Question about eval in PHP 5

Question

I have been doing PHP stuff for almost one year and I have never used the function eval() though I know the usage of it. But I found many questions about it in SO.So can someone show me a simple example in which it's necessary to use eval()?And is it a good or bad practice?

score 10 · Answer 1 · answered Mar 20 '10 at 12:27

10

eval() is necessary to implement a "compiling" template engine, like Smarty, that uses its own language and compiles it down to php on the fly. The main function of such engines is usually something like

 function render_template($path) {
    $code = file_get_contents($path);
    $php = $this->compile_to_php($code);
    eval($php);
 }

Besides that, everytime you use "include" or "require", you're actually using "eval" under the hood - so, actually, eval is one of the mostly used php constructs.

answered Mar 20 '10 at 12:27

user187291

53,363
19
95
127

But it seems to be bad practice if used in our own codes,is it?:) – Young Mar 20 '10 at 13:00
6

Well, I think 99% of people talking about "bad practices" are not able to explain the reasons. They just repeat nonsense they've heard from others. – user187291 Mar 20 '10 at 14:00
Still it's not "necessary", there are other ways to implement it if you want. And to turn "bad practice" into a circular argument: If 99% of the people can't explain the reasons isn't it a safe bet that almost the same amount of people can't decide when (and how) it's safe to use eval() and should stay away from it? – VolkerK Mar 20 '10 at 14:41
+1 for '"bad practices" are not able to explain the reasons. They just repeat nonsense they've heard from others.'. – Jacco Mar 20 '10 at 20:24
+1 for demystification of meaningless phrase "bad practises" - any time when you call `require` or `include` you have actually used eval() under the hood. – Miloš Đakonović Nov 20 '12 at 10:14

score 6 · Accepted Answer · answered Mar 20 '10 at 11:51

Using eval() is a bad practice, and if it turns out to be necessary to achieve something, that is usually the sign of a underlying design error.

I can't think of any situation where it is necessary to use eval(). (i.e. something can't be achieved using other language constructs, or by fixing a broken design.) Interested to see whether any genuine cases come up here where eval actually is necessary or the alternative would be horribly complex.

The only instance of where it could be necessary is for executing code coming from an external source (e.g. database records.) But this is a design error in itself IMO.

Expression parsing, for one. Although rare, I've had to do this some times. Of course, it complex and full expressions, not routine math with at most round bracket support. That said, the usual precautions on eval always apply: they're slow (fixed with caching results), possibly unnecessary (not in my case) and a security issues (the relevant code is, however, run by the sysadmins themselves, thus not an issue). — Christian, Jul 13 '10 at 00:12

score 4 · Answer 3 · answered Mar 20 '10 at 11:52

4

Bad application design is always such an example.

answered Mar 20 '10 at 11:52

Your Common Sense

156,878
40
214
345

score 4 · Answer 4 · answered Mar 20 '10 at 12:07

Well I have used eval once. This was for a system, where the users could enter formulas using constants fished from the underlying system.

A string like:

(N * (G - 2,7)) / E

was taken and the constants replaced with values from the system eval is then used to get a value. eval seemed like the easiest way to go. The statement was filtered to only allow operators and uppercase letters(no two next to each other) so perhaps this is not a "real" use case of eval, but it works and is pretty readable.

That said the system in questing is huge (200k+ lines) and this is the only place that eval is used.

score 3 · Answer 5 · answered Mar 26 '10 at 01:54

A command line php shell is a great example. I guess you could fork the actual php code and write your shell extensions in C instead, but it seems much more sensible to do it in php. Since the person providing the code should already have full access to the system, there's no security issue at all. Once you get php compiled with readline, this sort of thing is actually really useful.

Drupal (optionally) uses eval to allow for ready extensibility. To accomplish this it takes user (generally administrator-only) input of code to be evaluated and stores it in the database. Drupal also has lots of people making sure that there are no security holes.

realmag777 · Answer 6 · 2014-10-09T12:53:29.410

Eval useful for example in such case, as register widgets in cycle in wordpress while creating custom theme:

class PluginusNetWPTF_Widget extends PluginusNetWPTF_Core {

    public static $widgets = array(
        'PLUGINUSNET_RECENT_POSTS_WIDGET' => array(
            'description' => 'Recent posts of selected category',
            'creation' => 'PluginusNet Recent Posts',
            'fields' => array('title' => 'Recent Posts', 'category' => '', 'post_number' => 3, 'show_thumbnail' => 1, 'show_exerpt' => 0),
            'view' => 'recent_posts',
            'form' => 'recent_posts_form'
        ),
            //'PLUGINUSNET_RECENT_POSTS_WIDGET2' => array(),
    );

    public static function register_widgets() {
        foreach (self::$widgets as $widget_class_name => $widget_data) {
            $code = '

class '.$widget_class_name.' extends WP_Widget {

    //Widget Setup
    function __construct() {
        //Basic settings
        $settings = array("classname" => __CLASS__, "description" => __(PluginusNetWPTF_Widget::$widgets[__CLASS__]["description"], PLUGINUSNET_THEME_NAME));

        //Creation
        $this->WP_Widget(__CLASS__, __(PluginusNetWPTF_Widget::$widgets[__CLASS__]["creation"], PLUGINUSNET_THEME_NAME), $settings);
    }

    //Widget view
    function widget($args, $instance) {
        $args["instance"] = $instance;
        echo PluginusNetWPTF_Widget::draw_html("widget/" . PluginusNetWPTF_Widget::$widgets[__CLASS__]["view"], $args);
    }

    //Update widget
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        if (!empty(PluginusNetWPTF_Widget::$widgets[__CLASS__]["fields"])) {
            foreach (PluginusNetWPTF_Widget::$widgets[__CLASS__]["fields"] as $key => $value) {
                $instance[$key] = $new_instance[$key];
            }
        }

        return $instance;
    }

    //Widget form
    function form($instance) {
        //Defaults
        $defaults = PluginusNetWPTF_Widget::$widgets[__CLASS__]["fields"];
        $instance = wp_parse_args((array) $instance, $defaults);
        $args = array();
        $args["instance"] = $instance;
        $args["widget"] = $this;
        echo PluginusNetWPTF_Widget::draw_html("widget/" . PluginusNetWPTF_Widget::$widgets[__CLASS__]["form"], $args);
    }

}

';
            eval($code);
            register_widget($widget_class_name);
        }
    }

}

score 2 · Answer 7 · answered Mar 20 '10 at 12:31

2

Using eval is quite dangerous, if see from security side. Anyway, a lot of template engines use eval, because they should parse page and get some variables or make calculations.

answered Mar 20 '10 at 12:31

kubum

469
2
13

Question about eval in PHP 5

7 Answers7

Linked