Question about eval in PHP 5

Question

I have been doing PHP stuff for almost one year and I have never used the function eval() though I know the usage of it. But I found many questions about it in SO.So can someone show me a simple example in which it's necessary to use eval()?And is it a good or bad practice?

Answer 1

Using eval() is a bad practice, and if it turns out to be necessary to achieve something, that is usually the sign of a underlying design error.

I can't think of any situation where it is necessary to use eval(). (i.e. something can't be achieved using other language constructs, or by fixing a broken design.) Interested to see whether any genuine cases come up here where eval actually is necessary or the alternative would be horribly complex.

The only instance of where it could be necessary is for executing code coming from an external source (e.g. database records.) But this is a design error in itself IMO.

Answer 2

eval() is necessary to implement a "compiling" template engine, like Smarty, that uses its own language and compiles it down to php on the fly. The main function of such engines is usually something like

 function render_template($path) {
    $code = file_get_contents($path);
    $php = $this->compile_to_php($code);
    eval($php);
 }

Besides that, everytime you use "include" or "require", you're actually using "eval" under the hood - so, actually, eval is one of the mostly used php constructs.

Answer 3

Bad application design is always such an example.

Answer 4

Well I have used eval once. This was for a system, where the users could enter formulas using constants fished from the underlying system.

A string like:

(N * (G - 2,7)) / E

was taken and the constants replaced with values from the system eval is then used to get a value. eval seemed like the easiest way to go. The statement was filtered to only allow operators and uppercase letters(no two next to each other) so perhaps this is not a "real" use case of eval, but it works and is pretty readable.

That said the system in questing is huge (200k+ lines) and this is the only place that eval is used.

Answer 5

A command line php shell is a great example. I guess you could fork the actual php code and write your shell extensions in C instead, but it seems much more sensible to do it in php. Since the person providing the code should already have full access to the system, there's no security issue at all. Once you get php compiled with readline, this sort of thing is actually really useful.

Drupal (optionally) uses eval to allow for ready extensibility. To accomplish this it takes user (generally administrator-only) input of code to be evaluated and stores it in the database. Drupal also has lots of people making sure that there are no security holes.

Answer 6

Using eval is quite dangerous, if see from security side. Anyway, a lot of template engines use eval, because they should parse page and get some variables or make calculations.

Answer 7

Eval useful for example in such case, as register widgets in cycle in wordpress while creating custom theme:

class PluginusNetWPTF_Widget extends PluginusNetWPTF_Core {

    public static $widgets = array(
        'PLUGINUSNET_RECENT_POSTS_WIDGET' => array(
            'description' => 'Recent posts of selected category',
            'creation' => 'PluginusNet Recent Posts',
            'fields' => array('title' => 'Recent Posts', 'category' => '', 'post_number' => 3, 'show_thumbnail' => 1, 'show_exerpt' => 0),
            'view' => 'recent_posts',
            'form' => 'recent_posts_form'
        ),
            //'PLUGINUSNET_RECENT_POSTS_WIDGET2' => array(),
    );

    public static function register_widgets() {
        foreach (self::$widgets as $widget_class_name => $widget_data) {
            $code = '

class '.$widget_class_name.' extends WP_Widget {

    //Widget Setup
    function __construct() {
        //Basic settings
        $settings = array("classname" => __CLASS__, "description" => __(PluginusNetWPTF_Widget::$widgets[__CLASS__]["description"], PLUGINUSNET_THEME_NAME));

        //Creation
        $this->WP_Widget(__CLASS__, __(PluginusNetWPTF_Widget::$widgets[__CLASS__]["creation"], PLUGINUSNET_THEME_NAME), $settings);
    }

    //Widget view
    function widget($args, $instance) {
        $args["instance"] = $instance;
        echo PluginusNetWPTF_Widget::draw_html("widget/" . PluginusNetWPTF_Widget::$widgets[__CLASS__]["view"], $args);
    }

    //Update widget
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        if (!empty(PluginusNetWPTF_Widget::$widgets[__CLASS__]["fields"])) {
            foreach (PluginusNetWPTF_Widget::$widgets[__CLASS__]["fields"] as $key => $value) {
                $instance[$key] = $new_instance[$key];
            }
        }

        return $instance;
    }

    //Widget form
    function form($instance) {
        //Defaults
        $defaults = PluginusNetWPTF_Widget::$widgets[__CLASS__]["fields"];
        $instance = wp_parse_args((array) $instance, $defaults);
        $args = array();
        $args["instance"] = $instance;
        $args["widget"] = $this;
        echo PluginusNetWPTF_Widget::draw_html("widget/" . PluginusNetWPTF_Widget::$widgets[__CLASS__]["form"], $args);
    }

}

';
            eval($code);
            register_widget($widget_class_name);
        }
    }

}