eval

Description

eval() is used to evaluate a string as PHP code. It's most often used to execute PHP code that's built at runtime or to get around some of the limitations in the PHP parser. Use of eval() can be somewhat tricky at times. Novice programmers have suggested that evil() would be a more appropriate name for the function.

eval() behaves as if the string being evaluated was a normal block of code in the same scope as the call to eval(). The best way to explain this is by using a few simple code examples. In PHP 4, there is an exception to this rule. A return() statement can be used to stop parsing of the evaluated string. The value after the return() statement will be returned by the eval() function.

The following scripts should be equivalent:

```php
<?php
# Print a list of ASCII hex values and the characters that they represent
for ($ord = 1; $ord < 256; ++$ord)
    printf ('%02X: %s<br>', $ord, chr ($ord));

# The same script using an eval()'d string for the body of the for loop
for ($ord = 1; $ord < 256; ++$ord)
    eval ('printf (\'%02X: %s<br>\', $ord, chr ($ord));');

# A slightly modified version of the same script using an eval()'d string for the entire script
# This script also returns the output of the eval()'d code
# Note that the dollar signs ($) in the string are escaped with a single backslash
# This prevents the value of the variable from replacing the variable name in the string
# $output is initialized inside the evaluated code so that .= does not act on an undefined variable
echo eval (
    "\$output = '';
    for (\$ord = 1; \$ord < 256; ++\$ord)
        \$output .= sprintf (\"%02X: %s<br>\", \$ord, chr (\$ord));
    return \$output;"
);
```

You probably also noticed that the code being passed to the eval() function is parsed using the normal rules for strings. If the string is in double quotes, certain escape sequences (such as \n, \r, and \t) are recognized and a variable name is replaced with the value that it represents. This can lead to some odd complications when evaluating a string. Forgetting to escape a $ with a backslash can cause the evaluated code to generate odd and puzzling results.
Other common problems include forgetting to end expressions with a semicolon (;) and not escaping quotes within the evaluated string. A good way to debug evaluated code is to use echo() or print() to display the code. Then cut and paste the result into another file and try running it.

Example 751. Debug the code in an evaluated string

```php
<?php
$URL = 'http://www.example.com/';

# Place the code snippet in a variable
# This makes it easier to use for eval() or echo()
$code = "\$fp = fopen ('$URL', 'r') or die ('Could not open \$URL')";

# Assume that the evaluated code is not working (which it isn't)
# Comment the line below
eval ($code);

# And uncomment the following line
# echo $code, '<br>';

# Run the script and copy or redirect the script output to another file
# (Something like
#     lynx -dump http://www.example.com/script.php > test.php
# should work)
# Then run the new script.
```

Warning

Be very careful when allowing data from outside the script to be passed to the eval() function. In particular, never allow unfiltered user data to be evaluated. A malicious or incompetent user could easily wreak havoc on your server. Imagine that you have built a little online utility that allows users to experiment with PHP by entering code that is then evaluated. Depending on how carefully your server is set up, the following snippet may really ruin your day:

```php
$WINDIR ? `del /F/S/Q $WINDIR\*` : `rm -rf /`;
```

Example

Example 752. Use eval() to allow the use of a variable in local scope

```php
<?php
function submit_button ($field_name) {
    eval ("global \$$field_name;");

    return sprintf ('<input type="submit" name="%s" value="%s">'."\n", $field_name, $$field_name);

    /*
        Using
            global $$field_name;
        to give us access to the globally scoped $$field_name variable would fail.
        We use eval to get around this limitation - however, there are other
        ways to do this. We could have used
            $GLOBALS[$field_name]
        in place of the call to $$field_name.
    */
}

$insert = 'Save';
$replace = 'Save As';
$delete = 'Delete';

echo submit_button ('insert'), submit_button ('replace'), submit_button ('delete');
?>
```

Output:

```
<input type="submit" name="insert" value="Save">
<input type="submit" name="replace" value="Save As">
<input type="submit" name="delete" value="Delete">
```

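
The warning above also applies to Example 752 if $field_name ever comes from a request, because the name is spliced into the evaluated string. The following is an added example, not code from the book: it replaces the eval() call with the $GLOBALS lookup that the example's comment mentions, restricted by an allow-list and with HTML escaping on output. The names ALLOWED_BUTTONS and submit_button_safe are hypothetical, the input list is constructed, and the code assumes PHP 7 or later.

```php
<?php
// Added example: an eval()-free variant of submit_button() from Example 752.
// ALLOWED_BUTTONS and submit_button_safe() are hypothetical names for this sketch.
const ALLOWED_BUTTONS = ['insert', 'replace', 'delete'];

function submit_button_safe(string $field_name): string
{
    // Strict allow-list: the name is only ever compared as data and never
    // becomes part of a string that PHP parses as code.
    if (!in_array($field_name, ALLOWED_BUTTONS, true)) {
        throw new InvalidArgumentException(
            'Unknown button name: ' . var_export($field_name, true)
        );
    }

    // Read the global through $GLOBALS instead of eval("global \$$field_name;").
    if (!array_key_exists($field_name, $GLOBALS)) {
        throw new InvalidArgumentException("No label defined for '$field_name'");
    }
    $label = (string) $GLOBALS[$field_name];

    // Escape both values so a label containing quotes or angle brackets
    // cannot break out of the attribute.
    return sprintf(
        '<input type="submit" name="%s" value="%s">' . "\n",
        htmlspecialchars($field_name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
    );
}

$insert  = 'Save';
$replace = 'Save As';
$delete  = 'Delete';

// Constructed inputs: three legitimate names, then a value carrying PHP syntax.
// With the eval() version the last one would be parsed as
//   global $insert; echo "injected";
// Here it fails the allow-list and is reported instead.
$names = ['insert', 'replace', 'delete', 'insert; echo "injected"'];

foreach ($names as $name) {
    try {
        echo submit_button_safe($name);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```
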
PHP Functions Essential Reference. Copyright © 2002 by New Riders Publishing
(Authors: Zak Greant, Graeme Merrall, Torben Wilson, Brett Michlitsch).
This material may be distributed only subject to the terms and conditions set forth
in the Open Publication License, v1.0 or later (the latest version is presently available at
http://www.opencontent.org/openpub/).
The authors of this book have elected not to choose any options under the OPL. This online book was obtained
from http://www.fooassociates.com/phpfer/
and is designed to provide information about the PHP programming language, focusing on PHP version 4.0.4
for the most part. The information is provided on an as-is basis, and no warranty or fitness is implied. All
persons and entities shall have neither liability nor responsibility to any person or entity with respect to
any loss or damage arising from the information contained in this book.