval() を抜けた後でも参照可能です。
返り値
評価されるコードの中で return が
コールされない限り、eval() は NULL を返します。
return がコールされた場合は、その値を返します。
評価されるコードの中でパースエラーが発生した場合は、
eval() は FALSE を返します。
それ以降のコードは通常通り実行されます。
eval() の中でのパースエラーを
set_error_handler()
で捕捉することはできません。
例
例1 eval() の例 - 簡単なテキストのマージ
<?php
$string = 'cup';
$name = 'coffee';
$str = 'This is a $string with my $name in it.';
echo $str. "\n";
eval("\$str = \"$str\";");
echo $str. "\n";
?>
上の例の出力は以下となります。
This is a $string with my $name in it. This is a cup with my coffee in it.
add a note
User Contributed Notes
eval
f3000d at gmail dot com
27-May-2012 05:02
wbcarts at juno dot com
23-May-2012 10:26
PHP? OR JUST TEXT?
When I am testing code, sometimes I want to see the code ALONG WITH the output. For example, if I am testing this:
for($i = 0; $i < 10; $i++)
{
$die1 = rand(1, 6); // roll die 1
$die2 = rand(1, 6); // roll die 2
$dieTotal = $die1 + $die2;
echo "[$die1][$die2] = $dieTotal\n";
}
I want to see the entire thing outputted to my browser like so:
---- starting from here ----
for($i = 0; $i < 10; $i++)
{
$die1 = rand(1, 6); // roll die 1
$die2 = rand(1, 6); // roll die 2
$dieTotal = $die1 + $die2;
echo "[$die1][$die2] = $dieTotal\n";
}
[5][2] = 7
[1][5] = 6
[5][1] = 6
[3][2] = 5
[3][6] = 9
[5][1] = 6
[6][6] = 12
[1][2] = 3
[4][5] = 9
[1][2] = 3
---- all the way to here ----
With eval() AND a simple TEXT file, I can do that. Just copy the code you are testing into a 'test.txt' file. Note: NO PHP TAGS should be in this file, AND leave a couple of blank lines at the end of the file.
Now in the PHP script, be sure to include the HTML <pre> tags like so:
<pre>
<?php
include('test.txt');
eval(file_get_contents('test.txt'));
?>
</pre>
When the contents of 'test.txt' is ran through the include() function, PHP does not consider it PHP code -- this is because there are no PHP tags in the file and gets outputted straight to the browser. However, when the contents are run through the eval() function, that is a different story -- it is nothing but, pure PHP code!
sc1n at yahoo dot com
28-Mar-2012 12:57
If you would like to handle doing an eval on a string with mixed PHP and other stuff such as HTML, you can use the following:
Example:
<?php
$test_string = 'A friendly llama <?php 1 == 1 ? "spit on" : "hugged"; ?> me';
$p = new PhpStringParser();
echo $p->parse($mixed_string);
?>
Result:
A friendly llama spit on me
You can optionally make variables that are outside of the string you are parsing available to the eval level scope by passing them into the constructor.
Example:
<?php
$llama_action = 'hugged';
$test_string = 'A friendly llama <?=$llama_action?> me';
$p = new PhpStringParser(array('llama_action', $llama_action));
echo $p->parse($mixed_string);
?>
Result:
A friendly llama hugged me
<?php
class PhpStringParser
{
protected $variables;
public function __construct($variables = array())
{
$this->variables = $variables;
}
protected function eval_block($matches)
{
if( is_array($this->variables) && count($this->variables) )
{
foreach($this->variables as $var_name => $var_value)
{
$$var_name = $var_value;
}
}
$eval_end = '';
if( $matches[1] == '<?=' || $matches[1] == '<?php=' )
{
if( $matches[2][count($matches[2]-1)] !== ';' )
{
$eval_end = ';';
}
}
$return_block = '';
eval('$return_block = ' . $matches[2] . $eval_end);
return $return_block;
}
public function parse($string)
{
return preg_replace_callback('/(\<\?=|\<\?php=|\<\?php)(.*?)\?\>/', array(&$this, 'eval_block'), $string);
}
}
?>
bohwaz
04-Feb-2012 10:51
If you want to allow math input and make sure that the input is proper mathematics and not some hacking code, you can try this:
<?php
$test = '2+3*pi';
// Remove whitespaces
$test = preg_replace('/\s+/', '', $test);
$number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
$functions = '(?:sinh?|cosh?|tanh?|abs|acosh?|asinh?|atanh?|exp|log10|deg2rad|rad2deg|sqrt|ceil|floor|round)'; // Allowed PHP functions
$operators = '[+\/*\^%-]'; // Allowed math operators
$regexp = '/^(('.$number.'|'.$functions.'\s*\((?1)+\)|\((?1)+\))(?:'.$operators.'(?2))?)+$/'; // Final regexp, heavily using recursive patterns
if (preg_match($regexp, $q))
{
$test = preg_replace('!pi|π!', 'pi()', $test); // Replace pi with pi function
eval('$result = '.$test.';');
}
else
{
$result = false;
}
?>
I can't guarantee you absolutely that this will block every possible malicious code nor that it will block malformed code, but that's better than the matheval function below which will allow malformed code like '2+2+' which will throw an error.
socram8888 at gmail dot com
12-Nov-2011 12:18
It may be a bit obvious, but if you don't want eval'd code to interfere with main code variables, all you have to do is to call an eval from another function like this:
<?php
function localeval($code) {
return eval($code);
};
$a = "a";
echo '$a before eval code: ' . $a . "\n"; // prints "a"
localeval('$a = \'b\';');
echo '$a after localeval: ' . $a . "\n"; // still prints "a"
eval('$a = \'b\';');
echo '$a after eval: ' . $a . "\n"; // prints "b"
?>
kevin at NOSPAM dot schinkenbraten dot de
20-Oct-2011 05:23
Hey guys.
With the eval()-function it is possible to create functions with specific names.
Imagine if you have an Array and want to create some function of these names.
<?php
// Setting up the names for the functions.
$names = Array ( "foo", "bar", "test", "foobar");
$prefix = "func_";
// Running a loop for the names and setting up the functions.
foreach ($names as $j) {
$function = $prefix.$j;
$code = "function ".$function." () {
echo '".$j."<br />';
}";
eval($code);
}
// Now we can run the functions easily now.
func_foo();
func_bar();
func_test();
func_foobar();
?>
Output will be:
foo
bar
test
foobar
--------
The point is that you don't have to run the function from a variable [create_function()].
I hope this is helpful for someone. ;) Kevin
sfinktah at php dot spamtrak dot org
09-Apr-2011 04:17
If you really want a bullet-proof eval, you can use a socket_pair and fork(). (Not tested under windows).
