Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)
(PHP 4, PHP 5)
eval — Wertet eine Zeichenkette als PHP-Code aus
Wertet die in code_str enthaltene Zeichenkette als PHP-Code aus. Abgesehen von anderen Zwecken kann dies nützlich sein, um Code für eine spätere Ausführung im Textfeld einer Datenbank zu speichern.
Beim Gebrauch von eval() gilt es einige Faktoren zu beachten. Die übergebene Zeichenkette muss gültigen PHP-Code enthalten, einschließlich solcher Dinge wie Anweisungen mit einem Semikolon abzuschließen, damit der Parser nicht in der Zeile nach dem eval() abbricht, und des richtigen Setzens des Escape-Zeichens in code_str. Um HTML-Ausgabe und PHP-Code zu mischen, können Sie zum Verlassen des PHP-Codes das schließende PHP-Tag verwenden.
Beachten Sie, dass die innerhalb von eval() vorgenommenen Variablen-Zuweisungen nach Abarbeitung auch im Hauptskript ihre Gültigkeit behalten.
Die Code-Zeichenkette, die ausgewertet werden soll. code_str muss keine öffnenden PHP-Tags enthalten.
Eine return-Anweisung beendet die Auswertung der Zeichenkette sofort.
eval() gibt NULL zurück, außer wenn im ausgewerteten Code return aufgerufen wird, dann aber wird der an return übergebene Wert zurückgegeben. Falls im ausgewerteten Code ein Parse Error auftritt, gibt eval() FALSE zurück und der weitere Code wird normal ausgeführt. Es ist in eval() nicht möglich, einen Parse Error mittels set_error_handler() abzufangen.
Beispiel #1 eval() Beispiel (einfache Texteinfügung)
<?php
$string = 'Bierglas';
$name = 'Binding-Lager';
$str = 'Das ist mein $string, voll mit $name.';
echo $str . "\n";
eval ("\$str = \"$str\";");
echo $str . "\n";
?>
Das oben gezeigte Beispiel erzeugt folgende Ausgabe:
Das ist mein $string, voll mit $name. Das ist mein Bierglas, voll mit Binding-Lager.
Hinweis: Da dies ein Sprachkonstrukt und keine Funktion ist, können Sie dieses nicht mit Variablenfunktionen verwenden.
Bei allem, dessen Ergebnisausgabe direkt im Browser angezeigt wird, können Sie die Funktionen zur Ausgabesteuerung verwenden. Damit lässt sich die Ausgabe dieser Funktion erfassen, und - zum Beispiel - in einem string speichern.
Hinweis:
Im Fall eines schweren Fehlers im augewerteten Code wird das komplette Skript beendet.
When using the eval() function like
eval('?>' . $data['content'] . '<?');
Please be sure to check that the short_open_tag is on in php.ini. Otherwise it will append the opening tag to the string.
If you are using eval function like
eval('?>' . $data['content'] . '<?php'); and you have short_open_tag on there will be parse error. So if it is required to use function like this turn off short_open_tags.
Also it is advisable to put a space after <?php to avoid any accidental error.
An alternative to using eval to mimic include - is to just use include on an in-memory stream. This allows a user-cooked class to pretend it is a stream, so methods which expect a stream or URL will be happy (like include)
i) register a global variable stream wrapper using stream_wrapper_register(). (search the man page for "Example class registered as stream wrapper")
ii) use file_get_contents (or db read or...) to read your php script into a global variable.
eg
$GLOBALS['yourvar']=file_get_contents('somefile.php');
iii) call include with the URL you registered. Using the example wrapper above:
include 'var://yourvar';
Easy as. Not a magic regexp in sight! Enjoy.
To catch a parse error in eval()'ed code with a custom error handler, use error_get_last() (PHP >= 5.2.0).
<?php
$return = eval( 'parse error' );
if ( $return === false && ( $error = error_get_last() ) ) {
myErrorHandler( $error['type'], $error['message'], $error['file'], $error['line'], null );
// Since the "execution of the following code continues normally", as stated in the manual,
// we still have to exit explicitly in case of an error
exit;
}
?>
Please note that using
eval( 'return TRUE;?>' . $sPhpCode );
is not safe to check if syntax is correct... as this will procuce a fatal error (uncatchable)....
eval( 'return TRUE;?><?php empty( function($var) ); ?>' );
using empty() on a non-pure variable will produce a
compilation error!
The following code
<?php
eval( '?> foo <?php' );
?>
does not throw any error, but prints the opening tag.
Adding a space after the open tag fixes it:
<?php
eval( '?> foo <?php ' );
?>
Please note that when you do something like this:
<?php
eval('?>' . $code . '<?');
?>
You must end it with '<?' because the following will give you a parse error:
<?php
eval('?>' . $code . '<?php');
?>
Somehow eval() only likes PHP opening short-tag AKA '<?' but fails with '<?php'
A simple use of eval:
Sometimes you want to know both the value of a variable being passed to a function and its name. Passing by reference can get you there, but only through a lot of convolutions (as far as I can tell!)
