[RESOLVED] eval()

  • righteous_trespasser

Post 3+ Months Ago

I have a bit of an issue with the "eval()" function ... I want to set a variable equal to an eval'd PHP page ... my code looks like this:

index.php
PHP Code:
<?php
  $replace = array("<?php","?>");
  $_GET["action"] = "create";
  $content = eval(str_replace($replace,"",file_get_contents("{$_GET["action"]}.php")));
  //some other code
  echo $content;
?>

create.php
PHP Code:
<?php
  if($_GET["action"] == "update"){
    $id = Data_Helper::get_id($_GET["url"]);
    $temp = "\$object = new " . ucfirst($_GET["table"]) . "({$id});";
    eval($temp);
  }
  $form = new Form($_GET["table"],$_GET["action"],$object);
  echo $form->form;
?>

Now my issue is this, on the line where the eval is run $content = eval(str_replace($replace,"",file_get_contents("{$_GET["action"]}.php")));, it is also echoed/printed, but I don't want it to echo/print there, I only want to echo it later. What is wrong here?
  • casablanca

Post 3+ Months Ago

First, a word of caution: eval is evil, don't ever use it unless absolutely necessary. Do you have a good reason for using eval?

Now, for the answer: eval is doing what it's supposed to do. If your code contains an echo, it will be echoed. According to the PHP manual, eval will only return NULL unless there is a 'return' statement in the evaluated code. There is one way around, though, and that's output buffering. Something like this:
PHP Code:
ob_start();
eval(...);
$content = ob_get_contents();
ob_end_clean();
  • righteous_trespasser

Post 3+ Months Ago

Oh okay cool, that makes sense ... Why do you say eval is evil?
  • SpooF

Post 3+ Months Ago

Code:
eval("Insert malicious code here");


Also if you replace the 'a' with an 'i' you get evil ;)
  • joebert

Post 3+ Months Ago

I don't understand why you're using this instead of include or require. :scratchhead:
  • casablanca

Post 3+ Months Ago

Exactly what SpooF and joebert said. eval's evilness is comparable to goto in traditional languages - it's very easy to misuse but there's almost always another way to get things done.

The only place where you must use eval is when you need to execute user input as code. In your case, since you already seem to have a PHP file with you, you could as well include it. I guess you were trying to get the output into a variable as in your first post, but since eval doesn't help you out anyway, you could just as well include() it.
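
The include-plus-output-buffering approach suggested in the replies above, as an added example that is not code from any poster in this thread. The `render_page()` helper, the page directory and the list of allowed page names are assumptions; the name check is there because the original code builds a file name from `$_GET["action"]`.

```php
<?php
// Added example, not code from the thread. render_page(), the directory
// layout and the page names are assumptions made for illustration.

// Run an allowlisted page script and return what it printed as a string.
// The script is included in this function's scope, so it sees superglobals
// such as $_GET but not the caller's local variables.
function render_page(string $action, string $pageDir, array $allowed): string
{
    // Strict comparison against fixed names: the request value reaches the
    // filesystem only if it is exactly one of them.
    if (!in_array($action, $allowed, true)) {
        throw new InvalidArgumentException('Unknown action');
    }
    $path = $pageDir . DIRECTORY_SEPARATOR . $action . '.php';
    if (!is_file($path)) {
        throw new RuntimeException('Page script missing');
    }
    $level = ob_get_level();
    ob_start();                       // capture every echo from the page
    try {
        include $path;
        return (string) ob_get_clean();
    } catch (Throwable $e) {
        while (ob_get_level() > $level) {
            ob_end_clean();           // drop partial output on failure
        }
        throw $e;
    }
}

// Constructed demo: a stand-in create.php written to a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'create.php', '<?php echo "<form>create form</form>";');

$allowed = ['create', 'update'];
$content = render_page('create', $dir, $allowed);   // nothing is printed here
// ... some other code ...
echo $content, PHP_EOL;                             // printed only now
try {
    render_page('delete', $dir, $allowed);          // not on the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($dir . DIRECTORY_SEPARATOR . 'create.php');
rmdir($dir);
```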
  • righteous_trespasser

Post 3+ Months Ago

Okay cool, thanks for all the input. Resolved.


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.