<?php
function lookupErrorCode($errno) { static $lookup = false;
if ($lookup == false) foreach (array("E_ERROR", "E_WARNING", "E_PARSE", "E_NOTICE",
"E_CORE_ERROR", "E_CORE_WARNING", "E_COMPILE_ERROR", "E_COMPILE_WARNING",
"E_USER_ERROR", "E_USER_WARNING", "E_USER_NOTICE", "E_STRICT", "E_RECOVERABLE_".
"ERROR", "E_DEPRECATED", "E_USER_DEPRECATED") as $k => $v) $lookup[1<<$k] = $v;
return (!empty($lookup[$errno]) ? $lookup[$errno] : "UNKNOWN"); }
function child_exit_handler($socket = NULL) {
static $paired_socket = false;
if ($socket || $socket === false) return $paired_socket = $socket;
if ($paired_socket) {
$e = error_get_last();
$result = "ERROR_" . lookupErrorCode($e["type"]) . ": {$e["message"]}";
if (socket_write($paired_socket, $result, strlen($result)) === false)
echo "socket_write() failed. Reason: ".socket_strerror(socket_last_error($sockets[0]));
socket_close($sockets[0]);
}
exit(2); # Child Process Dies, writing an error to it's paired socket.
}
function forked_eval($eval) {
$sockets = array();
/* On Windows we need to use AF_INET */
$domain = (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN' ? AF_INET : AF_UNIX);
/* Setup socket pair */
if (socket_create_pair($domain, SOCK_STREAM, 0, $sockets) === false) {
echo "socket_create_pair failed. Reason: ".socket_strerror(socket_last_error());
}
switch ($child = pcntl_fork()) {
case -1:
throw new Exception("Could not fork");
case 0:
# Child Thread
register_shutdown_function("child_exit_handler");
child_exit_handler($sockets[0]); # Register the socket
$result = serialize(eval($eval));
child_exit_handler(false); # We didn't crash
if (socket_write($sockets[0], $result, strlen($result)) === false)
echo "socket_write() failed. Reason: ". socket_strerror(socket_last_error($sockets[0]));
socket_close($sockets[0]);
exit(3);
default :
# Parent Thread
if (($nread = socket_recv($sockets[1], $data, 1<<16, 0)) < 1)
echo "socket_read() failed. Reason: ".socket_strerror(socket_last_error($sockets[1]));
if (!strncmp($data, "ERROR_", 6)) {
return substr($data, 6); # throw new Exception(substr($data, 6));
}
socket_close($sockets[1]);
return unserialize($data);
}
}
function safe_eval($cmd, $str = false, $file = false, $line = false, $context = false) {
static $err_strings = array();
if ($cmd === true) return count($err_strings) ? $err_strings : false;
if ($str !== false)
return ($err_strings[] = lookupErrorCode($cmd) . ": $str in $file on line $line") && true;
$err_strings = array(); $old_error_handler = set_error_handler(__FUNCTION__, E_ALL);
$rv = @eval("return true; $cmd") ? forked_eval($cmd)
: ($or = error_get_last()) && call_user_func_array(__FUNCTION__, $or);
restore_error_handler(); return $rv;
}
foreach (array( "return sleep(2) && foobar();"
, "return date('Y-m-d');" , "return touch('/error/error/error') ? 'OK' : 'Failed';"
, "return ==" , "return 2 + array();" , "return foobar();" , "return 2;") as $cmd) {
printf("\nAttempting to evaluate: $cmd\n"); $rv = safe_eval($cmd);
printf("%s\n", ($e = safe_eval(true)) ? "ERROR: $e" : "Result: $rv"); }
?>
Mark Simon
01-Mar-2011 03:29
I have looked for a simple way of forcing PHP to interpolate strings after the event (that is, after they have already been assigned, say from a text file).
The following seems to work:
<?php
$text='$a + $b = $c';
$a=2; $b=3; $c=$a+$b;
print eval("return<<<END\n$text\nEND;\n");
?>
I have even tried it with some potentially evil code, but the context seems to preclude interpreting it as anything other than a string.
Mark
Jordan Rutty
27-Feb-2011 07:52
This function is to automatically sort a 2 dimensional array (like that from mysql fetches) into unlimited dimension array's
<?php
/*
@param $array mysql fetch array
@param $row_key array of rowkeys to be used ex array('country', 'state', 'city');
*/
function LoopRowKey($array, $row_key, &$result=null){
foreach($array as $key => $value){
$i='';
$row_key = (array)$row_key;
foreach($row_key as $var){
if(isset($value[$var])){
$var = $value[$var];
$i .= "['$var']";
}
}
eval("\$result$i".'[]'." = \$value;");
}
return $result;
}
//this function will turn:
$array = array{
array{
'id' => '1',
'country' => 'canada',
'state' => 'QC',
'city' => 'montreal',
}
array{
'id' => '2',
'country' => 'canada',
'state' => 'ON',
'city' => 'toronto',
}
array{
'id' => '3',
'country' => 'canada',
'state' => 'QC',
'city' => 'quebec',
}
};
$row_key = array('country', 'state');
$result = LoopRowKey($array, $row_key);
//will give
$result = array{
'canada' => array{
'QC' => {
'0' => array{
'id' => '1',
'country' => 'canada',
'state' => 'QC',
'city' => 'montreal',
}
'1' => array{
'id' => '3',
'country' => 'canada',
'state' => 'QC',
'city' => 'quebec',
}
}
}
'ON' => {
'0' => array{
'id' => '2',
'country' => 'canada',
'state' => 'ON',
'city' => 'toronto',
}
}
};
?>
piyush25378 at gmail dot com
26-Nov-2010 01:18
When using the eval() function like
eval('?>' . $data['content'] . '<?');
Please be sure to check that the short_open_tag is on in php.ini. Otherwise it will append the opening tag to the string.
If you are using eval function like
eval('?>' . $data['content'] . '<?php'); and you have short_open_tag on there will be parse error. So if it is required to use function like this turn off short_open_tags.
Also it is advisable to put a space after <?php to avoid any accidental error.
jason at joeymail dot net
21-Sep-2010 12:03
An alternative to using eval to mimic include - is to just use include on an in-memory stream. This allows a user-cooked class to pretend it is a stream, so methods which expect a stream or URL will be happy (like include)
i) register a global variable stream wrapper using stream_wrapper_register(). (search the man page for "Example class registered as stream wrapper")
ii) use file_get_contents (or db read or...) to read your php script into a global variable.
eg
$GLOBALS['yourvar']=file_get_contents('somefile.php');
iii) call include with the URL you registered. Using the example wrapper above:
include 'var://yourvar';
Easy as. Not a magic regexp in sight! Enjoy.
php at rijkvanwel dot nl
13-Sep-2010 07:41
To catch a parse error in eval()'ed code with a custom error handler, use error_get_last() (PHP >= 5.2.0).