But by using the stem of a variable's name, there are two methods to achieve this.
Say that
<?php
$emailName="me@example.com";
?>
You can pass this information thusly:
First, if you have the stem, "emailName', in a string var
<?php
$theVarStem="emailName";
?>
you can recover the value of the original variable like this:
<?php
$theVarValue=eval("return \$$theVarStem;");
?>
Using 'return' inside the eval is the trick that makes it work - something inherent in the documentation but not at all obvious to me.
Unless $emailName has global scope, this method won't work inside a function. For that purpose, you can do the following:
<?php
myFunction(compact("emailName"))
function myFunction($theInfo)
{
$theVarStem=key($theInfo);
$theVarValue=current($theInfo);
//...
}
?>
I apologize if all this seems too obvious: it took me a lotta sloggin' to figure it out.
Inspired from the users microvalen at NOSPAM dot microvalen dot com and javis, i combined their notes and came up with a very simple "template engine", for testing purposes (to save the time and trouble of downloading and including a real template engine like the Smarty):
<?php
$var = 'dynamic content';
echo eval('?>' . file_get_contents('template.phtml') . '<?');
?>
and the template.phtml:
<html>
<head>
<!-- ... -->
</head>
<body>
<!-- ... -->
<?=$var?>
<!-- ... -->
</body>
</html>
This is something i use a lot (specially when studying new PHP Libraries or trying new jQuery plugins) and i think it might help others too.
eval and namespace
For those who wonder: since eval executes the code in another context than the current script, it is possible to evaluate code that uses a particular namespace without changing the current one (and it does not trigger an error if there is no namespace and the evaluated one is not at the top of the script).
Exemple:
<?php
namespace Foo;
echo 'namespace 1: '.__NAMESPACE__."\n";
eval('namespace Bar;
class BarClass {}
echo \'namespace 2: \'.__NAMESPACE__."\n";');
echo 'namespace 1 again: '.__NAMESPACE__."\n";
?>
output:
namespace 1: Foo
namespace 2: Bar
namespace 1 again: Foo
And it will create the class Bar\BarClass.
Also, the eval code will not belong to the namespace of the code that do the eval:
<?php
namespace Foo;
echo 'namespace 1: '.__NAMESPACE__."\n";
eval('class BarClass {}
echo \'namespace 2: \'.__NAMESPACE__."\n";');
?>
output:
namespace 1: Foo
namespace 2: // global namespace
Fixed matheval function when percentage is less than 10:
<?php
function matheval($equation)
{
$equation = preg_replace("/[^0-9+\-.*\/()%]/","",$equation);
// fix percentage calcul when percentage value < 10
$equation = preg_replace("/([+-])([0-9]{1})(%)/","*(1\$1.0\$2)",$equation);
// calc percentage
$equation = preg_replace("/([+-])([0-9]+)(%)/","*(1\$1.\$2)",$equation);
// you could use str_replace on this next line
// if you really, really want to fine-tune this equation
$equation = preg_replace("/([0-9]+)(%)/",".\$1",$equation);
if ( $equation == "" )
{
$return = 0;
}
else
{
eval("\$return=" . $equation . ";" );
}
return $return;
}
?>
Never, Never ever forget the ";" on the end of the eval string, if you are adding it to eval a variable attribuition;
<?php
$data = "$key"."_$sequence";
eval("\$idct=\$idedit_$data;");
?>
we took a long time to discover that the problem was a ";" missing in the end.
I updated my code because there are many abuses of the function eval() in phpscripts to break security, privacy, to perform callbacks, to execute commands on the server by remote. This could not be allowed in a professional environment which often deals with sensitive, important or financial data.
Code obfuscation is not a safe solution to protect Your source at all. As I do disagree with some programmers to use any ( ! ) solution to encrypt php code. I advocate to not scramble code and to not implement call home events (which hit the firewall or reverse proxy anyway). Call backs do violate privacy of the user. It can be considered as spyware, theft of information. All serverside code should be readable to to verify if no sensitive information is transfered to the vendor or to verify it is not malware. Running scrambled code is as dangerous as to run a server without any security measures. That's why some hosting providers refuse to run scrambled code on their servers. As programmer, the best way You can do is to create many revisions of Your code, as to provide additional plugins, services and support for registered users. So do not encrypt a single line of code at all, do follow the opensource standard and do respect privacy and the right of verification of the user of your scripts.
So here is an updated version, to use with PHP-CLI If it fails in the process, You can invoke with the verbose option so You can follow the process and alter this code.
