-1

I have a list of variables (var1, var2, ...). Now I'd like to check these variables using several conditions and print out an error message if the condition is true.

As there are many "checks" that should be done I saved the "conditions" in a MySQL-DB (varchar):

condition               errormsg
--------------------------------------------------------
$var1!=1 && $var1!=2    var1 should be 1 or 2
$var1==''               var1 is missing
$var3<0 & $var3>10      var3 should be between 0 and 10

Now I'd like to check these variables using the eval-Function:

$res=mysqli_query($con, "SELECT * FROM conditions");

while($row=mysqli_fetch_object($res)){
 if(eval($row->condition))
  echo $row->errormsg;
}

Can this work or is there a better solution without eval()? Thank you for your help!

D. Studer
  • *"Can this work or is there a better solution without `eval()`?"* -- there always is a better alternative to `eval()`, but it requires writing a lot more code (or maybe there already is a package for that). If you control the conditions **and** filter the values they use then `eval()` could be harmless. Btw, `$var3<0 & $var3>10` should be `$var3<0 && $var3>10`. – axiac Aug 19 '17 at 18:50
  • I understand there are many conditions but I don't understand why putting them in the DB is less tedious than writing them in the code directly – inarilo Aug 19 '17 at 19:12
  • Thank you for your correction. I already corrected it. And which one would be a better alternative? – D. Studer Aug 19 '17 at 19:13
  • @inarilo : The reason is that there are error messages in different languages which are also stored in the database. – D. Studer Aug 19 '17 at 19:14
  • If you put the conditions in the database you'll end up having different conditions for each language. Let the conditions stay in the code. Write one function for each condition. The function receives as arguments the variables it uses, evaluates the condition and returns a code. One code for success and many codes for error (in fact, each function returns a different error code). Let the error messages be identified by these codes and store them in files, not in the database. – axiac Aug 19 '17 at 19:18
  • ok. btw your first condition should have !=2 and second should use == – inarilo Aug 19 '17 at 19:19
  • @axiac You wrote: "If you put the conditions in the database you'll end up having different conditions for each language"? Why this? I have every language in a separate column so that all error messages concerning the same condition are in the same row. – D. Studer Aug 19 '17 at 19:38
  • You are right. I thought you have different rows for each language. – axiac Aug 19 '17 at 19:47

3 Answers

1

Many people suggest finding an alternative to this. But if you really need this, you can do it this way. I don't have your data, so I have made this in my own way:

<?php
    $condition = "1!=1";
    //$condition = "1==1";
    $error = "test";
    eval("\$con = $condition ;");
    if ($con) {
        echo $error;
    } else {
        echo "not found";
    }
?>

Uncomment the second line to get another change. Just keep in mind that the statement should be complete in the eval function.

Live demo : https://eval.in/847626

Pay special attention not to pass any user provided data into it without properly validating it beforehand.

Niklesh Raut
  • 1
    Thank you, this helped me! Even though eval() might not be a good idea regarding security, in my case there is a limited number of users having access to the website and the conditions-table is not accessible to them either. – D. Studer Aug 19 '17 at 19:41
0

The common solution for your problem is to write validation functions for the variables. Such a function receives a variable as an argument, checks its value and returns either success or an error code. Then the calling code uses the error code to look up the error message in the list of localized strings for the current language.

It could be like below:

The validation functions

function var1_is_valid($var1)
{
    if ($var1 == 1 || $var1 == 2) {
        return 'SUCCESS';
    } else {
        return 'ERR_VAR1_INVALID';
    }
}

function var1_is_present($var1)
{
    if ($var1 != '') {
        return 'SUCCESS';
    } else {
        return 'ERR_VAR1_MISSING';
    }
}

function var3_is_valid($var3)
{
    if (0 <= $var3 && $var3 <= 10) {
        return 'SUCCESS';
    } else {
        return 'ERR_VAR3_INVALID';
    }
}

The language file(s)

// Use the strings returned by the validation functions as keys in the array
$lang = array(
    'ERR_VAR1_INVALID' => 'var1 should be 1 or 2',
    'ERR_VAR1_MISSING' => 'var1 is missing',
    'ERR_VAR3_INVALID' => 'var3 should be between 0 and 10',
);

Even better, you can combine the functions var1_is_valid() and var1_is_present() into a single validation function for $var1 that returns either 'SUCCESS' or the appropriate error string.

All the error messages for a language stay in a single language file that is loaded on each request. It works faster than querying the database for the error messages.

Another language means another file with strings identified by the same keys. You won't use two languages at the same time. At most, you load the language that is completely implemented before loading the language requested by the user, in order to have a value for each string (a message in the wrong language is still better than nothing).

axiac
  • Thank you very much for your effort! Seems very logical (although not very elegant). How would you call those (let's say 200) validation functions then? var1_is_valid(); var1_is_present(); etc.? – D. Studer Aug 19 '17 at 19:55
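
One way to keep the checks data-driven without eval(), as an added example that is not part of any answer on this page: each row names an operator from a fixed allow-list instead of carrying PHP source, so nothing stored in the table is ever executed. The rule layout (field, op, args, error), the operator names and the function names are assumptions; the error codes and messages are the ones used in the answer above, and inputs are assumed to be scalar strings as they arrive from a form.

```php
<?php
// The only code that ever runs lives here; rows can merely select from it.
function operators(): array
{
    return [
        'required' => fn($v, array $a): bool => $v !== null && $v !== '',
        'in'       => fn($v, array $a): bool =>
            in_array((string) $v, array_map('strval', $a), true),
        'between'  => fn($v, array $a): bool =>
            is_numeric($v) && $v >= $a[0] && $v <= $a[1],
    ];
}

// Returns the error code of every rule that the input violates.
function validate(array $input, array $rules): array
{
    $ops = operators();
    $errors = [];
    foreach ($rules as $rule) {
        if (!isset($ops[$rule['op']])) {
            // Fail closed: an unknown operator is a configuration error,
            // never something to interpret as code.
            throw new InvalidArgumentException('Unknown operator: ' . $rule['op']);
        }
        $value = $input[$rule['field']] ?? null;
        if (!$ops[$rule['op']]($value, $rule['args'])) {
            $errors[] = $rule['error'];
        }
    }
    return $errors;
}

// Constructed sample rows, shaped like a hypothetical rules table
// (args would be stored as JSON and decoded after fetching).
$rules = [
    ['field' => 'var1', 'op' => 'required', 'args' => [],      'error' => 'ERR_VAR1_MISSING'],
    ['field' => 'var1', 'op' => 'in',       'args' => [1, 2],  'error' => 'ERR_VAR1_INVALID'],
    ['field' => 'var3', 'op' => 'between',  'args' => [0, 10], 'error' => 'ERR_VAR3_INVALID'],
];

// One language file (or one message column per language), keyed by error code.
$lang = [
    'ERR_VAR1_MISSING' => 'var1 is missing',
    'ERR_VAR1_INVALID' => 'var1 should be 1 or 2',
    'ERR_VAR3_INVALID' => 'var3 should be between 0 and 10',
];

// Constructed input: var1 is outside the allowed set, var3 is out of range.
foreach (validate(['var1' => '3', 'var3' => '42'], $rules) as $code) {
    echo $lang[$code], "\n";
}
```

Adding a new kind of check means adding one operator in code; adding the two-hundredth rule means adding one row, and a tampered row can at worst select a different allow-listed operator.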
-1

You can use a pseudo-switch, eliminating the need for a db and eval(). Minimalistic example:

$var = 1;
switch(true){
    case ($var == 1):
        echo "1\n";
    case ($var != 2):
        echo "2\n";
}
rndus2r
  • The reason I'm using a database is that there are really many "conditions" that should be checked and the error messages are in different languages as well, so it would get confusing if I write everything in the php-file. – D. Studer Aug 19 '17 at 19:10
  • Storing your code in a database is a really bad approach, see this: https://stackoverflow.com/questions/41406/how-do-i-execute-php-that-is-stored-in-a-mysql-database Considering your "language" problem, get to know the MVC concept, e.g. separate your error codes from the code. – rndus2r Aug 19 '17 at 19:14