<?php
$return = eval( 'parse error' );
if ( $return === false && ( $error = error_get_last() ) ) {
myErrorHandler( $error['type'], $error['message'], $error['file'], $error['line'], null );
// Since the "execution of the following code continues normally", as stated in the manual,
// we still have to exit explicitly in case of an error
exit;
}
?>
php at dynamicplus dot it
02-Jul-2010 03:53
Please note that using
eval( 'return TRUE;?>' . $sPhpCode );
is not safe to check if syntax is correct... as this will procuce a fatal error (uncatchable)....
eval( 'return TRUE;?><?php empty( function($var) ); ?>' );
using empty() on a non-pure variable will produce a
compilation error!
darkhogg (foo) gmail (bar) com
30-Mar-2010 10:33
The following code
<?php
eval( '?> foo <?php' );
?>
does not throw any error, but prints the opening tag.
Adding a space after the open tag fixes it:
<?php
eval( '?> foo <?php ' );
?>
vladimiroski at gmail dot com
25-Feb-2010 03:18
Please note that when you do something like this:
<?php
eval('?>' . $code . '<?');
?>
You must end it with '<?' because the following will give you a parse error:
<?php
eval('?>' . $code . '<?php');
?>
Somehow eval() only likes PHP opening short-tag AKA '<?' but fails with '<?php'
john dot risken at gmail dot com
25-Feb-2010 10:35
A simple use of eval:
Sometimes you want to know both the value of a variable being passed to a function and its name. Passing by reference can get you there, but only through a lot of convolutions (as far as I can tell!)
But by using the stem of a variable's name, there are two methods to achieve this.
Say that
<?php
$emailName="me@example.com";
?>
You can pass this information thusly:
First, if you have the stem, "emailName', in a string var
<?php
$theVarStem="emailName";
?>
you can recover the value of the original variable like this:
<?php
$theVarValue=eval("return \$$theVarStem;");
?>
Using 'return' inside the eval is the trick that makes it work - something inherent in the documentation but not at all obvious to me.
Unless $emailName has global scope, this method won't work inside a function. For that purpose, you can do the following:
<?php
myFunction(compact("emailName"))
function myFunction($theInfo)
{
$theVarStem=key($theInfo);
$theVarValue=current($theInfo);
//...
}
?>
I apologize if all this seems too obvious: it took me a lotta sloggin' to figure it out.
ajo at NO dot SPAM dot mydevnull dot net
05-Jan-2010 01:15
Inspired from the users microvalen at NOSPAM dot microvalen dot com and javis, i combined their notes and came up with a very simple "template engine", for testing purposes (to save the time and trouble of downloading and including a real template engine like the Smarty):
<?php
$var = 'dynamic content';
echo eval('?>' . file_get_contents('template.phtml') . '<?');
?>
and the template.phtml:
<html>
<head>
<!-- ... -->
</head>
<body>
<!-- ... -->
<?=$var?>
<!-- ... -->
</body>
</html>
This is something i use a lot (specially when studying new PHP Libraries or trying new jQuery plugins) and i think it might help others too.
Nico
11-Aug-2009 03:27
eval and namespace
For those who wonder: since eval executes the code in another context than the current script, it is possible to evaluate code that uses a particular namespace without changing the current one (and it does not trigger an error if there is no namespace and the evaluated one is not at the top of the script).
Exemple:
<?php
namespace Foo;
echo 'namespace 1: '.__NAMESPACE__."\n";
eval('namespace Bar;
class BarClass {}
echo \'namespace 2: \'.__NAMESPACE__."\n";');
echo 'namespace 1 again: '.__NAMESPACE__."\n";
?>
output:
namespace 1: Foo
namespace 2: Bar
namespace 1 again: Foo
And it will create the class Bar\BarClass.
Also, the eval code will not belong to the namespace of the code that do the eval:
<?php
namespace Foo;
echo 'namespace 1: '.__NAMESPACE__."\n";
eval('class BarClass {}
echo \'namespace 2: \'.__NAMESPACE__."\n";');
?>
output:
namespace 1: Foo
namespace 2: // global namespace
cmr at expansys dot com
31-Jul-2009 12:20
Fixed matheval function when percentage is less than 10:
<?php
function matheval($equation)
{
$equation = preg_replace("/[^0-9+\-.*\/()%]/","",$equation);
// fix percentage calcul when percentage value < 10
$equation = preg_replace("/([+-])([0-9]{1})(%)/","*(1\$1.0\$2)",$equation);
// calc percentage
$equation = preg_replace("/([+-])([0-9]+)(%)/","*(1\$1.\$2)",$equation);
// you could use str_replace on this next line
// if you really, really want to fine-tune this equation
$equation = preg_replace("/([0-9]+)(%)/",".\$1",$equation);
if ( $equation == "" )
{
$return = 0;
}
else
{
eval("\$return=" . $equation . ";" );
}
return $return;
}
?>
webmaster at drakkofox dot net
29-May-2009 09:08
Never, Never ever forget the ";" on the end of the eval string, if you are adding it to eval a variable attribuition;
<?php
$data = "$key"."_$sequence";
eval("\$idct=\$idedit_$data;");
?>
we took a long time to discover that the problem was a ";" missing in the end.
JURGEN AT PERSON DOT BE
12-Mar-2009 01:46
I updated my code because there are many abuses of the function eval() in phpscripts to break security, privacy, to perform callbacks, to execute commands on the server by remote. This could not be allowed in a professional environment which often deals with sensitive, important or financial data.
Code obfuscation is not a safe solution to protect Your source at all. As I do disagree with some programmers to use any ( ! ) solution to encrypt php code. I advocate to not scramble code and to not implement call home events (which hit the firewall or reverse proxy anyway). Call backs do violate privacy of the user. It can be considered as spyware, theft of information. All serverside code should be readable to to verify if no sensitive information is transfered to the vendor or to verify it is not malware. Running scrambled code is as dangerous as to run a server without any security measures. That's why some hosting providers refuse to run scrambled code on their servers. As programmer, the best way You can do is to create many revisions of Your code, as to provide additional plugins, services and support for registered users. So do not encrypt a single line of code at all, do follow the opensource standard and do respect privacy and the right of verification of the user of your scripts.
So here is an updated version, to use with PHP-CLI If it fails in the process, You can invoke with the verbose option so You can follow the process and alter this code.