----- snippet denest.php.sh -----------
#!/usr/bin/php
<?php
// FILE: denest.php.sh
// perform chmod +x denest.php.sh
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <webmaster@purechocolates.com>\n\n";
/* invokation php-cli: #php denest.php <your_nested_script.php> <verbose empty,0=OFF 1=ON> */
$filename_full = $argv[1];
$verbose = (bool) $argv[2];
$filename_base = basename ($filename_full,'.php');
$content = "";
echo "Using: ".$filename_base.".php\n";
echo "Read...\n";
$fp1 = fopen ($filename_full, "r");
$content = fread ($fp1, filesize ($filename_full));
fclose($fp1);
echo "Decode...\n";
while ( is_nested($content) ) $content=denest($content);
dump($content,TRUE);
function is_nested ($text) {
return preg_match("/eval\(gzinflate/",$text);
}
function denest ($text) {
global $verbose;
$text=preg_replace("/<\?php|<\?|\?>/", "", $text);
if ($verbose) dump ($text,FALSE);
eval(preg_replace("/eval/", "\$text=", $text));
if ($verbose) dump ($text,FALSE);
return $text;
}
function dump ($text,$final) {
static $counter = 0 ;
global $filename_base;
$filename_new = ($final) ? ($filename_base.".done.php") : ($filename_base.".".sprintf("%04d", ++$counter).".php");
echo "Writing ".$filename_new."\n";
$fp2 = fopen($filename_new,"w");
fwrite($fp2, trim($text));
fclose($fp2);
}
?>
----- snippet denest.php.sh -----------
very simple example to includea html file:
<?php
$simple_var = 'This is a simple var';
eval("\$file=\"" . addslashes(implode("", file("test.html"))) . "\";");
print $file;
?>
and the html:
<body>
$simple_var
</body>
you can actually run strings with html and php code. To do that you need to append ?> and <? simbols like this:
<?php eval("?>" . $code . "<?"); ?>
Magic constants like __FILE__ may not return what you expect if used inside eval()'d code. Instead, it'll answer something like "c:\directory\filename.php(123) : eval()'d code" (under Windows, obviously, checked with PHP5.2.6) - which can still be processed with a function like preg_replace to receive the filename of the file containing the eval().
Example:
<?php
$filename = preg_replace('@\(.*\(.*$@', '', __FILE__);
echo $filename;
?>
<?php
function safe_eval($code,&$status) { //status 0=failed,1=all clear
//Signs
//Can't assign stuff
$bl_signs = array("=");
//Language constructs
$bl_constructs = array("print","echo","require","include","if","else",
"while","for","switch","exit","break");
//Functions
$funcs = get_defined_functions();
$funcs = array_merge($funcs['internal'],$funcs['user']);
//Functions allowed
//Math cant be evil, can it?
$whitelist = array("pow","exp","abs","sin","cos","tan");
//Remove whitelist elements
foreach($whitelist as $f) {
unset($funcs[array_search($f,$funcs)]);
}
//Append '(' to prevent confusion (e.g. array() and array_fill())
foreach($funcs as $key => $val) {
$funcs[$key] = $val."(";
}
$blacklist = array_merge($bl_signs,$bl_constructs,$funcs);
//Check
$status=1;
foreach($blacklist as $nono) {
if(strpos($code,$nono) !== false) {
$status = 0;
return 0;
}
}
//Eval
return @eval($code);
}
?>
Note: Try to include this after all of your other self-defined functions and consider whether the blacklist is appropriate for your purpose
I wouldn't recommend this function if you're going to use eval extensively in your script. However, it's worth a try if you are going to put user input into eval
eval vs include
i have to make a script to take code from a database and excute it, but i'm not sure is eval was hight server load than include, so i take the example of Luke at chaoticlogic dot net and test it, the results are great for eval:
test.php
<?php
//establish a blank integer
$increment=0;
//establish the code to be executed
//one hundred million times
$code="\$increment++;";
//remember the time this test started
$started=time();
//execute $code on hundred million times
for ($i=0;$i<100000;$i++) {
eval($code);
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Eval()ed code took $spent seconds to execute 100,000 times.\n";
//re-establish that same blank integer
$increment=0;
//remember the time this second test
//started
$started=time();
//execute the test again, with
//pre-parsed code
for ($i=0;$i<100000;$i++) {
include("increment.php");
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Included file with Pre-parsed code took $spent seconds to execute 100,000 times.\n";
?>
increment.php
<?php
$increment++;
?>
Eval()ed code took 0 seconds to execute 100,000 times. Included file with Pre-parsed code took 17 seconds to execute 100,000 times.
i change 100,000,000 for 100,000 because the script take so much time
One thing to note is that an exit() call inside an eval() exits the entire script, *not* just the eval(), which is what you'd expect if you've ever used eval() in any other language. This makes it somewhat useless in my opinion.
Finally, a good use for eval :)!
If you want to be able to check for syntax errors WITHOUT executing the code, add "return true;" before all the code. All execution of the code stops after that mark, and makes eval returns true on no syntax errors, and false on syntax errors.
This is especially useful for anyone making a template system.
