Last updated: Fri, 06 Nov 2009


eval

(PHP 4, PHP 5)

eval - Evaluate a string as PHP code

Description

mixed eval ( string $code_str )

Evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution.

There are some factors to keep in mind when using eval(). Remember that the string passed must be valid PHP code, including things like terminating statements with a semicolon so the parser doesn't die on the line after the eval(), and properly escaping things in code_str. To mix HTML output and PHP code you can use a closing PHP tag to leave PHP mode.

Also remember that variables given values under eval() will retain these values in the main script afterwards.

Parameters

code_str

The code string to be evaluated. code_str does not have to contain PHP opening tags.

A return statement will immediately terminate the evaluation of the string.

Return Values

eval() returns NULL unless return is called in the evaluated code, in which case the value passed to return is returned. If there is a parse error in the evaluated code, eval() returns FALSE and execution of the following code continues normally. It is not possible to catch a parse error in eval() using set_error_handler().

Examples

Example #1 eval() example - simple text merge

<?php
$string = 'cup';
$name = 'coffee';
$str = 'This is a $string with my $name in it.';
echo $str . "\n";
eval("\$str = \"$str\";");
echo $str . "\n";
?>

The above example will output:

This is a $string with my $name in it.
This is a cup with my coffee in it.

Notes

Note: Because this is a language construct and not a function, it cannot be called using variable functions.

Tip

As with anything that outputs its result directly to the browser, the output-control functions can be used to capture the output of this function and save it in a string (for example).

Note: In case of a fatal error in the evaluated code, the whole script exits.

See Also



User Contributed Notes
eval
Nico
11-Aug-2009 10:27
eval and namespace

For those who wonder: since eval executes the code in another context than the current script, it is possible to evaluate code that uses a particular namespace without changing the current one (and it does not trigger an error if there is no namespace and the evaluated one is not at the top of the script).
Example:

<?php
namespace Foo;

echo 'namespace 1: '.__NAMESPACE__."\n";
eval('namespace Bar;
      class BarClass {}
      echo \'namespace 2: \'.__NAMESPACE__."\n";');
echo 'namespace 1 again: '.__NAMESPACE__."\n";
?>

output:
namespace 1: Foo
namespace 2: Bar
namespace 1 again: Foo

And it will create the class Bar\BarClass.

Also, the eval code will not belong to the namespace of the code that does the eval:

<?php
namespace Foo;

echo 'namespace 1: '.__NAMESPACE__."\n";
eval('class BarClass {}
       echo \'namespace 2: \'.__NAMESPACE__."\n";');
?>

output:
namespace 1: Foo
namespace 2: // global namespace
cmr at expansys dot com
31-Jul-2009 07:20
Fixed matheval function when percentage is less than 10:

<?php
function matheval($equation)
  {
    $equation = preg_replace("/[^0-9+\-.*\/()%]/","",$equation);
    // fix percentage calculation when percentage value < 10
    $equation = preg_replace("/([+-])([0-9]{1})(%)/","*(1\$1.0\$2)",$equation);
    // calc percentage
    $equation = preg_replace("/([+-])([0-9]+)(%)/","*(1\$1.\$2)",$equation);
    // you could use str_replace on this next line
    // if you really, really want to fine-tune this equation
    $equation = preg_replace("/([0-9]+)(%)/",".\$1",$equation);
    if ( $equation == "" )
    {
      $return = 0;
    }
    else
    {
      eval("\$return=" . $equation . ";" );
    }
    return $return;
  }
?>
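
Added example (not part of the note above, nor code from the PHP manual): calculator-style input like the strings matheval() accepts can be evaluated by parsing it, so no string ever reaches eval(). The names math_parse(), math_tokenize(), math_expr(), math_term() and math_factor() are hypothetical; the grammar covers numbers, + - * /, unary signs and parentheses, and leaves out the percentage rewriting.

```php
<?php
// Added example: recursive-descent evaluation of arithmetic input.
// Nothing is passed to eval(); all function names are hypothetical.

// Split input into number, operator and parenthesis tokens.
// Returns false when any character falls outside that grammar.
function math_tokenize($input)
{
    $input = preg_replace('/\s+/', '', $input);
    if ($input === '') {
        return false;
    }
    preg_match_all('/\G(?:\d+(?:\.\d+)?|\.\d+|[-+*\/()])/', $input, $m);
    // \G chains the matches; a gap means an unsupported character.
    return (implode('', $m[0]) === $input) ? $m[0] : false;
}

// expr := term (('+' | '-') term)*
function math_expr(array $t, &$i)
{
    $value = math_term($t, $i);
    while ($i < count($t) && ($t[$i] === '+' || $t[$i] === '-')) {
        $op = $t[$i++];
        $rhs = math_term($t, $i);
        $value = ($op === '+') ? $value + $rhs : $value - $rhs;
    }
    return $value;
}

// term := factor (('*' | '/') factor)*
function math_term(array $t, &$i)
{
    $value = math_factor($t, $i);
    while ($i < count($t) && ($t[$i] === '*' || $t[$i] === '/')) {
        $op = $t[$i++];
        $rhs = math_factor($t, $i);
        if ($op === '/' && $rhs == 0) {
            throw new InvalidArgumentException('division by zero');
        }
        $value = ($op === '*') ? $value * $rhs : $value / $rhs;
    }
    return $value;
}

// factor := number | '(' expr ')' | ('+' | '-') factor
function math_factor(array $t, &$i)
{
    if ($i >= count($t)) {
        throw new InvalidArgumentException('unexpected end of input');
    }
    $tok = $t[$i++];
    if ($tok === '-') {
        return -math_factor($t, $i);
    }
    if ($tok === '+') {
        return math_factor($t, $i);
    }
    if ($tok === '(') {
        $value = math_expr($t, $i);
        if ($i >= count($t) || $t[$i++] !== ')') {
            throw new InvalidArgumentException('missing )');
        }
        return $value;
    }
    if (is_numeric($tok)) {
        return (float) $tok;
    }
    throw new InvalidArgumentException('unexpected token ' . $tok);
}

// Entry point: returns a float or throws InvalidArgumentException.
function math_parse($input)
{
    // The length cap also bounds the recursion depth of nested parentheses.
    if (!is_string($input) || strlen($input) > 200) {
        throw new InvalidArgumentException('input too long or not a string');
    }
    $tokens = math_tokenize($input);
    if ($tokens === false) {
        throw new InvalidArgumentException('invalid character in expression');
    }
    $i = 0;
    $value = math_expr($tokens, $i);
    if ($i !== count($tokens)) {
        throw new InvalidArgumentException('unexpected token ' . $tokens[$i]);
    }
    return $value;
}

// Constructed sample inputs: two valid, one division by zero, one non-arithmetic.
foreach (array('2+3*4', '(1.5+2.5)/-2', '10/(5-5)', '2+abc') as $sample) {
    try {
        $result = math_parse($sample);
        echo $sample, ' = ', $result, "\n";
    } catch (InvalidArgumentException $e) {
        echo $sample, ' rejected: ', $e->getMessage(), "\n";
    }
}
?>
```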
webmaster at drakkofox dot net
29-May-2009 04:08
Never, Never ever forget the ";" on the end of the eval string, if you are adding it to eval a variable attribution;
<?php
  $data = "$key"."_$sequence";
  eval("\$idct=\$idedit_$data;");
?>

we took a long time to discover that the problem was a ";" missing in the end.
JURGEN AT PERSON DOT BE
12-Mar-2009 09:46
I updated my code because there are many abuses of the function eval() in phpscripts to break security, privacy, to perform callbacks, to execute commands on the server by remote.  This could not be allowed in a professional environment which often deals with sensitive, important or financial data.

Code obfuscation is not a safe solution to protect Your source at all. As I do disagree with some programmers to use any ( ! ) solution to encrypt php code. I advocate to not scramble code and to not implement call home events (which hit the firewall or reverse proxy anyway). Call backs do violate privacy of the user. It can be considered as spyware, theft of information. All serverside code should be readable to verify if no sensitive information is transferred to the vendor or to verify it is not malware. Running scrambled code is as dangerous as to run a server without any security measures. That's why some hosting providers refuse to run scrambled code on their servers. As programmer, the best way You can do is to create many revisions of Your code, as to provide additional plugins, services and support for registered users. So do not encrypt a single line of code at all, do follow the opensource standard and do respect privacy and the right of verification of the user of your scripts.

So here is an updated version, to use with PHP-CLI  If it fails in the process, You can invoke with the verbose option so You can follow the process and alter this code.

----- snippet denest.php.sh -----------
#!/usr/bin/php
<?php
    // FILE: denest.php.sh
    // perform chmod +x denest.php.sh

    echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <webmaster@purechocolates.com>\n\n";

    /* invocation php-cli:  #php denest.php <your_nested_script.php> <verbose empty,0=OFF 1=ON> */

    $filename_full = $argv[1];
    // the verbose argument is optional; treat a missing argument as OFF
    $verbose       = isset($argv[2]) ? (bool) $argv[2] : false;

    $filename_base = basename ($filename_full,'.php');
    $content       = "";

    echo "Using: ".$filename_base.".php\n";
    echo "Read...\n";
    $fp1      = fopen ($filename_full, "r");
    $content  = fread ($fp1, filesize ($filename_full));
    fclose($fp1);

    echo "Decode...\n";
    while ( is_nested($content) ) $content=denest($content);
    dump($content,TRUE);

    function is_nested ($text) {
        return preg_match("/eval\(gzinflate/",$text);
    }

    function denest ($text) {
        global $verbose;

        $text=preg_replace("/<\?php|<\?|\?>/", "", $text);
        if ($verbose) dump ($text,FALSE);
        eval(preg_replace("/eval/", "\$text=", $text));
        if ($verbose) dump ($text,FALSE);
        return $text;
    }

    function dump ($text,$final) {
        static $counter = 0 ;
        global $filename_base;

        $filename_new = ($final) ? ($filename_base.".done.php") : ($filename_base.".".sprintf("%04d", ++$counter).".php");

        echo "Writing ".$filename_new."\n";
        $fp2 = fopen($filename_new,"w");
        fwrite($fp2, trim($text));
        fclose($fp2);
    }
?>
----- snippet denest.php.sh -----------
microvalen at NOSPAM dot microvalen dot com
22-Feb-2009 06:44
very simple example to include a html file:

<?php

$simple_var = 'This is a simple var';

eval("\$file=\"" . addslashes(implode("", file("test.html"))) . "\";");
print $file;

?>

and the html:
<body>
$simple_var
</body>
javis
09-Feb-2009 09:54
you can actually run strings with html and php code. To do that you need to append ?> and <? symbols like this:

<?php eval("?>" . $code . "<?"); ?>
php at stock-consulting dot com
28-Nov-2008 04:16
Magic constants like __FILE__ may not return what you expect if used inside eval()'d code. Instead, it'll answer something like "c:\directory\filename.php(123) : eval()'d code" (under Windows, obviously, checked with PHP5.2.6) - which can still be processed with a function like preg_replace to receive the filename of the file containing the eval().

Example:

<?php
$filename = preg_replace('@\(.*\(.*$@', '', __FILE__);
echo $filename;
?>
maurice at chandoo dot de
07-Nov-2008 11:20
<?php
function safe_eval($code,&$status) { //status 0=failed,1=all clear
    //Signs
        //Can't assign stuff
    $bl_signs = array("=");

    //Language constructs
    $bl_constructs = array("print","echo","require","include","if","else",
"while","for","switch","exit","break");

    //Functions
    $funcs = get_defined_functions();
    $funcs = array_merge($funcs['internal'],$funcs['user']);

    //Functions allowed
        //Math cant be evil, can it?
    $whitelist = array("pow","exp","abs","sin","cos","tan");

    //Remove whitelist elements
    foreach($whitelist as $f) {
        unset($funcs[array_search($f,$funcs)]);
    }
    //Append '(' to prevent confusion (e.g. array() and array_fill())
    foreach($funcs as $key => $val) {
        $funcs[$key] = $val."(";
    }
    $blacklist = array_merge($bl_signs,$bl_constructs,$funcs);

    //Check
    $status=1;
    foreach($blacklist as $nono) {
        if(strpos($code,$nono) !== false) {
            $status = 0;
            return 0;
        }
    }

    //Eval
    return @eval($code);
}
?>

Note: Try to include this after all of your other self-defined functions and consider whether the blacklist is appropriate for your purpose

I wouldn't recommend this function if you're going to use eval extensively in your script. However, it's worth a try if you are going to put user input into eval
alexis at amigo dot com
05-Nov-2008 04:20
eval vs include

i have to make a script to take code from a database and execute it, but i'm not sure if eval was higher server load than include, so i take the example of Luke at chaoticlogic dot net and test it, the results are great for eval:

test.php
<?php
//establish a blank integer
$increment=0;

//establish the code to be executed
//one hundred million times
$code="\$increment++;";

//remember the time this test started
$started=time();

//execute $code on hundred million times
for ($i=0;$i<100000;$i++) {
    eval($code);
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;

//tell the user this
print "Eval()ed code took $spent seconds to execute 100,000 times.\n";

//re-establish that same blank integer
$increment=0;

//remember the time this second test
//started
$started=time();

//execute the test again, with
//pre-parsed code
for ($i=0;$i<100000;$i++) {
    include("increment.php");
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;

//tell the user this
print "Included file with Pre-parsed code took $spent seconds to execute 100,000 times.\n";
?>

increment.php
<?php
    $increment++;
?>

Eval()ed code took 0 seconds to execute 100,000 times. Included file with Pre-parsed code took 17 seconds to execute 100,000 times.

i change 100,000,000 for 100,000 because the script takes so much time
Mark dot Sheppard at disney dot com
30-Oct-2008 11:13
One thing to note is that an exit() call inside an eval() exits the entire script, *not* just the eval(), which is what you'd expect if you've ever used eval() in any other language.  This makes it somewhat useless in my opinion.
luke at cywh dot com
17-Sep-2008 08:12
Finally, a good use for eval :)!

If you want to be able to check for syntax errors WITHOUT executing the code, add "return true;" before all the code. All execution of the code stops after that mark, and makes eval return true on no syntax errors, and false on syntax errors.

This is especially useful for anyone making a template system.

Here's a working example:

<?php

function check_syntax($code) {
    return @eval('return true;' . $code);
}

print "<b>No Code execution:</b><br />\n";
$code = "print \"<b><i>hello! you don't want me...</i></b><br />\n\";";
var_dump(check_syntax($code)); // Good syntax
print "<br />\n";
var_dump(check_syntax($code . ' ==')); // Bad syntax
print "<br />\n";

print "<b>Code Executed...Bad</b>:<br />\n";
var_dump(eval($code) === null); // Good syntax
print "<br />\n";
var_dump(@eval($code . ' ==') === null); // Bad syntax

?>
asohn at aircanopy dot net
11-Sep-2008 08:45
<?php
$hello[2][4][6][8][10] = 'this is a test';
$w = "[2]";
$o = "[4]";
$r = "[6]";
$l = "[8]";
$d = "[10]";
echo 'hello, '.eval("return \$hello$w$o$r$l$d;");
?>
The above will output:
hello, this is a test
marco at harddisk dot is-a-geek dot org
30-Jun-2008 05:44
eval does not work reliably in conjunction with global, at least not in the cygwin port version.

So:
<?PHP
class foo {
  //my class...
}
function load_module($module) {
  eval("global \$".$module."_var;");
  eval("\$".$module."_var=&new foo();");
  //various stuff ... ...
}
load_module("foo");
?>

becomes, to work:

<?PHP
class foo {
  //my class...
}
function load_module($module) {
  eval('$GLOBALS["'.$module.'_var"]=&new foo();');
  //various stuff ... ...
}
load_module("foo");
?>

Note in the 2nd example, you _always_ need to use $GLOBALS[$module] to access the variable!
trukin at gmail dot com
11-Jun-2008 03:58
The EVAL function can be used  as a fast Template system.

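<?php
function parseTemplate($template, $params=array()) {
  foreach ($params as $k=>$v) {
     $$k = $v;
  }
  ob_start();
  eval("?>" . implode("", file($template)) . "<?");
  $c = ob_get_contents();
  // discard the buffer: ob_end_flush() would print the template here
  // and the caller's echo would then print it a second time
  ob_end_clean();
  return $c;
}
?>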

Example:
<?php

echo parseTemplate("myTemplate.php", array('account'=>$row));
?>

and myTemplate.php can be like

<?php foreach($account as $k=>$v) : ?>
  <?php echo $k; ?>: <?php echo $v; ?>
<?php endforeach; ?>
Ivan Zahariev
02-Apr-2008 09:09
It seems that the Magic constants (http://www.php.net/manual/en/language.constants.predefined.php) do NOT work in an eval()'ed code.

Probably because PHP substitutes these statically when it compiles the source code of your PHP script initially.

So the following will not work as expected:
<?php
function user_func1() {
    echo "User function name: ".__FUNCTION__."\n";
    eval('echo "in eval(): User function name: ".__FUNCTION__."\n";');
}
?>

Calling user_func1() will output:
  User function name: user_func1
  User function name:
Luke at chaoticlogic dot net
02-Apr-2008 08:26
I thought it was pertinent to demonstrate just how slow the eval() function is when compared to pre-parsed code, so I wrote this.

In my case, it took 54 seconds to execute the code 100,000,000 times through eval(), and only 4 seconds with pre-parsed code.
<?php
//establish a blank integer
$increment=0;

//establish the code to be executed
//one hundred million times
$code="\$increment++;";

//remember the time this test started
$started=time();

//execute $code one hundred million times
for ($i=0;$i<10000000;$i++) {
    eval($code);
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;

//tell the user this
print "Eval()ed code took $spent seconds to execute 100,000,000 times.\n";

//re-establish that same blank integer
$increment=0;

//remember the time this second test
//started
$started=time();

//execute the test again, with
//pre-parsed code
for ($i=0;$i<10000000;$i++) {
    $increment++;
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;

//tell the user this
print "Pre-parsed code took $spent seconds to execute 100,000,000 times.\n";
?>
I wish there was some way to parse code, store the pre-parsed binary in a variable, and then tell PHP to execute that variable as if it was part of the program.
Ipseno at yahoo dot com
25-Feb-2008 06:24
If you attempt to call a user defined function in eval() and .php files are obfuscated by Zend encoder, it will result in a fatal error.

Use a call_user_func() inside eval() to call your personal hand made functions.

This is user function
<?php

function square_it($nmb)
{
    return $nmb * $nmb;
}

?>

//Checking if eval sees it?
<?php

$code = var_export( function_exists('square_it') );

eval( $code );    //returns TRUE - so yes it does!

?>

This will result in a fatal error:
PHP Fatal error:  Call to undefined function square_it()
<?php

$code = 'echo square_it(55);' ;

eval( $code );

?>

This will work
<?php

$code = 'echo call_user_func(\'square_it\', 55);' ;

eval( $code );

?>
pierrotevrard at gmail dot com
03-Jul-2007 03:58
A wonderful world of eval() applications

You certainly know how to simulate an array as a constant using eval(), not ? See the code below:

<?php

if( ! defined('MY_ARRAY') )
{
  define( 'MY_ARRAY' , 'return ' . var_export( array( 1, 2, 3, 4, 5 ) , true ) . ';' );
}

?>

And far, far away in your code...

<?php

$my_array = eval( MY_ARRAY );

?>

But the grandeur of eval is when you use it to customize some method of a class :

<?php

if( ! class_exists( 'my_class' ) )
{
  class my_class
  {
    //private properties
    var $_prop;
    var $_custom_check = 'return true;'; //of course, I want a default check code that return true

    //PHP4 constructor
    function my_class()
    {
      $this -> _prop = eval( MY_ARRAY );
    }

    function customize_check( $code )
    {
      $this -> _custom_check = $code;
    }

    function check( $val )
    {
      return eval( $this -> _custom_check );
    }

  }
}

$my_class = new my_class();

$check = 'return in_array( $val , $this -> _prop , true );';
$my_class -> customize_check( $check );

print '<pre>';
if( $my_class -> check( 1 ) )
{
   echo '1 is checked as true.' . "\n";
}
else
{
   echo '1 is checked as false.' . "\n";
}
//show: 1 is checked as true.

if( $my_class -> check( '1' ) )
{
   echo '"1" is checked as true.' . "\n";
}
else
{
   echo '"1" is checked as false.' . "\n";
}
//show: "1" is checked as false.

print '</pre>';

?>

The application of eval() using properties of a class gives you so many possibilities...
Of course, combined with a safer eval code, will be better but if you use it only in your code ( for framework project by example ) that's not necessary...

Have fun.
udo dot schroeter at gmail dot com
26-May-2007 06:40
Safer Eval

eval() is used way too often. It slows down code, makes it harder to maintain and it creates security risks. However, sometimes, I found myself wishing I could allow some user-controlled scripting in my software, without giving access to dangerous functions.

That's what the following class does: it uses PHP's tokenizer to parse a script, compares every function call against a list of allowed functions. Only if the script is "clean", it gets eval'd.

<?php

  class SaferScript {
    var $source, $allowedCalls;

    function SaferScript($scriptText) {
      $this->source = $scriptText;
      $this->allowedCalls = array();
    }

    function allowHarmlessCalls() {
      $this->allowedCalls = explode(',',
        'explode,implode,date,time,round,trunc,rand,ceil,floor,srand,'.
        'strtolower,strtoupper,substr,stristr,strpos,print,print_r');
    }

    function parse() {
      $this->parseErrors = array();
      $tokens = token_get_all('<?'.'php '.$this->source.' ?'.'>');
      $vcall = '';

      foreach ($tokens as $token) {
        if (is_array($token)) {
          $id = $token[0];
          switch ($id) {
            case(T_VARIABLE): { $vcall .= 'v'; break; }
            // no break here: a T_STRING falls through to the allowed-call check
            case(T_STRING): { $vcall .= 's'; }
            case(T_REQUIRE_ONCE): case(T_REQUIRE): case(T_NEW): case(T_RETURN):
            case(T_BREAK): case(T_CATCH): case(T_CLONE): case(T_EXIT):
            case(T_PRINT): case(T_GLOBAL): case(T_ECHO): case(T_INCLUDE_ONCE):
            case(T_INCLUDE): case(T_EVAL): case(T_FUNCTION): {
              if (array_search($token[1], $this->allowedCalls) === false)
                $this->parseErrors[] = 'illegal call: '.$token[1];
            }
          }
        }
        else
          $vcall .= $token;
      }

      if (stristr($vcall, 'v(') != '')
        $this->parseErrors[] = array('illegal dynamic function call');

      return($this->parseErrors);
    }

    function execute($parameters = array()) {
      foreach ($parameters as $k => $v)
        $$k = $v;
      if (sizeof($this->parseErrors) == 0)
        eval($this->source);
      else
        print('cannot execute, script contains errors');
    }
  }
?>

Usage example:
<?php
  $ls = new SaferScript('horribleCode();');
  $ls->allowHarmlessCalls();
  print_r($ls->parse());
  $ls->execute();
?>

Of course it is not entirely safe, but it's a start ;-)
kai dot chan at kaisystems dot co dot uk
16-Mar-2007 11:06
Since JSON started becoming popular, I've started applying the same idea to PHP arrays. It's an alternative to using XML or CSV. For example:

<?php

$from_external_source = '( "a" => "1", "b" => array( "b1" => "2", "b2" => "3" ) )';

eval( '$external_source_as_array = array'.$from_external_source.';' );

if ( is_array( $external_source_as_array ) ) {

// now you can work with the external source as an array
print_r( $external_source_as_array );

}

?>
It can be less verbose than XML, but provide more meta data than CSV, and unlike CSV, data ordering is not an issue.

I used it when I wanted to store log data externally in a text file.

Kai
f dot boender at electricmonk dot nl
15-Jan-2007 08:39
Errors that occur in evaluated code are hard to catch. burninleo at gmx dot net posted some code below that will buffer the output of the evaluated code and search the output for errors. Another way you can do this would be using a custom error handler that's only in effect during the eval() of the code. A very (very) crude example:

<?php
$errors = array();
function error_hndl($errno, $errstr) {
    global $errors;
    $errors[] = array("errno"=>$errno, "errstr"=>$errstr);
}
function evale ($code) {
    global $errors;
    $errors = array();
    $orig_hndl = set_error_handler("error_hndl");
    eval($code);
    restore_error_handler();
}

evale('print("foo" . $bar);'); // Undefined variable: bar
var_dump($errors);

//fooarray(1) {
//  [0]=>
//  array(2) {
//    ["errno"]=>
//    int(8)
//    ["errstr"]=>
//    string(23) "Undefined variable: bar"
//  }
//}
?>

This will however not catch syntax errors in the code you're trying to eval. This can cause your script to stop with a fatal error inside the eval(). You can catch syntax errors using the Parsekit PECL extension. The parsekit_compile_string() function will try to compile a piece of PHP code and will catch syntax errors if they occur. To extend the earlier piece of code:

<?php
$errors = array();
function error_hndl($errno, $errstr) {
    global $errors;
    $errors[] = array("errno"=>$errno, "errstr"=>$errstr);
}
function evale ($code) {
    global $errors;
    $errors = array(); // Reset errors
    $orig_hndl = set_error_handler("error_hndl");
    if (parsekit_compile_string($code, &$errors, PARSEKIT_QUIET)) {
        eval($code);
    }
    restore_error_handler();
    if (count($errors) > 0) {
        return(false);
    } else {
        return(true);
    }
}

if (!evale('print("foo . $bar);')) { // syntax error, unexpected $end (no closing double quote)
    var_dump($errors);
}
?>

(NOTE: Please do not use the code above directly in your program. It's merely a proof-of-concept).
Dale Kern, Salt Lake City
10-Oct-2006 05:16
If you are trying to get eval()  to run a string as if it were from an include file, try this:

<?php eval("?>".$string); ?>

Eval starts in PHP Script mode, break into html mode first thing and you're done.
Nova912
21-Jul-2006 08:17
Well let me just start off by saying that eval(); confused the heck out of me until I read that you can use Return.

This will help anyone who wants to "Inject" code into an IF statement. My example is a survey site, some questions are required, some are only required if others are checked. So let me share with you my dynamic script and show you how I was able to make a Dynamic IF Statement.

The code below had been altered to be understandable.
<?php
$survey_number = 3; // The third survey. (Out of 10 Surveys)
$rq[3] = array(1,2,3,4,5,6,8,9,11,13,15,17,19,20); // Required Questions  for Survey 3 - Some of these can not be "NULL" (not NULL) or they will stop the script from going any further. (In my script I replaced any questions that were not answered with "NULL" using a for loop based on the number of questions in the survey)
$aa[3][4] = ' && '.$q[3].' == "1"'; // Added Arguments - 3 = Survey 3's Arguments, 4= Argument belongs to question 4, $q[1-20] (20 Questions total in this case.

//HERE IS THE DYNAMIC IF STATEMENT
$count = count($rq[$survey_number]);
    for ($i=0;$i< $count;$i++)
        {
        $if_statement = '$q['.$rq[$survey_number][$i].'] == "NULL"';
        if(isset($aa[$survey_number][$rq[$survey_number][$i]]))
            {
            $if_statement .= $aa[$survey_number][$rq[$survey_number][$i]];
            }
        if(eval("return ".$if_statement.";"))
            {
            echo $rq[$survey_number][$i].': Is NULL and IS NOT ok.<br>';
            }
        else
            {
            echo $rq[$survey_number][$i].': Is NULL and IS ok.<br>';
            }
        }
?>

In my experience with this the Added Argument needs to have an actual value implanted into the string, it did not work by just putting $q[3], i had to use '.$q[3].' to place the value of question 3 in the string.

I hope this helps someone, I spent so much time trying to figure this out and want to share how something this simple is done.

Thank you.
brettz9 a/- yah00 do/- com
05-Jul-2006 09:19
I was trying to build a multidimensional array to an unknown dimension (within a loop or "while") and found that eval is, as far as I can tell, the only simple way to solve the problem.

<?php
$arr = array(2,
             array("v", "q", 5,
                   array(5, 8, "g"),
                   "x"));
$i=3;
$key1 = "[1]";
$key2 = "[".$i."]"; // E.g., could build this conditionally within a loop
$key3 = "[2]";

$keys = $key1.$key2.$key3; // Can add as many keys as needed (could be done instead via a loop with repeated calls to .= )

print $arr{$keys}; // This does not work
print $arr[$keys]; // This also does not work

// However...
eval("\$value = \$arr{$keys};");
print $value; // Correctly prints "g"
?>
burninleo at gmx dot net
25-May-2006 12:51
The only way to retrieve information on parse errors in eval'd code seems to be the output buffering.

<?PHP
// Append a return true to php-code to check on errors
$code.= "\nreturn true;";
// Send any output to buffer
ob_start();
// Do eval()
$check = eval($code);
$output = ob_get_contents();
ob_end_clean();
// Send output or report errors
if ($check === true) {
  echo $output;
} else {
  // Manually parse output for errors and
  // generate usable information for the user
  // especially content of error-lines.
  $pattern = '/^\s*Parse error\s*:(.+) in (.+) on line (\d+)\s*$/m';
  // etc ...
}
?>
jkuckartz1984 at hotmail dot com
29-Jan-2006 12:01
Might you have to do eval in if statements, you will find it's quite some task to make it work.

The only way to make it work is to make a reference to the eval'd variable. This example will show the different usage of eval in if-statements. It simply becomes clear that an eval() in an if() is not working as you want to.

<?php
$total2=5;
$total3=0;
$i=2;
if (eval("\$total".$i.";")) {
    echo "eval: total2 is full<br>";
} else {
    echo "eval: total2 is empty<br>";
}
// returns "empty"
// eval without the ";" will generate a warning

$str="\$refer=&\$total".$i.";";
eval($str);
if ($refer) {
    echo "eval: total2 is full<br>";
} else {
    echo "eval: total2 is empty<br>";
}
// returns "full"
?>
Sarangan Thuraisingham
21-Jan-2006 01:47
The eval function can be misused for Cross Site Scripting(XSS) as well. Let's say we have this very trivial page that allows a user to enter a text and see it formatted using different styles. If the site designer was lazy and used eval function to come up with something like this:
<?php
$mytxt = $_GET["text"];
$strFormats = array( '<h1>$mytxt</h1>',
                     '<h2>$mytxt</h2>',
                     '<span class="style1">$mytxt</span>'); //so on

foreach ($strFormats as $style){
    eval("echo $style;");
}
?>
This page could be a target for XSS, because user input is not validated. So the hacker could enter any valid PHP commands and the site will execute it. Imagine what could happen if the injected script reads files like config.php and passed it to the hacker's site.

If the file permissions are not set correctly, the injected script could modify the current script. A form's action parameter can be set to a hacker's site or worse every transaction could be secretly posted to another website from within the server. Injected script could be something like this:
<?php
$filename=basename($_SERVER['PHP_SELF']);
$fp = fopen($filename, "a");
$str = echo "<!-- XSS Vulnerability-->"; // could be any PHP command
fwrite($fp, $str);
fclose($fp);
?>

The golden rule is don't trust the user. Always validate data from the client side.
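
Added example (not part of the note above): the same "show my text in several styles" page written without eval(), with the input length-limited, HTML-escaped and placed into fixed templates. render_styles() and MAX_TEXT_LEN are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example: hardened form of the style-preview page. The request
// value is treated as data only and never reaches eval().
// render_styles() and MAX_TEXT_LEN are hypothetical names.

define('MAX_TEXT_LEN', 200);

function render_styles($text)
{
    // Query parameters can arrive as arrays (?text[]=x); accept strings only.
    if (!is_string($text)) {
        $text = '';
    }
    $text = substr($text, 0, MAX_TEXT_LEN);

    // Escaping turns <, >, &, " and ' into entities, so the browser shows
    // the text instead of interpreting it as markup. ENT_SUBSTITUTE keeps
    // the call from returning an empty string if the cut above split a
    // multi-byte character.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Fixed templates: %s is the only placeholder, and sprintf() inserts
    // its argument as text without executing anything.
    $formats = array(
        '<h1>%s</h1>',
        '<h2>%s</h2>',
        '<span class="style1">%s</span>',
    );

    $out = '';
    foreach ($formats as $format) {
        $out .= sprintf($format, $safe) . "\n";
    }
    return $out;
}

// In the page itself the call would be:
//   echo render_styles(isset($_GET['text']) ? $_GET['text'] : '');

// Constructed sample input containing markup and PHP-looking text.
echo render_styles('<b>5 > 3</b>; echo "hi";');
?>
```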
jurgen at person dot be
18-Dec-2005 05:27
eval() is used to protect (read: hide) source code. A well known way to encrypt some php code is security through obscurity.  Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.

E.g.
<?php
eval(gzinflate(base64_decode('AjHRawIHG1ypUpudV.....')));
?>

However this can be decoded in this way:
<?php
    echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";

    echo "1. Reading coded.txt\n";
    $fp1      = fopen ("coded.txt", "r");
    $contents = fread ($fp1, filesize ("coded.txt"));
    fclose($fp1);

    echo "2. Decoding\n";
    while (preg_match("/eval\(gzinflate/",$contents)) {
        $contents=preg_replace("/<\?|\?>/", "", $contents);
        eval(preg_replace("/eval/", "\$contents=", $contents));
    }

    echo "3. Writing decoded.txt\n";
    $fp2 = fopen("decoded.txt","w");
    fwrite($fp2, trim($contents));
    fclose($fp2);
?>
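
Added example (not the author's script and not part of either note): the layered wrapper shown here and in the 12-Mar-2009 note can be peeled off by decoding the string literal directly, so the file being examined is never run through eval(). denest_static(), MAX_LAYERS and MAX_DECODED are hypothetical names, and the code assumes each layer is exactly eval(gzinflate(base64_decode('...'))) with a literal string argument.

```php
<?php
// Added example: remove nested eval(gzinflate(base64_decode('...')))
// layers by decoding the literal, without executing the sample.
// denest_static(), MAX_LAYERS and MAX_DECODED are hypothetical names.

define('MAX_LAYERS', 50);                // stop on runaway nesting
define('MAX_DECODED', 5 * 1024 * 1024);  // refuse oversized output (5 MiB)

// Returns array(decoded source, number of layers removed).
function denest_static($source)
{
    // Group 1 is the quote character, group 2 the base64 payload.
    $pattern = '/eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'
             . '([\'"])([A-Za-z0-9+\/=\s]+)\1\s*\)\s*\)\s*\)\s*;?/';
    $layers = 0;

    while ($layers < MAX_LAYERS && preg_match($pattern, $source, $m)) {
        // Strip line breaks inside the literal, then decode strictly so a
        // payload with foreign characters is rejected rather than guessed at.
        $raw = base64_decode(preg_replace('/\s+/', '', $m[2]), true);
        if ($raw === false) {
            break;
        }
        // gzinflate() returns false for corrupt data or when the output
        // would exceed the given maximum length.
        $inner = @gzinflate($raw, MAX_DECODED);
        if ($inner === false) {
            break;
        }
        // As in the notes' scripts, the decoded layer becomes the new text.
        $source = $inner;
        $layers++;
    }
    return array($source, $layers);
}

// Constructed sample: a harmless statement wrapped three times.
$sample = 'echo "hello";';
for ($n = 0; $n < 3; $n++) {
    $sample = "eval(gzinflate(base64_decode('"
            . base64_encode(gzdeflate($sample)) . "')));";
}

list($decoded, $layers) = denest_static($sample);
echo "layers removed: $layers\n";
echo "decoded source: $decoded\n";
?>
```

The loop stops at the first layer that does not match the assumed wrapper form, so whatever it returns at that point still needs to be read by hand.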
onlyphp
24-Nov-2005 02:59
To simulate the register_globals setting in php.ini, you must put it in the top of your php page:

<?php
function rg() {
  $ar = array($_POST, $_GET, $_SESSION, $_SERVER);
  foreach($ar as $ar_) {
    foreach($ar_ as $key => $value) {
      eval("\$" . $key . " = \"" . $value . "\";");
    }
  }
}
?>
matt at mattsoft dot net
10-Sep-2005 05:23
to load a php file to a variable then execute it, try this

<?php
$code=file_get_contents("file.php");
$code=str_replace('<'.'?php','<'.'?',$code);
$code='?'.'>'.trim($code).'<'.'?';
eval($code);
?>

using < ?php within eval does not work, but < ? does. in case there is html in the file loaded, the script doesn't remove the < ?php and ? >, but instead adds ? > and < ? around the code loaded from the file. it's simple and works very well. I also broke up the tags in the 3rd and 4th lines of code to keep from having problems if the lines are commented out.
sadi at unicornsoftbd dot com
03-Sep-2005 01:49
I'm going to give you my recent exploration about eval. I think you don't need all those complex functions using regex to work HTML in your code. whenever you call eval(), php thinks that it is within <? ?> tags. so all the problem rises. to solve the problem just close your php tag at first of the HTML string, then write the HTML string and then start the php tag.
this is something like:
<?php
$teststr="?><html><body>this is the test</body></html><?php";
eval($teststr);
?>

i think this will work for you. at least this worked for me. if you find any problem with this please reply
zcox522 at gmail dot com
17-Aug-2005 07:03
If you send headers after you call the eval() function, you may get this error:

PHP Error: (2) Cannot modify header information - headers already sent by (output started at something...)

In this case, surround your call to eval() with calls to some ob functions:

<?php
$eval = "some code you want to execute";

ob_start();
eval($eval);
ob_end_clean();
?>
admiral [at] nuclearpixel [dot] com
15-Aug-2005 08:02
This function will take any combination of HTML and (properly opened and closed)PHP that is given in a string, and return a value that is the HTML and the RESULT of that PHP code and return them both combined in the order that they were originally written.

I tried using both the eval_html(gave me carp about using 's and "s in the HTML) and html_eval2(gave me the results of the PHP first, then all of the HTML afterwards) posted by the other users on this function's notes, but for some reason, neither of them would really work the way I had understood that they would work,(or in the case of some of my code, work at all)

So I combined the best of what I saw in both, and created eval_html3

<?php

function my_eval($arr) {
    return ('echo stripslashes("'.addslashes($arr[0]).'");');
}

function eval_html3($string) {
    $string = '<?php ?>'.$string.'<?php ?>';
    $string = str_replace( '?>', '', str_replace( array( '<?php', '<?' ), '', preg_replace_callback( "/\?>(.*?)(<\?php|<\?)/", "my_eval", $string ) ) );
    return eval($string);
}

?>

Good luck!
jphansen at uga dot edu
08-Aug-2005 07:43
I used eval() to restore a user's session data. I stored $_SESSION to a field in a database as

<?php
addslashes(var_export($_SESSION, TRUE))
?>

To restore it, I executed this code:

<?php
eval("\$_SESSION = $session;");
// $session being the first line of code above
?>

Voila! Session restored.

Without eval(), $_SESSION = $session would have resulted in $_SESSION being a string instead of an array.
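
Added example, not part of the note above: the same save and restore done with json_encode() and json_decode(), which parse the stored field as data instead of executing it. The function names are hypothetical, and the sketch assumes the session holds only scalars and arrays.

```php
<?php
// Added example; session_to_field() and session_from_field() are hypothetical names.
function session_to_field(array $session)
{
    $json = json_encode($session);
    if ($json === false) {
        throw new RuntimeException('session data is not JSON-encodable');
    }
    return $json;   // store via a bound query parameter
}

function session_from_field($field)
{
    // Second argument true: JSON objects come back as associative arrays.
    $data = json_decode($field, true);
    // A damaged or tampered field decodes to null or a scalar. It is never
    // executed, so the worst case is an empty session.
    return is_array($data) ? $data : array();
}

// Constructed sample data standing in for $_SESSION and the database field.
$original = array('user' => 'alice', 'cart' => array(3, 7), 'admin' => false);
$field    = session_to_field($original);

var_dump(session_from_field($field) === $original);

// Constructed tampered field: valid PHP source, but not valid JSON.
var_dump(session_from_field("array ('user' => 'alice'); echo 'injected';"));
```

With the eval() approach the second field would be run as code; here it fails to decode and yields an empty array.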
the dank
29-Jul-2005 11:26
<?php
$foo1 = "the good,<br>";
$foo2 = "the bad,<br>";
$foo3 = "the ugly.";

for ($i=1; $i <=3; $i++)
{
     eval("\$_SESSION['myVar$i'] = \$foo".$i.";");
}

//use below to show what's in session:

echo "<h3>SESSION</h3>";
echo "<table border=1 width=50%>";
echo "<tr bgcolor=\"#3399FF\">";
echo "<td><b><font color=\"#FFFFFF\">Variable Name</font></b></td>";
echo "<td><b><font color=\"#FFFFFF\">Value</font></b></td></tr>";
while(list($key, $val) = each($_SESSION))
{
    echo "<tr><td>$key</td><td><b>$val</b></td></tr>";
}
echo "</table>";
die();

/*---------------------------------------------------------
Prints:
myVar1    the good,
myVar2    the bad,
myVar3    the ugly.
*/
?>
privat at timo-damm dot de
29-Jul-2005 08:03
Using the html_eval() some notes above I experienced problems related to *dirty* html. This function is less critical:

<?php
function html_eval2($string) {
  return preg_replace_callback("/<\?php(.*?)\?>/","my_eval",$string);
}

function my_eval($arr) {
  return eval($arr[1]);
}
?>

Timo
andrejkw
24-Jun-2005 12:50
To use eval output as a variable without the user seeing the output, use this:

<?php

ob_start();
eval("whatever you want");
$eval_buffer = ob_get_contents();
ob_end_clean();

echo $eval_buffer;

?>

Everything that eval produces will now be stored inside $eval_buffer.
Jesse
18-Jun-2005 08:25
A cool way to use eval is to convert strings into variable names.
This is a substitute for using arrays.
Look at this code:
<?php
for($a=1; $a<=5; $a++){
    eval("$"."variable".$a."=".$a.";");
}
?>
This will create variables called variable1, variable2, and so on, that are equal to 1, 2, and so on.
I recently used this to help a friend make a Flash game that sent variables like that to PHP.
1413 at blargh dot com
09-Jun-2005 07:58
Just a note when using eval and expecting return values - the eval()'ed string must do the returning.  Take the following example script:

<?php

function ReturnArray()
{
  return array("foo"=>1, "bar"=>2);
}

$test = eval("ReturnArray();");
print("Got back $test (".count($test).")\n");

$test = eval("return ReturnArray();");
print("Got back $test (".count($test).")\n");

?>

You will get back:

Got back  (0)
Got back Array (2)

This ran me afoul for a little bit, but is the way eval() is supposed to work (eval is evaluating a new PHP script).
jtraenkner
10-Apr-2005 04:11
Using eval inside loops is very slow, so try avoiding code like
<?php
for($i=0;$i<10;$i++) {
    eval('do_something();');
}
?>

If you absolutely have to, include the entire loop in eval:
<?php
eval('for($i=0;$i<10;$i++) {'.
    'do_something();'.
    '}');
?>
tom
29-Mar-2005 07:59
Eval can't be used as a callback function so if you want to use the eval function name dynamically use this simple work around:

<?php

if ($function_name == "eval")
{
 eval($stuff);
}
else
{
 $function_name($stuff);
}

?>
Ben Grabkowitz
27-Mar-2005 02:57
The eval function becomes incredibly useful when dealing with static class members and variables.

For instance:

Let's say you have 3 classes: Foo, BarA and BarB, where BarA and BarB are children of Foo.

Now let's also say that both BarA and BarB contain a static member function called getDataSource().

To call getDataSource() you would have to use the syntax:

<?php
BarA::getDataSource();
BarB::getDataSource();
?>

But let's say you need to access getDataSource() from inside class Foo during an instance of either BarA or BarB.

You can use eval to do something like this:

<?php
eval('$dataSource=' . get_class($this) . '::getDataSource();');
?>
francois at bonzon dot com
28-Feb-2005 03:20
An obvious security reminder, which I think wasn't yet mentioned here. Special care is required when variables entered by the user are passed to the eval() function. You should validate those user inputs, and really make sure they have the format you expect.

E.g., if you evaluate math expressions with something like

<?php
  eval("\$result = $equation;");
?>

without any check on the $equation variable, a bad user could enter in the $equation field

""; echo file_get_contents('/etc/passwd')

- or whatever PHP code he wants! - which would evaluate to

<?php
  $result = ""; echo file_get_contents('/etc/passwd');
?>

and seriously compromise your security!
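
One way to act on this advice is to skip eval() for math expressions and parse the arithmetic directly. The following is an added example, not code from the note above; calc() and the parse_*() helpers are hypothetical names, and only numbers, + - * / and parentheses are accepted.

```php
<?php
// Added example; calc() and the parse_*() helpers are hypothetical names.
function calc($expr) {
    if (strlen($expr) > 200) throw new InvalidArgumentException('too long');
    // Tokens are numbers, + - * / and parentheses; anything else is an error.
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('unexpected character');
    }
    $pos = 0;
    $value = parse_sum($m[0], $pos);
    if ($pos !== count($m[0])) throw new InvalidArgumentException('unexpected token');
    return $value;
}
function parse_sum(array $t, &$pos) {       // product (('+' | '-') product)*
    $v = parse_product($t, $pos);
    while ($pos < count($t) && ($t[$pos] === '+' || $t[$pos] === '-')) {
        $op = $t[$pos++];
        $r = parse_product($t, $pos);
        $v = ($op === '+') ? $v + $r : $v - $r;
    }
    return $v;
}
function parse_product(array $t, &$pos) {   // atom (('*' | '/') atom)*
    $v = parse_atom($t, $pos);
    while ($pos < count($t) && ($t[$pos] === '*' || $t[$pos] === '/')) {
        $op = $t[$pos++];
        $r = parse_atom($t, $pos);
        if ($op === '/' && $r == 0) throw new InvalidArgumentException('division by zero');
        $v = ($op === '*') ? $v * $r : $v / $r;
    }
    return $v;
}
function parse_atom(array $t, &$pos) {      // number | '-' atom | '(' sum ')'
    if ($pos >= count($t)) throw new InvalidArgumentException('unexpected end');
    $tok = $t[$pos++];
    if ($tok === '-') return -parse_atom($t, $pos);
    if ($tok === '(') {
        $v = parse_sum($t, $pos);
        if ($pos >= count($t) || $t[$pos++] !== ')') throw new InvalidArgumentException('missing )');
        return $v;
    }
    if (!is_numeric($tok)) throw new InvalidArgumentException('unexpected token');
    return $tok + 0;
}
// Constructed inputs: one valid expression and the string from the note above.
foreach (array('2 * (3 + 4) - 1', '""; echo file_get_contents(\'/etc/passwd\')') as $in) {
    try { echo calc($in), "\n"; }
    catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```

Because no input string ever reaches eval(), a malformed or hostile expression can only raise an exception; it cannot change which code runs.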
avenger at buynet dot com dot br
09-Feb-2005 04:52
This is a small code that uses 'eval' with a foreach (maybe 'for' loop), to fill variables. This is very useful in some hard situations:

<html><title>for loop</title><body><p align=center>
 <?php
  $thing = array("a","b","c");
  $a = "bah" ; $b = "bleh2"; $c = "bluh3";
  print("Vars b4: $a, $b, $c. ");
  foreach ($thing as $thingy ) {
   print("$thingy, ");
   eval("\$$thingy = \"$thingy\";");
  };
  print("vars aft: $a, $b, $c.");
 ?>
</p></body></html>
arnico at c4 dot lv
21-Dec-2004 11:28
Dynamically loading php pages!
In michael's example (02-Sep-2004 05:16) there is one big problem. Try to load a PHP page with this content:
-----------------------
<?php

$a = 1;

if($a == 1){

?>
<br />ir?<br />
<?php

}

?>
------------------------

Oops? :) Maybe an easier way is to do something like this? Please comment:
<?php

function eval_html($string) {
   $string = preg_replace("/\?>(.*?)(<\?php|<\?)/si", "echo \"\\1\";",$string);
   $string = str_replace("<?php", "", $string);
   $string = str_replace("?>", "", $string);
   return eval($string);
}

$filename = "page.php";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);

echo eval_html($contents);

?>

The HTML source will be replaced with echo, and the problem is gone :) Or are there other problems? Please comment.

P.S. sorry about my bad English
mahaixing at hotmail dot com
09-Oct-2004 03:49
When using the Dynamic Proxy design pattern we must create a class automatically. Here is some sample code.

<?php
$clazz = "class SomeClass { var \$value = 'somevalue'; function show() { echo get_class(\$this);}}";

eval($clazz);

$instance = new SomeClass;

// Here output 'somevalue';
echo $instance->value;

echo "<br>";

//Here output 'someclass'
$instance->show();
?>
evildictaitor at hotmail dot com
15-Aug-2004 08:00
Be careful when using eval() on heavy usage sites in PHP 4.0+ as it takes vastly longer to activate due to the limitations of the Zend engine.

The Zend engine changes the PHP to a binary structure at the START of the file, and then parses it. Every time an eval is called, however, it has to reactivate the parsing procedure and convert the eval()'d code into usable binary format again.

Basically, if you eval() code, it takes as long as calling a new php page with the same code inside.
12-Jul-2004 04:37
Keep the following quote in mind:

If eval() is the answer, you're almost certainly asking the
wrong question. -- Rasmus Lerdorf, BDFL of PHP