----- snippet denest.php.sh -----------
#!/usr/bin/php
<?php
// FILE: denest.php.sh
// perform chmod +x denest.php.sh
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <webmaster@purechocolates.com>\n\n";
/* invokation php-cli: #php denest.php <your_nested_script.php> <verbose empty,0=OFF 1=ON> */
$filename_full = $argv[1];
$verbose = (bool) $argv[2];
$filename_base = basename ($filename_full,'.php');
$content = "";
echo "Using: ".$filename_base.".php\n";
echo "Read...\n";
$fp1 = fopen ($filename_full, "r");
$content = fread ($fp1, filesize ($filename_full));
fclose($fp1);
echo "Decode...\n";
while ( is_nested($content) ) $content=denest($content);
dump($content,TRUE);
function is_nested ($text) {
return preg_match("/eval\(gzinflate/",$text);
}
function denest ($text) {
global $verbose;
$text=preg_replace("/<\?php|<\?|\?>/", "", $text);
if ($verbose) dump ($text,FALSE);
eval(preg_replace("/eval/", "\$text=", $text));
if ($verbose) dump ($text,FALSE);
return $text;
}
function dump ($text,$final) {
static $counter = 0 ;
global $filename_base;
$filename_new = ($final) ? ($filename_base.".done.php") : ($filename_base.".".sprintf("%04d", ++$counter).".php");
echo "Writing ".$filename_new."\n";
$fp2 = fopen($filename_new,"w");
fwrite($fp2, trim($text));
fclose($fp2);
}
?>
----- snippet denest.php.sh -----------
microvalen at NOSPAM dot microvalen dot com
21-Feb-2009 10:44
very simple example to includea html file:
<?php
$simple_var = 'This is a simple var';
eval("\$file=\"" . addslashes(implode("", file("test.html"))) . "\";");
print $file;
?>
and the html:
<body>
$simple_var
</body>
javis
09-Feb-2009 01:54
you can actually run strings with html and php code. To do that you need to append ?> and <? simbols like this:
<?php eval("?>" . $code . "<?"); ?>
php at stock-consulting dot com
28-Nov-2008 08:16
Magic constants like __FILE__ may not return what you expect if used inside eval()'d code. Instead, it'll answer something like "c:\directory\filename.php(123) : eval()'d code" (under Windows, obviously, checked with PHP5.2.6) - which can still be processed with a function like preg_replace to receive the filename of the file containing the eval().
Example:
<?php
$filename = preg_replace('@\(.*\(.*$@', '', __FILE__);
echo $filename;
?>
maurice at chandoo dot de
07-Nov-2008 03:20
<?php
function safe_eval($code,&$status) { //status 0=failed,1=all clear
//Signs
//Can't assign stuff
$bl_signs = array("=");
//Language constructs
$bl_constructs = array("print","echo","require","include","if","else",
"while","for","switch","exit","break");
//Functions
$funcs = get_defined_functions();
$funcs = array_merge($funcs['internal'],$funcs['user']);
//Functions allowed
//Math cant be evil, can it?
$whitelist = array("pow","exp","abs","sin","cos","tan");
//Remove whitelist elements
foreach($whitelist as $f) {
unset($funcs[array_search($f,$funcs)]);
}
//Append '(' to prevent confusion (e.g. array() and array_fill())
foreach($funcs as $key => $val) {
$funcs[$key] = $val."(";
}
$blacklist = array_merge($bl_signs,$bl_constructs,$funcs);
//Check
$status=1;
foreach($blacklist as $nono) {
if(strpos($code,$nono) !== false) {
$status = 0;
return 0;
}
}
//Eval
return @eval($code);
}
?>
Note: Try to include this after all of your other self-defined functions and consider whether the blacklist is appropriate for your purpose
I wouldn't recommend this function if you're going to use eval extensively in your script. However, it's worth a try if you are going to put user input into eval
alexis at amigo dot com
04-Nov-2008 08:20
eval vs include
i have to make a script to take code from a database and excute it, but i'm not sure is eval was hight server load than include, so i take the example of Luke at chaoticlogic dot net and test it, the results are great for eval:
test.php
<?php
//establish a blank integer
$increment=0;
//establish the code to be executed
//one hundred million times
$code="\$increment++;";
//remember the time this test started
$started=time();
//execute $code on hundred million times
for ($i=0;$i<100000;$i++) {
eval($code);
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Eval()ed code took $spent seconds to execute 100,000 times.\n";
//re-establish that same blank integer
$increment=0;
//remember the time this second test
//started
$started=time();
//execute the test again, with
//pre-parsed code
for ($i=0;$i<100000;$i++) {
include("increment.php");
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Included file with Pre-parsed code took $spent seconds to execute 100,000 times.\n";
?>
increment.php
<?php
$increment++;
?>
Eval()ed code took 0 seconds to execute 100,000 times. Included file with Pre-parsed code took 17 seconds to execute 100,000 times.
i change 100,000,000 for 100,000 because the script take so much time
Mark dot Sheppard at disney dot com
30-Oct-2008 03:13
One thing to note is that an exit() call inside an eval() exits the entire script, *not* just the eval(), which is what you'd expect if you've ever used eval() in any other language. This makes it somewhat useless in my opinion.
luke at cywh dot com
17-Sep-2008 01:12
Finally, a good use for eval :)!
If you want to be able to check for syntax errors WITHOUT executing the code, add "return true;" before all the code. All execution of the code stops after that mark, and makes eval returns true on no syntax errors, and false on syntax errors.
This is especially useful for anyone making a template system.
Here's a working example:
<?php
function check_syntax($code) {
return @eval('return true;' . $code);
}
print "<b>No Code execution:</b><br />\n";
$code = "print \"<b><i>hello! you don't want me...</i></b><br />\n\";";
var_dump(check_syntax($code)); // Good syntax
print "<br />\n";
var_dump(check_syntax($code . ' ==')); // Bad syntax
print "<br />\n";
print "<b>Code Executed...Bad</b>:<br />\n";
var_dump(eval($code) === null); // Good syntax
print "<br />\n";
var_dump(@eval($code . ' ==') === null); // Bad syntax
?>
asohn at aircanopy dot net
11-Sep-2008 01:45
<?php
$hello[2][4][6][8][10] = 'this is a test';
$w = "[2]";
$o = "[4]";
$r = "[6]";
$l = "[8]";
$d = "[10]";
echo 'hello, '.eval("return \$hello$w$o$r$l$d;");
?>
The above will output:
hello, this is a test
marco at harddisk dot is-a-geek dot org
30-Jun-2008 10:44
eval does not work reliably in conjunction with global, at least not in the cygwin port version.