Here's a working example:
<?php
function check_syntax($code) {
return @eval('return true;' . $code);
}
print "<b>No Code execution:</b><br />\n";
$code = "print \"<b><i>hello! you don't want me...</i></b><br />\n\";";
var_dump(check_syntax($code)); // Good syntax
print "<br />\n";
var_dump(check_syntax($code . ' ==')); // Bad syntax
print "<br />\n";
print "<b>Code Executed...Bad</b>:<br />\n";
var_dump(eval($code) === null); // Good syntax
print "<br />\n";
var_dump(@eval($code . ' ==') === null); // Bad syntax
?>
<?php
$hello[2][4][6][8][10] = 'this is a test';
$w = "[2]";
$o = "[4]";
$r = "[6]";
$l = "[8]";
$d = "[10]";
echo 'hello, '.eval("return \$hello$w$o$r$l$d;");
?>
The above will output:
hello, this is a test
eval does not work reliably in conjunction with global, at least not in the cygwin port version.
So:
<?PHP
class foo {
//my class...
}
function load_module($module) {
eval("global \$".$module."_var;");
eval("\$".$module."_var=&new foo();");
//various stuff ... ...
}
load_module("foo");
?>
becomes to working:
<?PHP
class foo {
//my class...
}
function load_module($module) {
eval('$GLOBALS["'.$module.'_var"]=&new foo();');
//various stuff ... ...
}
load_module("foo");
?>
Note in the 2nd example, you _always_ need to use $GLOBALS[$module] to access the variable!
The EVAL function can be used as a fast Template system.
<?php
function parseTemplate($template, $params=array()) {
foreach ($params as $k=>$v) {
$$k = $v;
}
ob_start();
eval("?>" . implode("", file($template)) . "<?");
$c = ob_get_contents();
ob_end_flush();
return $c;
}
?>
Example:
<?php
echo parseTemplate("myTemplate.php", array('account'=>$row));
?>
and myTemplate.php can be like
<?php foreach($account as $k=>$v) : ?>
<?php echo $k; ?>: <?php echo $v; ?>
<?php endforeach; ?>
It seems that the Magic constants (http://www.php.net/manual/en/language.constants.predefined.php) do NOT work in an eval()'ed code.
Probably because PHP substitutes these statically when it compiles the source code of your PHP script initially.
So the following will not work as expected:
<?php
function user_func1() {
echo "User function name: ".__FUNCTION__."\n";
eval('echo "in eval(): User function name: ".__FUNCTION__."\n";');
}
?>
Calling user_func1() will output:
User function name: user_func1
User function name:
I thought it was pertinent to demonstrate just how slow the eval() function is when compared to pre-parsed code, so I wrote this.
In my case, it took 54 seconds to execute the code 100,000,000 times through eval(), and only 4 seconds with pre-parsed code.
<?php
//establish a blank integer
$increment=0;
//establish the code to be executed
//one hundred million times
$code="\$increment++;";
//remember the time this test started
$started=time();
//execute $code on hundred million times
for ($i=0;$i<10000000;$i++) {
eval($code);
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Eval()ed code took $spent seconds to execute 100,000,000 times.\n";
//re-establish that same blank integer
$increment=0;
//remember the time this second test
//started
$started=time();
//execute the test again, with
//pre-parsed code
for ($i=0;$i<10000000;$i++) {
$increment++;
}
//find out how long it took, in
//seconds
$ended=time();
$spent=$ended-$started;
//tell the user this
print "Pre-parsed code took $spent seconds to execute 100,000,000 times.\n";
?>
I wish there was some way to parse code, store the pre-parsed binary in a variable, and then tell PHP to execute that variable as if it was part of the program.
If you attempt to call a user defined function in eval() and .php files are obfuscated by Zend encoder, it will result in a fatal error.
Use a call_user_func() inside eval() to call your personal hand made functions.
This is user function
<?php
function square_it($nmb)
{
return $nmb * $nmb;
}
?>
//Checking if eval sees it?
<?php
$code = var_export( function_exists('square_it') );
eval( $code ); //returns TRUE - so yes it does!
?>
This will result in a fatal error:
PHP Fatal error: Call to undefined function square_it()
<?php
$code = 'echo square_it(55);' ;
eval( $code );
?>
This will work
<?php
$code = 'echo call_user_func(\'square_it\', 55);' ;
eval( $code );
?>
A wonderful world of eval() applications
You certainly know how to simulate an array as a constant using eval(), not ? See the code below:
<?php
if( ! defined('MY_ARRAY') )
{
define( 'MY_ARRAY' , 'return ' . var_export( array( 1, 2, 3, 4, 5 ) , true ) . ';' );
}
?>
And far, far away in your code...
<?php
$my_array = eval( MY_ARRAY );
?>
But the grandeur of eval is when you use it to customize some method of a class :
<?php
if( ! class_exists( 'my_class' ) )
{
class my_class
{
//private propreties
var $_prop;
var $_custom_check = 'return true;'; //of course, I want a default check code that return true
//PHP4 constructor
function my_class()
{
$this -> _prop = eval( MY_ARRAY );
}
function customize_check( $code )
{
$this -> _custom_check = $code;
}
function check( $val )
{
return eval( $this -> _custom_check );
}
}
}
$my_class = new my_class();
$check = 'return in_array( $val , $this -> _prop , true );';
$my_class -> customize_check( $check );
print '<pre>';
if( $my_class -> check( 1 ) )
{
echo '1 is checked as true.' . "\n";
}
else
{
echo '1 is checked as false.' . "\n";
}
//show: 1 is checked as true.
if( $my_class -> check( '1' ) )
{
echo '"1" is checked as true.' . "\n";
}
else
{
echo '"1" is checked as false.' . "\n";
}
//show: "1" is checked as false.
print '</pre>';
?>
The application of eval() using propreties of a class gives you so much possibilities...
