PHP Eval That Evaluates HTML & PHP

How to use eval() for php code stored in DB?

Presuming you know how dodgy using eval is...

As long as SITE_URL is defined, it would be fine. Then you would do something like:

<?php
define('SITE_URL', 'http://example.com');

$str = '<p class="card mb-4 shadow-sm"><img src="<?php echo SITE_URL; ?>/assets/images/blog/php.png" alt="php" title="php"></p>';

echo eval('?>'.$str);

https://3v4l.org/EEB54


An alternative to using eval, is to use a template and replace the placeholders with the values you define.

<?php
define('SITE_URL', 'http://example.com');

$vars = [
'SITE_URL' => SITE_URL
];

$template = '<p class="card mb-4 shadow-sm"><img src="{{ SITE_URL }}/assets/images/blog/php.png" alt="php" title="php"></p>';

// match any single word with _ or -, with spaces either side or not
// e.g: {{key}} or {{ key }} or {{key-foo}} or {{ key-foo }}
// not {{ a b c }}
$str = preg_replace_callback("/{{[ ]{0,}([\w\_-]{1,})[ ]{0,}}}/", function ($match) use ($vars) {
return array_key_exists($match[1], $vars) ? $vars[$match[1]] : '';
}, $template);

echo $str;

https://3v4l.org/cUK5B

Or look into using a template engine if you need more features.

PHP: using the eval function with HTML and PHP code

eval = evil!

Especially if the eval'd code comes from a db... one mysql injection = full php execution = full control.

Rather use some placeholders and replace them (like any other good templating system does).

You could store this in your database:

<h1 class="widgetHeader">My Friends</h1>
<div class="widgetRepeater">
<p class="widgetHeader">Random Selection</p>
{%friendstemplate%}
</div>

Then str_replace the placeholders with the content they should have. In your example I would also add a subtemplate per friend like this:

<span class="friendImage" style="text-align:center;">
{%username%}
</span>

... which you could loop and insert into {%friendstemplate%}.
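A worked version of the placeholder approach this answer describes, added here as an example (not code from the answer): the two templates are kept as strings, {%username%} is filled once per friend, the joined result is dropped into {%friendstemplate%}, and every substituted value is HTML-escaped so that data from the database or from users cannot inject markup. The function name renderTemplate and the sample friend names are assumptions.

```php
<?php
// Added example (not from the answer above): placeholder substitution instead of eval().
// Template text would normally be loaded from the database; here it is inline.
$pageTemplate = <<<'HTML'
<h1 class="widgetHeader">My Friends</h1>
<div class="widgetRepeater">
<p class="widgetHeader">Random Selection</p>
{%friendstemplate%}
</div>
HTML;

$friendTemplate = <<<'HTML'
<span class="friendImage" style="text-align:center;">
{%username%}
</span>
HTML;

// Replace every {%name%} placeholder with the matching value. Values are
// HTML-escaped by default, so user-supplied data such as a username cannot
// inject markup; pass $escape = false only for already-rendered, trusted HTML.
function renderTemplate(string $template, array $vars, bool $escape = true): string
{
    return preg_replace_callback('/\{%(\w+)%\}/', function (array $m) use ($vars, $escape): string {
        if (!array_key_exists($m[1], $vars)) {
            return ''; // unknown placeholder: drop it rather than leave it in the output
        }
        $value = (string) $vars[$m[1]];
        return $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value;
    }, $template);
}

// Constructed sample data; the second name shows why escaping matters.
$friends = ['alice', '<script>alert(1)</script>'];

// Render one sub-template per friend, then insert the joined result into the
// page template without escaping it again (it is already escaped markup).
$friendsHtml = implode("\n", array_map(
    fn(string $name): string => renderTemplate($friendTemplate, ['username' => $name]),
    $friends
));

echo renderTemplate($pageTemplate, ['friendstemplate' => $friendsHtml], false);
```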

Evaluate string as condition PHP

Well, executing arbitrary strings as code has the caveat that you're executing arbitrary code whichever way you do it. There's no better alternative to eval that would let you execute PHP code without… executing PHP code.

The sane way to go here is to define a DSL which gives your users a way to write certain limited expressions which are not PHP code, which you will parse and evaluate with specific limited capabilities.

A good library which does that is Symfony's ExpressionLanguage component. Beyond that you'd go into the domain of language parsers.

Eval in replacing and resolving variables inside a PHP string

In the first case $DATA inside $html is evaluated during the eval(), and at this point $DATA is defined (because it is defined before eval()).

In the second case, $DATA is interpolated on this line $html = '<html><body>$DATA</body></html>'; and at this point $DATA is undefined.

$DATA = "<h1>Hi</h1>";
$html = "<html><body>$DATA</body></html>";

The code above works because $DATA is defined before the evaluation.

As @NigelRen pointed out, in the second case the string uses single quotes, and variables won't be interpolated inside single-quoted strings.

PHP: Equivalent of include using eval

After some more research I found out what was wrong myself. The problem is in the fact that <?php is a "short opening tag" and so will only work if short_open_tag is set to 1 (in php.ini or something to the same effect). The correct full tag is <?php, which has a space after the second p.

As such the proper equivalent of the include is:

eval('?>' . file_get_contents('external.php') . '<?php ');

Alternatively, you can leave the opening tag out altogether (as noted in the comments below):

eval('?>' . file_get_contents('external.php'));

My original solution was to add a semicolon, which also works, but looks a lot less clean if you ask me:

eval('?>' . file_get_contents('external.php') . '<?php;');

Using PHP eval() in if statement

As indicated in another answer, eval() returns null in the absence of a return value. However, what you're actually looking for is a callback:

Somewhere in your code:

// The functions take the values they compare as parameters: a named function
// cannot see the caller's local variables, unlike a string passed to eval().
function showUnlisted($price, $car, $priceFrom, $priceTo) {
return !$price || $car["sale_price"] == 0 || ($priceFrom <= $car["sale_price"] && $priceTo >= $car["sale_price"]);
}

function dontShowUnlisted($price, $car, $priceFrom, $priceTo) {
return !$price || ($priceFrom <= $car["sale_price"] && $priceTo >= $car["sale_price"]);
}

Then, where you need to decide between these functions:

if ($showUnlisted) {
$appropriateFunction = 'showUnlisted';
} else {
$appropriateFunction = 'dontShowUnlisted';
}

// Pass the variables explicitly; call_user_func forwards them to the chosen function.
if (call_user_func($appropriateFunction, $price, $car, $priceFrom, $priceTo)) {
//do stuff
}

This prevents you from falling prey to the evils of eval, lets you test those functions, utilize IDEs more effectively, and predict the outcome better. Passing functions as objects is a useful thing, and while awkward in PHP, a common practice in more modern languages (Scala, C#, etc.).