So:
<?PHP
class foo {
//my class...
}
function load_module($module) {
eval("global \$".$module."_var;");
eval("\$".$module."_var=&new foo();");
//various stuff ... ...
}
load_module("foo");
?>
becomes to working:
<?PHP
class foo {
//my class...
}
function load_module($module) {
eval('$GLOBALS["'.$module.'_var"]=&new foo();');
//various stuff ... ...
}
load_module("foo");
?>
Note in the 2nd example, you _always_ need to use $GLOBALS[$module] to access the variable!
trukin at gmail dot com
11-Jun-2008 08:58
The EVAL function can be used as a fast Template system.
<?php
function parseTemplate($template, $params=array()) {
foreach ($params as $k=>$v) {
$$k = $v;
}
ob_start();
eval("?>" . implode("", file($template)) . "<?");
$c = ob_get_contents();
ob_end_flush();
return $c;
}
?>
Example:
<?php
echo parseTemplate("myTemplate.php", array('account'=>$row));
?>
and myTemplate.php can be like
<?php foreach($account as $k=>$v) : ?>
<?php echo $k; ?>: <?php echo $v; ?>
<?php endforeach; ?>
Ivan Zahariev
02-Apr-2008 01:09
It seems that the Magic constants (http://www.php.net/manual/en/language.constants.predefined.php) do NOT work in an eval()'ed code.
Probably because PHP substitutes these statically when it compiles the source code of your PHP script initially.
So the following will not work as expected:
<?php
function user_func1() {
echo "User function name: ".__FUNCTION__."\n";
eval('echo "in eval(): User function name: ".__FUNCTION__."\n";');
}
?>
Calling user_func1() will output:
User function name: user_func1
User function name:
Luke at chaoticlogic dot net
02-Apr-2008 12:26
I thought it was pertinent to demonstrate just how slow the eval() function is when compared to pre-parsed code, so I wrote this.
In my case, it took 54 seconds to execute the code 100,000,000 times through eval(), and only 4 seconds with pre-parsed code.
<?php
//establish a blank integer
$increment=0;
//establish the code to be executed
//one hundred million times
$code="\$increment++;";
//remember the time this test started
$started=time();
//execute $code on hundred million times
for ($i=0;$i<10000000;$i++) {
eval($code);
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Eval()ed code took $spent seconds to execute 100,000,000 times.\n";
//re-establish that same blank integer
$increment=0;
//remember the time this second test
//started
$started=time();
//execute the test again, with
//pre-parsed code
for ($i=0;$i<10000000;$i++) {
$increment++;
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Pre-parsed code took $spent seconds to execute 100,000,000 times.\n";
?>
I wish there was some way to parse code, store the pre-parsed binary in a variable, and then tell PHP to execute that variable as if it was part of the program.
Ipseno at yahoo dot com
25-Feb-2008 10:24
If you attempt to call a user defined function in eval() and .php files are obfuscated by Zend encoder, it will result in a fatal error.
Use a call_user_func() inside eval() to call your personal hand made functions.
This is user function
<?php
function square_it($nmb)
{
return $nmb * $nmb;
}
?>
//Checking if eval sees it?
<?php
$code = var_export( function_exists('square_it') );
eval( $code ); //returns TRUE - so yes it does!
?>
This will result in a fatal error:
PHP Fatal error: Call to undefined function square_it()
<?php
$code = 'echo square_it(55);' ;
eval( $code );
?>
This will work
<?php
$code = 'echo call_user_func(\'square_it\', 55);' ;
eval( $code );
?>
pierrotevrard at gmail dot com
03-Jul-2007 08:58
A wonderful world of eval() applications
You certainly know how to simulate an array as a constant using eval(), not ? See the code below:
<?php
if( ! defined('MY_ARRAY') )
{
define( 'MY_ARRAY' , 'return ' . var_export( array( 1, 2, 3, 4, 5 ) , true ) . ';' );
}
?>
And far, far away in your code...
<?php
$my_array = eval( MY_ARRAY );
?>
But the grandeur of eval is when you use it to customize some method of a class :
<?php
if( ! class_exists( 'my_class' ) )
{
class my_class
{
//private propreties
var $_prop;
var $_custom_check = 'return true;'; //of course, I want a default check code that return true
//PHP4 constructor
function my_class()
{
$this -> _prop = eval( MY_ARRAY );
}
function customize_check( $code )
{
$this -> _custom_check = $code;
}
function check( $val )
{
return eval( $this -> _custom_check );
}
}
}
$my_class = new my_class();
$check = 'return in_array( $val , $this -> _prop , true );';
$my_class -> customize_check( $check );
print '<pre>';
if( $my_class -> check( 1 ) )
{
echo '1 is checked as true.' . "\n";
}
else
{
echo '1 is checked as false.' . "\n";
}
//show: 1 is checked as true.
if( $my_class -> check( '1' ) )
{
echo '"1" is checked as true.' . "\n";
}
else
{
echo '"1" is checked as false.' . "\n";
}
//show: "1" is checked as false.
print '</pre>';
?>
The application of eval() using propreties of a class gives you so much possibilities...
Of course, combinate with a safer eval code, will be better but if you use it only in your code ( for framework project by example ) that's note necessary...
Have fun.
udo dot schroeter at gmail dot com
26-May-2007 11:40
Safer Eval
eval() is used way to often. It slows down code, makes it harder to maintain and it created security risks. However, sometimes, I found myself wishing I could allow some user-controlled scripting in my software, without giving access to dangerous functions.
That's what the following class does: it uses PHP's tokenizer to parse a script, compares every function call against a list of allowed functions. Only if the script is "clean", it gets eval'd.
<?php
class SaferScript {
var $source, $allowedCalls;
function SaferScript($scriptText) {
$this->source = $scriptText;
$this->allowedCalls = array();
}
function allowHarmlessCalls() {
$this->allowedCalls = explode(',',
'explode,implode,date,time,round,trunc,rand,ceil,floor,srand,'.