Of course, combinate with a safer eval code, will be better but if you use it only in your code ( for framework project by example ) that's note necessary...
Have fun.
Safer Eval
eval() is used way to often. It slows down code, makes it harder to maintain and it created security risks. However, sometimes, I found myself wishing I could allow some user-controlled scripting in my software, without giving access to dangerous functions.
That's what the following class does: it uses PHP's tokenizer to parse a script, compares every function call against a list of allowed functions. Only if the script is "clean", it gets eval'd.
<?php
class SaferScript {
var $source, $allowedCalls;
function SaferScript($scriptText) {
$this->source = $scriptText;
$this->allowedCalls = array();
}
function allowHarmlessCalls() {
$this->allowedCalls = explode(',',
'explode,implode,date,time,round,trunc,rand,ceil,floor,srand,'.
'strtolower,strtoupper,substr,stristr,strpos,print,print_r');
}
function parse() {
$this->parseErrors = array();
$tokens = token_get_all('<?'.'php '.$this->source.' ?'.'>');
$vcall = '';
foreach ($tokens as $token) {
if (is_array($token)) {
$id = $token[0];
switch ($id) {
case(T_VARIABLE): { $vcall .= 'v'; break; }
case(T_STRING): { $vcall .= 's'; }
case(T_REQUIRE_ONCE): case(T_REQUIRE): case(T_NEW): case(T_RETURN):
case(T_BREAK): case(T_CATCH): case(T_CLONE): case(T_EXIT):
case(T_PRINT): case(T_GLOBAL): case(T_ECHO): case(T_INCLUDE_ONCE):
case(T_INCLUDE): case(T_EVAL): case(T_FUNCTION): {
if (array_search($token[1], $this->allowedCalls) === false)
$this->parseErrors[] = 'illegal call: '.$token[1];
}
}
}
else
$vcall .= $token;
}
if (stristr($vcall, 'v(') != '')
$this->parseErrors[] = array('illegal dynamic function call');
return($this->parseErrors);
}
function execute($parameters = array()) {
foreach ($parameters as $k => $v)
$$k = $v;
if (sizeof($this->parseErrors) == 0)
eval($this->source);
else
print('cannot execute, script contains errors');
}
}
?>
Usage example:
<?php
$ls = new SaferScript('horribleCode();');
$ls->allowHarmlessCalls();
print_r($ls->parse());
$ls->execute();
?>
Of course it is not entirely safe, but it's a start ;-)
Since JSON started becoming popular. I've started applying the same idea to PHP arrays. Its an alternative to using XML or CSV. For example:
<?php
$from_external_source = '( "a" => "1", "b" => array( "b1" => "2", "b2" => "3" ) )';
eval( '$external_source_as_array = array'.$from_external_source.';' );
if ( is_array( $external_source_as_array ) ) {
// now you can work with the external source as an array
print_r( $external_source_as_array );
}
?>
It can be less verbose than XML, but provide more meta data than CSV, and unlike CSV, data ordering is not an issue.
I used it when I wanted to store log data externally in a text file.
Kai
Errors that occur in evaluated code are hard to catch. burninleo at gmx dot net posted some code below that will buffer the output of the evaluated code and search the output for errors. Another way you can do this would be using a custom error handler that's only in effect during the eval() of the code. A very (very) crude example:
<?php
$errors = array();
function error_hndl($errno, $errstr) {
global $errors;
$errors[] = array("errno"=>$errno, "errstr"=>$errstr);
}
function evale ($code) {
global $errors;
$errors = array();
$orig_hndl = set_error_handler("error_hndl");
eval($code);
restore_error_handler();
}
evale('print("foo" . $bar);'); // Undefined variable: bar
var_dump($errors);
//fooarray(1) {
// [0]=>
// array(2) {
// ["errno"]=>
// int(8)
// ["errstr"]=>
// string(23) "Undefined variable: bar"
// }
//}
?>
This will however not catch syntax errors in the code you're trying to eval. This can cause your script to stop with a fatal error inside the eval(). You can catch syntax errors using the Parsekit PECL extension. The parsekit_compile_string() function will try to compile a piece of PHP code and will catch syntax errors if they occur. To extend the earlier piece of code:
<?php
$errors = array();
function error_hndl($errno, $errstr) {
global $errors;
$errors[] = array("errno"=>$errno, "errstr"=>$errstr);
}
function evale ($code) {
global $errors;
$errors = array(); // Reset errors
$orig_hndl = set_error_handler("error_hndl");
if (parsekit_compile_string($code, &$errors, PARSEKIT_QUIET)) {
eval($code);
}
restore_error_handler();
if (count($errors) > 0) {
return(false);
} else {
return(true);
}
}
if (!evale('print("foo . $bar);')) { // syntax error, unexpected $end (no closing double quote)
var_dump($errors);
}
?>
(NOTE: Please do not use the code above directly in your program. It's merely a proof-of-concept).
