If I had PHP code in the database, could I "include" that somehow in PHP and execute it? Well, sure I could write out a file with that content and just include that file, but maybe PHP has got something similar to eval() of JavaScript?
Question which actually takes 2 secs to find the answer on google. Did people really get that lazy – LukeP Jan 10 '10 at 19:38
So you have the answer and didn't post it? Who is lazy? Many times a Google search turns up StackOverflow with the answer. I wonder how the answer got there... – defines Jan 10 '10 at 19:48
@Dustin: I googled for php eval and got php manual page before I posted there were 4 answers on here already. – LukeP Jan 10 '10 at 20:11
That's Stack Overflow for ya... :) – Pekka Jan 10 '10 at 21:04
I prefer SO over google, for sure. Don't want to read irrelevant matches for every little problem. Causes frustration. Frustration causes less concentration. Less concentration causes more bugs. More bugs cause more frustration. At the end it can really kill you. So it's just better to ask humans, not machines. As long as 90% of my google-attempts fail (I'm really bad at finding appropriate keywords), I prefer asking. Asking is efficient and leads to relevant answers, and for those who love to google, I help a lot through asking. If no one asks, there's no answer for those who search ;-) – openfrog Jan 11 '10 at 15:33
6 Answers
Yes, PHP has eval() too, but it is regarded as very bad practice to use it.
This question discusses the major points well, without condemning it totally.
Most often, if eval() comes up, it is worth taking a hard look at the program you're building: There is probably a better way to do it. For example, if you want to fill data values into HTML code that is stored in a database, a templating engine of some sort might be a better idea.
Yes. @OP, don't miss Roland Bouman's answer below, warning that your other proposed solution has all the same problems as 'eval()'. – grossvogel Jan 10 '10 at 20:52
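The templating approach suggested in the answer above, as an added example (not code from the original answers): the stored text is treated as data and only whitelisted placeholders are filled in, so PHP inside a database row is never executed. The function name render_template, the {{name}} placeholder syntax and the sample rows are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Render a template string loaded from the database as data, never as code.
 * Only {{name}} placeholders listed in $allowed are substituted, and every
 * substituted value is HTML-escaped. The rest of the stored text is copied
 * to the output unchanged; nothing is passed to eval() or include.
 */
function render_template(string $template, array $values, array $allowed): string
{
    $out = preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        function (array $m) use ($values, $allowed): string {
            $name = $m[1];
            if (!in_array($name, $allowed, true) || !array_key_exists($name, $values)) {
                return ''; // unknown or non-whitelisted placeholder: emit nothing
            }
            return htmlspecialchars((string) $values[$name], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('Template rendering failed: ' . preg_last_error_msg());
    }
    return $out;
}

// Constructed sample rows standing in for what a database query would return.
$rows = [
    'greeting' => '<p>Hello, {{user_name}}! You have {{count}} new messages.</p>',
    // A row that someone modified to contain PHP. With eval() or include this
    // would run on the server; here it is only text in the output.
    'tampered' => '<p>{{user_name}}</p><?php echo "ran"; ?>',
];
$values  = ['user_name' => '<b>Ann</b>', 'count' => 3, 'secret' => 'not exposed'];
$allowed = ['user_name', 'count'];

foreach ($rows as $id => $tpl) {
    echo $id, ': ', render_template($tpl, $values, $allowed), PHP_EOL;
}
```

A modified row can still change the markup that is sent to browsers, so write access to the template table stays restricted; what this removes is server-side execution of the stored content.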
Note that not using eval() but writing out a file from the db and including that will have exactly the same security risk though... The point is not so much to eval() or not to eval(); the problem is: what if someone hacks into your database, and has the ability to modify the PHP code? They'd be capable of having your server run their PHP script, and do whatever they like.

You can evaluate some code using the eval function -- but it's generally considered bad practice, and a bit dangerous, to use it.
(Well, actually, it's the same function name as in JavaScript ;-) -- and it's bad practice in both languages -- what a coincidence; or not)
Another solution that is sometimes used is to:
- have your PHP code in a database
- fetch it sometimes (not every time) and store it to a file, used as a caching mechanism
- include that file -- which will be executed
I've seen some pretty old CMS work this way, for instance... But note they were mostly using files as cache (to not make too many requests to the DB) -- even if it worked quite well.

What about using a file cache? You can always store PHP code temporarily in a file and include it. Simple logic with file generation, storing in cache, including the correct file and refreshing old files (md5 checksum + file cache made timestamp + modification timestamp). Then just compare both timestamps to know if a cache update is needed.