'strtolower,strtoupper,substr,stristr,strpos,print,print_r');
}
function parse() {
$this->parseErrors = array();
$tokens = token_get_all('<?'.'php '.$this->source.' ?'.'>');
$vcall = '';
foreach ($tokens as $token) {
if (is_array($token)) {
$id = $token[0];
switch ($id) {
case(T_VARIABLE): { $vcall .= 'v'; break; }
case(T_STRING): { $vcall .= 's'; }
case(T_REQUIRE_ONCE): case(T_REQUIRE): case(T_NEW): case(T_RETURN):
case(T_BREAK): case(T_CATCH): case(T_CLONE): case(T_EXIT):
case(T_PRINT): case(T_GLOBAL): case(T_ECHO): case(T_INCLUDE_ONCE):
case(T_INCLUDE): case(T_EVAL): case(T_FUNCTION): {
if (array_search($token[1], $this->allowedCalls) === false)
$this->parseErrors[] = 'illegal call: '.$token[1];
}
}
}
else
$vcall .= $token;
}
if (stristr($vcall, 'v(') != '')
$this->parseErrors[] = array('illegal dynamic function call');
return($this->parseErrors);
}
function execute($parameters = array()) {
foreach ($parameters as $k => $v)
$$k = $v;
if (sizeof($this->parseErrors) == 0)
eval($this->source);
else
print('cannot execute, script contains errors');
}
}
?>
Usage example:
<?php
$ls = new SaferScript('horribleCode();');
$ls->allowHarmlessCalls();
print_r($ls->parse());
$ls->execute();
?>
Of course it is not entirely safe, but it's a start ;-)
kai dot chan at kaisystems dot co dot uk
16-Mar-2007 03:06
Since JSON started becoming popular. I've started applying the same idea to PHP arrays. Its an alternative to using XML or CSV. For example:
<?php
$from_external_source = '( "a" => "1", "b" => array( "b1" => "2", "b2" => "3" ) )';
eval( '$external_source_as_array = array'.$from_external_source.';' );
if ( is_array( $external_source_as_array ) ) {
// now you can work with the external source as an array
print_r( $external_source_as_array );
}
?>
It can be less verbose than XML, but provide more meta data than CSV, and unlike CSV, data ordering is not an issue.
I used it when I wanted to store log data externally in a text file.
Kai
f dot boender at electricmonk dot nl
15-Jan-2007 12:39
Errors that occur in evaluated code are hard to catch. burninleo at gmx dot net posted some code below that will buffer the output of the evaluated code and search the output for errors. Another way you can do this would be using a custom error handler that's only in effect during the eval() of the code. A very (very) crude example:
<?php
$errors = array();
function error_hndl($errno, $errstr) {
global $errors;
$errors[] = array("errno"=>$errno, "errstr"=>$errstr);
}
function evale ($code) {
global $errors;
$errors = array();
$orig_hndl = set_error_handler("error_hndl");
eval($code);
restore_error_handler();
}
evale('print("foo" . $bar);'); // Undefined variable: bar
var_dump($errors);
//fooarray(1) {
// [0]=>
// array(2) {
// ["errno"]=>
// int(8)
// ["errstr"]=>
// string(23) "Undefined variable: bar"
// }
//}
?>
This will however not catch syntax errors in the code you're trying to eval. This can cause your script to stop with a fatal error inside the eval(). You can catch syntax errors using the Parsekit PECL extension. The parsekit_compile_string() function will try to compile a piece of PHP code and will catch syntax errors if they occur. To extend the earlier piece of code:
<?php
$errors = array();
function error_hndl($errno, $errstr) {
global $errors;
$errors[] = array("errno"=>$errno, "errstr"=>$errstr);
}
function evale ($code) {
global $errors;
$errors = array(); // Reset errors
$orig_hndl = set_error_handler("error_hndl");
if (parsekit_compile_string($code, &$errors, PARSEKIT_QUIET)) {
eval($code);
}
restore_error_handler();
if (count($errors) > 0) {
return(false);
} else {
return(true);
}
}
if (!evale('print("foo . $bar);')) { // syntax error, unexpected $end (no closing double quote)
var_dump($errors);
}
?>
(NOTE: Please do not use the code above directly in your program. It's merely a proof-of-concept).
Dale Kern, Salt Lake City
10-Oct-2006 10:16
If you are trying to get eval() to run a string as if it were from an include file, try this:
<?php eval("?>".$string); ?>
Eval starts in PHP Script mode, break into html mode first thing and you're done.
Nova912
21-Jul-2006 01:17
Well let me just start off by saying that eval(); confused the heck out of me untill I read that you can use Return.
This will help anyone who wants to "Inject" code into an IF statement. My example is a survey site, some questions are required, some are only required if others are checked. So let me share with you my dynamic script and show you how I was able to make a Dynamic IF Statement.
The code below had been altered to be understandable.
<?php
$survey_number = 3 // The third survey. (Out of 10 Surveys)
$rq[3] = array(1,2,3,4,5,6,8,9,11,13,15,17,19,20); // Required Questions for Survey 3 - Some of these can not be "NULL" (not NULL) or they will stop the script from going any further. (In my script I replaced any questions that were not answered with "NULL" using a for loop based on the number of questions in the survey)
$aa[3][4] = ' && '.$q[3].' == "1"'; // Added Arguments - 3 = Survey 3's Arguments, 4= Argument belongs to question 4, $q[1-20] (20 Questions total in this case.
//HERE IS THE DYNAMIC IF STATEMENT
$count = count($rq[$survey_number]);
for ($i=0;$i< $count;$i++)
{
$if_statement = '$q['.$rq[$survey_number][$i].'] == "NULL"';
if(isset($aa[$survey_number][$rq[$survey_number][$i]]))
{
$if_statement .= $aa[$survey_number][$rq[$survey_number][$i]];
}
if(eval("return ".$if_statement.";"))
{
echo $rq[$survey_number][$i].': Is NULL and IS NOT ok.<br>';
}
else
{
echo $rq[$survey_number][$i].': Is NULL and IS ok.<br>';
}
}
?>
In my experiance with this the Added Argument needs to have an actual value inplanted into the string, it did not work by just putting $q[3], i had to use '.$q[3].' to place the value of question 3 in the string.
I hope this help someone, I spent so much time trying to figure this out and want to share how something this simple is done.
Thank you.
brettz9 a/- yah00 do/- com
05-Jul-2006 02:19
I was trying to build a multidimensional array to an unknown dimension (within a loop or "while") and found that eval is, as far as I can tell, the only simple way to solve the problem.
<?php
$arr = array(2,
array("v", "q", 5,
array(5, 8, "g"),
"x"));
$i=3;
$key1 = "[1]";
$key2 = "[".$i."]"; // E.g., could build this conditionally within a loop
$key3 = "[2]";
$keys = $key1.$key2.$key3; // Can add as many keys as needed (could be done instead via a loop with repeated calls to .= )
print $arr{$keys}; // This does not work
print $arr[$keys]; // This also does not work
// However...
eval("\$value = \$arr{$keys};");
print $value; // Correctly prints "g"
?>
burninleo at gmx dot net
25-May-2006 05:51
The only way to retreive information on parse errors in eval'd code seems to be the output buffering.