If you are trying to get eval() to run a string as if it were from an include file, try this:
<?php eval("?>".$string); ?>
Eval starts in PHP Script mode, break into html mode first thing and you're done.
Well let me just start off by saying that eval(); confused the heck out of me untill I read that you can use Return.
This will help anyone who wants to "Inject" code into an IF statement. My example is a survey site, some questions are required, some are only required if others are checked. So let me share with you my dynamic script and show you how I was able to make a Dynamic IF Statement.
The code below had been altered to be understandable.
<?php
$survey_number = 3 // The third survey. (Out of 10 Surveys)
$rq[3] = array(1,2,3,4,5,6,8,9,11,13,15,17,19,20); // Required Questions for Survey 3 - Some of these can not be "NULL" (not NULL) or they will stop the script from going any further. (In my script I replaced any questions that were not answered with "NULL" using a for loop based on the number of questions in the survey)
$aa[3][4] = ' && '.$q[3].' == "1"'; // Added Arguments - 3 = Survey 3's Arguments, 4= Argument belongs to question 4, $q[1-20] (20 Questions total in this case.
//HERE IS THE DYNAMIC IF STATEMENT
$count = count($rq[$survey_number]);
for ($i=0;$i< $count;$i++)
{
$if_statement = '$q['.$rq[$survey_number][$i].'] == "NULL"';
if(isset($aa[$survey_number][$rq[$survey_number][$i]]))
{
$if_statement .= $aa[$survey_number][$rq[$survey_number][$i]];
}
if(eval("return ".$if_statement.";"))
{
echo $rq[$survey_number][$i].': Is NULL and IS NOT ok.<br>';
}
else
{
echo $rq[$survey_number][$i].': Is NULL and IS ok.<br>';
}
}
?>
In my experiance with this the Added Argument needs to have an actual value inplanted into the string, it did not work by just putting $q[3], i had to use '.$q[3].' to place the value of question 3 in the string.
I hope this help someone, I spent so much time trying to figure this out and want to share how something this simple is done.
Thank you.
I was trying to build a multidimensional array to an unknown dimension (within a loop or "while") and found that eval is, as far as I can tell, the only simple way to solve the problem.
<?php
$arr = array(2,
array("v", "q", 5,
array(5, 8, "g"),
"x"));
$i=3;
$key1 = "[1]";
$key2 = "[".$i."]"; // E.g., could build this conditionally within a loop
$key3 = "[2]";
$keys = $key1.$key2.$key3; // Can add as many keys as needed (could be done instead via a loop with repeated calls to .= )
print $arr{$keys}; // This does not work
print $arr[$keys]; // This also does not work
// However...
eval("\$value = \$arr{$keys};");
print $value; // Correctly prints "g"
?>
The only way to retreive information on parse errors in eval'd code seems to be the output buffering.
<?PHP
// Append a return true to php-code to check on errors
$code.= "\nreturn true;";
// Send any output to buffer
ob_start();
// Do eval()
$check = eval($code);
$output = ob_get_contents();
ob_end_clean();
// Send output or report errors
if ($check === true) {
echo $output;
} else {
// Manually parse output for errors and
// generate usable information for the user
// especially content of error-lines.
$pattern = '/^\s*Parse error\s*:(.+) in (.+) on line (\d+)\s*$/m';
etc ...
}
Might you have to do eval in if statements, you will find it's quite some task to make it work.
The only way to make it work is to make a reference to the eval'd variable. This example will show the different usage of eval in if-statements. It simply becomes clear that an eval() in an if() is not working as you want to.
<?php
$total2=5;
$total3=0;
$i=2;
if (eval("\$total".$i.";")) {
echo "eval: total2 is full<br>";
} else {
echo "eval: total2 is empty<br>";
}
// returns "empty"
// eval without the ";" will generate a warning
$str="\$refer=&\$total".$i.";";
eval($str);
if ($refer) {
echo "eval: total2 is full<br>";
} else {
echo "eval: total2 is empty<br>";
}
// returns "full"
?>
The eval function can be misused for Cross Site Scripting(XSS) as well. Les say we have this very trivial page that allows a user to enter a text and see it formated using different styles. If the site designer was lazy and used eval function to come up with somethig like this:
<?php
$mytxt = $_GET["text"];
$strFormats = array( '<h1>$mytxt</h1>',
'<h2>$mytxt</h2>',
'<span class="style1">$mytxt</span>'); //so on
foreach ($strFormats as $style){
eval("echo $style;");
}
?>
This page could be a target for XSS, because user input is not validated. So the hacker could enter any valid PHP commands and the site will execute it. Imagine what could happen if the injected script reads files like config.php and passed it to the hacker's site.
If the file permissions are not set correctly, the injected script could modify the current script. A form's action parameter can be set to a hacker's site or worse every transaction could be secretly posted to another website from within the server. Injected script could be something like this:
<?php
$filename=basename($_SERVER['PHP_SELF']);
$fp = fopen($filename, "a");
$str = echo "<!-- XSS Vulnerability-->"; // could be any PHP command
fwrite($fp, $str);
fclose($fp);
?>
The golden rule is don't trust the user. Always validate data from the client side.
eval() is used to protect (read: hide) source code. A well known way to encrypt some php code is security through obscurity. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.
E.g.
<?php
eval(gzinflate(base64_decode('AjHRawIHG1ypUpudV.....')));
?>
However this can be decoded in this way:
<?php
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents);
eval(preg_replace("/eval/", "\$contents=", $contents));
}
echo "3. Writing decoded.txt\n";
$fp2 = fopen("decoded.txt","w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>
To simulate the register_globals setting in php.ini, you must put it in the top of your php page:
<?php
function rg() {
$ar = array($_POST, $_GET, $_SESSION, $_SERVER);
foreach($ar as $ar_) {
foreach($ar_as $key => $value) {
eval("\$" . $key . " = \"" . $value . "\";");
}
}
}
?>
to load a php file to a variable then execute it, try this
<?php
$code=file_get_contents("file.php");
$code=str_replace('<'.'?php','<'.'?',$code);
$code='?'.'>'.trim($code).'<'.'?';
eval($code);
?>
using < ?php within eval does not work, but < ? does. in case there is html in the file loaded, the script doesn't remove the < ?php and ? >, but insted adds ? > and < ? around the code loaded from the file. it's simple and works very well. I also broke up the tags in the 3rd and 4th lines of code to keep from having problems if the lines are commented out.
I m going to give you my recent exploration about eval. I think you dont need all those complex functions using regex to work HTML in your code. when ever you call eval(), php thinks that it is within <? ?> tags. so all the problem rises. to solve the problem just close your php tag at first of the HTML string, then write the HTML string and then start the php tag.
this is some thing like:
<?php
$teststr="?><html><body>this is the test</body></html><?php";
eval($teststr);
?>
i think this will work for you. at least this worked for me. if you find any problem with this please reply
If you send headers after you call the eval() function, you may get this error:
PHP Error: (2) Cannot modify header information - headers already sent by (output started at something...)
In this case, surround your call to eval() with calls to some ob functions:
<?php
$eval = "some code you want to execute";
ob_start();
eval($eval);
ob_end_clean();
?>
This function will take any combination of HTML and (properly opened and closed)PHP that is given in a string, and return a value that is the HTML and the RESULT of that PHP code and return them both combined in the order that they were originally written.
I tried using both the eval_html(gave me carp about using 's and "s in the HTML) and html_eval2(gave me the results of the PHP first, then all of the HTML afterwards) posted by the other users on this function's notes, but for some reason, neither of them would really work the way I had understood that they would work,(or in the case of some of my code, work at all)
So I combined the best of what I saw in both, and created eval_html3
<?php
function my_eval($arr) {
return ('echo stripslashes("'.addslashes($arr[0]).'");');
}
function eval_html3($string) {
$string = '<?php ?>'.$string.'<?php ?>';
$string = str_replace( '?>', '', str_replace( array( '<?php', '<?' ), '', preg_replace_callback( "/\?>(.*?)(<\?php|<\?)/", "my_eval", $string ) ) );
return eval($string);
}
?>
Good luck!
I used eval() to restore a user's session data. I stored $_SESSION to a field in a database as
<?php
addslashes(var_export($_SESSION, TRUE))
?>
To restore it, I executed this code:
<?php
eval("\$_SESSION = $session;");
// $session being the first line of code above
?>
Voila! Session restored.
Without eval(), $_SESSION = $session would have resulted in $_SESSION being a string instead of an array.
<?php
$foo1 = "the good,<br>";
$foo2 = "the bad,<br>";
$foo3 = "the ugly.";
for ($i=1; $i <=3; $i++)
{
eval("\$_SESSION['myVar$i'] = \$foo".$i.";");
}
//use below to show what's in session:
echo "<h3>SESSION</h3>";
echo "<table border=1 width=50%>";
echo "<tr bgcolor=\"#3399FF\">";
echo "<td><b><font color=\"#FFFFFF\">Variable Name</font></b></td>";
echo "<td><b><font color=\"#FFFFFF\">Value</font></b></td></tr>";
while(list($key, $val) = each($_SESSION))
{
echo "<tr><td>$key</td><td><b>$val</b></td></tr>";
}
echo "</table>";
die();
/*---------------------------------------------------------
Prints:
myVar1 the good,
myVar2 the bad,
myVar3 the ugly.