<?PHP
// Append a return true to php-code to check on errors
$code.= "\nreturn true;";
// Send any output to buffer
ob_start();
// Do eval()
$check = eval($code);
$output = ob_get_contents();
ob_end_clean();
// Send output or report errors
if ($check === true) {
echo $output;
} else {
// Manually parse output for errors and
// generate usable information for the user
// especially content of error-lines.
$pattern = '/^\s*Parse error\s*:(.+) in (.+) on line (\d+)\s*$/m';
etc ...
}
jkuckartz1984 at hotmail dot com
29-Jan-2006 04:01
Might you have to do eval in if statements, you will find it's quite some task to make it work.
The only way to make it work is to make a reference to the eval'd variable. This example will show the different usage of eval in if-statements. It simply becomes clear that an eval() in an if() is not working as you want to.
<?php
$total2=5;
$total3=0;
$i=2;
if (eval("\$total".$i.";")) {
echo "eval: total2 is full<br>";
} else {
echo "eval: total2 is empty<br>";
}
// returns "empty"
// eval without the ";" will generate a warning
$str="\$refer=&\$total".$i.";";
eval($str);
if ($refer) {
echo "eval: total2 is full<br>";
} else {
echo "eval: total2 is empty<br>";
}
// returns "full"
?>
Sarangan Thuraisingham
20-Jan-2006 05:47
The eval function can be misused for Cross Site Scripting(XSS) as well. Les say we have this very trivial page that allows a user to enter a text and see it formated using different styles. If the site designer was lazy and used eval function to come up with somethig like this:
<?php
$mytxt = $_GET["text"];
$strFormats = array( '<h1>$mytxt</h1>',
'<h2>$mytxt</h2>',
'<span class="style1">$mytxt</span>'); //so on
foreach ($strFormats as $style){
eval("echo $style;");
}
?>
This page could be a target for XSS, because user input is not validated. So the hacker could enter any valid PHP commands and the site will execute it. Imagine what could happen if the injected script reads files like config.php and passed it to the hacker's site.
If the file permissions are not set correctly, the injected script could modify the current script. A form's action parameter can be set to a hacker's site or worse every transaction could be secretly posted to another website from within the server. Injected script could be something like this:
<?php
$filename=basename($_SERVER['PHP_SELF']);
$fp = fopen($filename, "a");
$str = echo "<!-- XSS Vulnerability-->"; // could be any PHP command
fwrite($fp, $str);
fclose($fp);
?>
The golden rule is don't trust the user. Always validate data from the client side.
jurgen at person dot be
18-Dec-2005 09:27
eval() is used to protect (read: hide) source code. A well known way to encrypt some php code is security through obscurity. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.
E.g.
<?php
eval(gzinflate(base64_decode('AjHRawIHG1ypUpudV.....')));
?>
However this can be decoded in this way:
<?php
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents);
eval(preg_replace("/eval/", "\$contents=", $contents));
}
echo "3. Writing decoded.txt\n";
$fp2 = fopen("decoded.txt","w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>
onlyphp
24-Nov-2005 06:59
To simulate the register_globals setting in php.ini, you must put it in the top of your php page:
<?php
function rg() {
$ar = array($_POST, $_GET, $_SESSION, $_SERVER);
foreach($ar as $ar_) {
foreach($ar_as $key => $value) {
eval("\$" . $key . " = \"" . $value . "\";");
}
}
}
?>
matt at mattsoft dot net
10-Sep-2005 10:23
to load a php file to a variable then execute it, try this
<?php
$code=file_get_contents("file.php");
$code=str_replace('<'.'?php','<'.'?',$code);
$code='?'.'>'.trim($code).'<'.'?';
eval($code);
?>
using < ?php within eval does not work, but < ? does. in case there is html in the file loaded, the script doesn't remove the < ?php and ? >, but insted adds ? > and < ? around the code loaded from the file. it's simple and works very well. I also broke up the tags in the 3rd and 4th lines of code to keep from having problems if the lines are commented out.
sadi at unicornsoftbd dot com
03-Sep-2005 06:49
I m going to give you my recent exploration about eval. I think you dont need all those complex functions using regex to work HTML in your code. when ever you call eval(), php thinks that it is within <? ?> tags. so all the problem rises. to solve the problem just close your php tag at first of the HTML string, then write the HTML string and then start the php tag.
this is some thing like:
<?php
$teststr="?><html><body>this is the test</body></html><?php";
eval($teststr);
?>
i think this will work for you. at least this worked for me. if you find any problem with this please reply
zcox522 at gmail dot com
17-Aug-2005 12:03
If you send headers after you call the eval() function, you may get this error:
PHP Error: (2) Cannot modify header information - headers already sent by (output started at something...)
In this case, surround your call to eval() with calls to some ob functions:
<?php
$eval = "some code you want to execute";
ob_start();
eval($eval);
ob_end_clean();
?>
admiral [at] nuclearpixel [dot] com
15-Aug-2005 01:02
This function will take any combination of HTML and (properly opened and closed)PHP that is given in a string, and return a value that is the HTML and the RESULT of that PHP code and return them both combined in the order that they were originally written.
I tried using both the eval_html(gave me carp about using 's and "s in the HTML) and html_eval2(gave me the results of the PHP first, then all of the HTML afterwards) posted by the other users on this function's notes, but for some reason, neither of them would really work the way I had understood that they would work,(or in the case of some of my code, work at all)
So I combined the best of what I saw in both, and created eval_html3
<?php
function my_eval($arr) {
return ('echo stripslashes("'.addslashes($arr[0]).'");');
}
function eval_html3($string) {
$string = '<?php ?>'.$string.'<?php ?>';
$string = str_replace( '?>', '', str_replace( array( '<?php', '<?' ), '', preg_replace_callback( "/\?>(.*?)(<\?php|<\?)/", "my_eval", $string ) ) );
return eval($string);
}
?>
Good luck!
jphansen at uga dot edu
08-Aug-2005 12:43
I used eval() to restore a user's session data. I stored $_SESSION to a field in a database as
<?php
addslashes(var_export($_SESSION, TRUE))
?>
To restore it, I executed this code:
<?php
eval("\$_SESSION = $session;");
// $session being the first line of code above
?>
Voila! Session restored.