*/
?>
Using the html_eval() some notes above I experienced problems related to *dirty* html. This function is less critical:
<?php
function html_eval2($string) {
return preg_replace_callback("/<\?php(.*?)\?>/","my_eval",$string);
}
function my_eval($arr) {
return eval($arr[1]);
}
?>
Timo
To use eval output as a variable without the user seeing the output, use this:
<?php
ob_start();
eval("whatever you want");
$eval_buffer = ob_get_contents();
ob_end_clean();
echo $eval_buffer;
?>
Everything that eval produces will now be stored inside $eval_buffer.
a cool way to use eval is to convert strings into variable names.
this is a subsitute for using arrays.
look at this code:
<?php
for($a=1; $a<=5; $a++){
eval("$"."variable".$a."=".$a.";");
}
?>
this will create variables called variable1, variable2, and so on, that are equal to 1, 2, and so on.
i recently used this to help a friend make a Flash game that sent variables like that to PHP.
Just a note when using eval and expecting return values - the eval()'ed string must do the returning. Take the following example script:
<?php
function ReturnArray()
{
return array("foo"=>1, "bar"=>2);
}
$test = eval("ReturnArray();");
print("Got back $test (".count($test).")\n");
$test = eval("return ReturnArray();");
print("Got back $test (".count($test).")\n");
?>
You will get back:
Got back (0)
Got back Array (2)
This ran me afoul for a little bit, but is the way eval() is supposed to work (eval is evaluating a new PHP script).
Using eval inside loops is very slow, so try avoiding code like
<?php
for($i=0;$i<10;$i++) {
eval('do_something()');
}
?>
If you absolutely have to, include the entire loop in eval:
<?php
eval('for($i=0;$i<10;$i++) {'.
'do_something();'.
'}');
?>
Eval can't be used as a callback function so if you want to use the eval function name dynamically use this simple work around:
<?php
if ($function_name == "eval")
{
eval($stuff);
}
else
{
$function_name($stuff);
}
?>
The eval function becomes incredibly useful when dealing with static class members and variables.
For instance:
Lets say you have 3 classes; Foo, BarA and BarB, where BarA and BarB are children of Foo.
Now lets also say that both BarA and BarB contain a static member function called getDataSource().
To call getDataSource() you would have to use the syntax:
<?php
BarA::getDataSource();
BarB::getDataSource();
?>
But lets say you need to access getDataSource() from inside class Foo during an instance of either BarA or BarB.
You can use eval to do something like this:
<?php
eval('$dataSource=' . get_class($this) . '::getDataSource();');
?>
An obvious security reminder, which I think wasn't yet mentioned here. Special care is required when variables entered by the user are passed to the eval() function. You should validate those user inputs, and really make sure they have the format you expect.
E.g., if you evaluate math expressions with something like
<?php
eval("\$result = $equation;");
?>
without any check on the $equation variable, a bad user could enter in the $equation field
""; echo file_get_contents('/etc/passwd')
- or whatever PHP code he wants! - which would evaluate to
<?php
$result = ""; echo file_get_contents('/etc/passwd');
?>
and seriously compromising your security!
This is a small code that uses 'eval' with a foreach (maybe 'for' loop), to fill variables. This is very useful in some hard situations:
<html><title>for loop</title><body><p align=center>
<?php
$thing = array("a","b","c");
$a = "bah" ; $b = "bleh2"; $c = "bluh3";
print("Vars b4: $a, $b, $c. ");
foreach ( $thing as $thingy ) {
print("$thingy, ");
eval("\$$thingy = \"$thingy\";");
};
print("vars aft: $a, $b, $c.");
?>
</p></body></html>
Dynamically loading php pages!
In michael example ( 02-Sep-2004 05:16) is one big problem. Try to load php page with this content :
-----------------------
<?php
$a = 1;
if($a == 1){
?>
<br />ir?<br />
<?php
}
?>
------------------------
Ups? :) maybe easier way is to do something like that ? please comments :
<?php
function eval_html($string) {
$string = preg_replace("/\?>(.*?)(<\?php|<\?)/si", "echo \"\\1\";",$string);
$string = str_replace("<?php", "", $string);
$string = str_replace("?>", "", $string);
return eval($string);
}
$filename = "page.php";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
echo eval_html($contents);
?>
The html source will be replaced with echo. and problem is gone :) or there are other problems ? please comments.
P.S. sorry about my bad English
When using Dynamic Proxy design pattern we must create a class automaticly. Here is a sample code.
<?php
$clazz = "class SomeClass { var \$value = 'somevalue'; function show() { echo get_class(\$this);}}";
eval($clazz);
$instance = new SomeClass;
// Here output 'somevalue';
echo $instance->value;
echo "<br>";
//Here output 'someclass'
$instance->show();
?>
Be careful when using eval() on heavy usage sites in PHP 4.0+ as it takes vastly longer to activate due to the limitations of the Zend engine.
The Zend engine changes the PHP to a binary structure at the START of the file, and then parses it. Every time an eval is called, however, it has to reactivate the parsing procedure and convert the eval()'d code into usable binary format again.
Basically, if you eval() code, it takes as long as calling a new php page with the same code inside.
Kepp the following Quote in mind:
If eval() is the answer, you're almost certainly asking the
wrong question. -- Rasmus Lerdorf, BDFL of PHP
Diese Seite bei php.net