Without eval(), $_SESSION = $session would have resulted in $_SESSION being a string instead of an array.
the dank
29-Jul-2005 04:26
<?php
$foo1 = "the good,<br>";
$foo2 = "the bad,<br>";
$foo3 = "the ugly.";
for ($i=1; $i <=3; $i++)
{
eval("\$_SESSION['myVar$i'] = \$foo".$i.";");
}
//use below to show what's in session:
echo "<h3>SESSION</h3>";
echo "<table border=1 width=50%>";
echo "<tr bgcolor=\"#3399FF\">";
echo "<td><b><font color=\"#FFFFFF\">Variable Name</font></b></td>";
echo "<td><b><font color=\"#FFFFFF\">Value</font></b></td></tr>";
while(list($key, $val) = each($_SESSION))
{
echo "<tr><td>$key</td><td><b>$val</b></td></tr>";
}
echo "</table>";
die();
/*---------------------------------------------------------
Prints:
myVar1 the good,
myVar2 the bad,
myVar3 the ugly.
*/
?>
privat at timo-damm dot de
29-Jul-2005 01:03
Using the html_eval() some notes above I experienced problems related to *dirty* html. This function is less critical:
<?php
function html_eval2($string) {
return preg_replace_callback("/<\?php(.*?)\?>/","my_eval",$string);
}
function my_eval($arr) {
return eval($arr[1]);
}
?>
Timo
andrejkw
23-Jun-2005 05:50
To use eval output as a variable without the user seeing the output, use this:
<?php
ob_start();
eval("whatever you want");
$eval_buffer = ob_get_contents();
ob_end_clean();
echo $eval_buffer;
?>
Everything that eval produces will now be stored inside $eval_buffer.
Jesse
18-Jun-2005 01:25
a cool way to use eval is to convert strings into variable names.
this is a subsitute for using arrays.
look at this code:
<?php
for($a=1; $a<=5; $a++){
eval("$"."variable".$a."=".$a.";");
}
?>
this will create variables called variable1, variable2, and so on, that are equal to 1, 2, and so on.
i recently used this to help a friend make a Flash game that sent variables like that to PHP.
1413 at blargh dot com
09-Jun-2005 12:58
Just a note when using eval and expecting return values - the eval()'ed string must do the returning. Take the following example script:
<?php
function ReturnArray()
{
return array("foo"=>1, "bar"=>2);
}
$test = eval("ReturnArray();");
print("Got back $test (".count($test).")\n");
$test = eval("return ReturnArray();");
print("Got back $test (".count($test).")\n");
?>
You will get back:
Got back (0)
Got back Array (2)
This ran me afoul for a little bit, but is the way eval() is supposed to work (eval is evaluating a new PHP script).
jtraenkner
10-Apr-2005 09:11
Using eval inside loops is very slow, so try avoiding code like
<?php
for($i=0;$i<10;$i++) {
eval('do_something()');
}
?>
If you absolutely have to, include the entire loop in eval:
<?php
eval('for($i=0;$i<10;$i++) {'.
'do_something();'.
'}');
?>
tom
28-Mar-2005 11:59
Eval can't be used as a callback function so if you want to use the eval function name dynamically use this simple work around:
<?php
if ($function_name == "eval")
{
eval($stuff);
}
else
{
$function_name($stuff);
}
?>
Ben Grabkowitz
26-Mar-2005 06:57
The eval function becomes incredibly useful when dealing with static class members and variables.
For instance:
Lets say you have 3 classes; Foo, BarA and BarB, where BarA and BarB are children of Foo.
Now lets also say that both BarA and BarB contain a static member function called getDataSource().
To call getDataSource() you would have to use the syntax:
<?php
BarA::getDataSource();
BarB::getDataSource();
?>
But lets say you need to access getDataSource() from inside class Foo during an instance of either BarA or BarB.
You can use eval to do something like this:
<?php
eval('$dataSource=' . get_class($this) . '::getDataSource();');
?>
francois at bonzon dot com
27-Feb-2005 07:20
An obvious security reminder, which I think wasn't yet mentioned here. Special care is required when variables entered by the user are passed to the eval() function. You should validate those user inputs, and really make sure they have the format you expect.
E.g., if you evaluate math expressions with something like
<?php
eval("\$result = $equation;");
?>
without any check on the $equation variable, a bad user could enter in the $equation field
""; echo file_get_contents('/etc/passwd')
- or whatever PHP code he wants! - which would evaluate to
<?php
$result = ""; echo file_get_contents('/etc/passwd');
?>
and seriously compromising your security!
avenger at buynet dot com dot br
08-Feb-2005 08:52
This is a small code that uses 'eval' with a foreach (maybe 'for' loop), to fill variables. This is very useful in some hard situations:
<html><title>for loop</title><body><p align=center>
<?php
$thing = array("a","b","c");
$a = "bah" ; $b = "bleh2"; $c = "bluh3";
print("Vars b4: $a, $b, $c. ");
foreach ( $thing as $thingy ) {
print("$thingy, ");
eval("\$$thingy = \"$thingy\";");
};
print("vars aft: $a, $b, $c.");
?>
</p></body></html>
arnico at c4 dot lv
21-Dec-2004 03:28
Dynamically loading php pages!
In michael example ( 02-Sep-2004 05:16) is one big problem. Try to load php page with this content :
-----------------------
<?php
$a = 1;
if($a == 1){
?>
<br />ir?<br />
<?php
}
?>
------------------------
Ups? :) maybe easier way is to do something like that ? please comments :
<?php
function eval_html($string) {
$string = preg_replace("/\?>(.*?)(<\?php|<\?)/si", "echo \"\\1\";",$string);
$string = str_replace("<?php", "", $string);
$string = str_replace("?>", "", $string);
return eval($string);
}
$filename = "page.php";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
echo eval_html($contents);
?>
The html source will be replaced with echo. and problem is gone :) or there are other problems ? please comments.
P.S. sorry about my bad English
mahaixing at hotmail dot com
08-Oct-2004 08:49
When using Dynamic Proxy design pattern we must create a class automaticly. Here is a sample code.
<?php
$clazz = "class SomeClass { var \$value = 'somevalue'; function show() { echo get_class(\$this);}}";
eval($clazz);
$instance = new SomeClass;
// Here output 'somevalue';
echo $instance->value;
echo "<br>";
//Here output 'someclass'
$instance->show();
?>
evildictaitor at hotmail dot com
15-Aug-2004 01:00
Be careful when using eval() on heavy usage sites in PHP 4.0+ as it takes vastly longer to activate due to the limitations of the Zend engine.
The Zend engine changes the PHP to a binary structure at the START of the file, and then parses it. Every time an eval is called, however, it has to reactivate the parsing procedure and convert the eval()'d code into usable binary format again.
Basically, if you eval() code, it takes as long as calling a new php page with the same code inside.
12-Jul-2004 09:37
Kepp the following Quote in mind:
If eval() is the answer, you're almost certainly asking the
wrong question. -- Rasmus Lerdorf, BDFL of PHP