Don't use EVAL in your prodution applications

no-use-eval-php.md

Don't use EVAL in PHP production application.

Source

Why eval() is not able to return the method results?

Simply because you don't return anything in your eval part.

Docs:

eval() returns NULL unless return is called in the evaluated code, in which case the value passed to return is returned.

---

How can I solve this issue?

You can assign variable ($merge in given example) in eval. For example:

eval('$merge =' . $error['custom'] . ';');

or return value in eval. E.g:

$merge = eval('return '.$error['custom'].';');

---

Note: Don't use eval in real-world applications.

Warning from docs:

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

---

If eval() is dangerous is there another way to read a string as code in a safe way?

Yes, there is (actually, are):

1. PHP is very dynamic language. It has ability to do following stuff with strings:

   • Define and/or get variable (supported from PHP 4.3). For example:

     $variableName = 'MyVariable';
     // Create new variable with the name defined in variable $variableName
     ${$variableName} = 'MyValue';
     //Outputs: string(7) "MyValue"
     var_dump($MyVariable);
     //Outputs: string(7) "MyValue"
     var_dump(${'MyVariable'});
     

     Demo

   • Call function (supported from PHP 4.3). For example:

     // Create function with the name defined in variable $functionName
     function MyFunction($argument) {
         return 'Argument passed is: '.$argument;
     }
     
     $functionName = 'MyFunction';
     
     // Outputs:
     // string(48) "Argument passed is: Calling MyFunction directly."
     var_dump(MyFunction('Calling MyFunction directly.'));
     // Outputs:
     // string(51) "Argument passed is: Calling MyFunction with string."
     var_dump($functionName('Calling MyFunction with string.'));
     

     Demo

   • Create instance of class (supported from PHP 5.0). For example:

     class MyClass {
         public function __construct() {
             echo 'Constructing MyClass'."\n";
         }
     }
     
     $className = 'MyClass';
     
     $objFromString = new $className();
     // Outputs: object(MyClass)#1 (0) {}
     var_dump($objFromString);
     

     Demo

   • Call static method (supported from PHP 5.0). For example:

     class MyClass {
         public static function staticMethod() {
             return 'MyClass::staticMethod called';
         }
     }
     
     $staticMethodName = 'staticMethod';
     // Outputs: string(28) "MyClass::staticMethod called"
     var_dump(MyClass::$staticMethodName());
     

     Demo

     And from PHP 5.3 class name can also be defined by string. Example:

     class MyClass {
         public static function staticMethod() {
         return 'MyClass::staticMethod called';
         }
     }
     
     $className = 'MyClass';
     $staticMethodName = 'staticMethod';
     
     var_dump($className::$staticMethodName());
     var_dump($className::staticMethod());
     

     Demo

   • Call instance method of object (supported from PHP 5.0). For example:

     class MyClass {
         public function instanceMethod() {
             return 'MyClass::instanceMethod called';
         }
     }
     
     $methodName = 'instanceMethod';
     
     $obj = new MyClass();
     // Outputs: string(30) "MyClass::instanceMethod called"
     var_dump($obj->$methodName());
     

     Demo

   • Access static and instance properties of object (supported from PHP 5.0). For example:

     class MyClass {
         public static $myStaticProperty;
         public $myInstanceProperty;
     }
     
     $staticPropertyName = 'myStaticProperty';
     $instancePropertyName = 'myInstanceProperty';
     
     MyClass::${$staticPropertyName} = 'my static value';
     $obj = new MyClass();
     $obj->{$instancePropertyName} = 'my instance value';
     
     var_dump(MyClass::${$staticPropertyName});
     var_dump($obj->{$instancePropertyName});
     

     Demo

2. PHP has two functions: call_user_func and call_user_func_array for dynamic function/method calls. Both are perfectly documented so I won't go in details here.

3. Even if everything above is not enough PHP 5 comes with great Reflection API. Unfortunately, documentation has few examples but reflection is quite large topic to cover here. Basically, It's not a big deal to use reflection after reading how it works.

Share

Share a link to this answer (Includes your user id)

Copy linkCC BY-SA 3.0

Edit

Follow

Follow this answer to receive notifications

edited Jul 17, 2013 at 11:32

answered Jul 16, 2013 at 9:02

[

](/users/1283847/leri)

LeriLeri

12.1k55 gold badges4040 silver badges5959 bronze badges

3

• If eval() is dangerous is there another way to read a string as code in a safe way? This is for a private API system so I am not worried. But in the future I may need it

  – user2426701

  Jul 16, 2013 at 9:06

• @DiegoPucci I have updated my answer with alternatives. Also it does not matter if it's private or not. According to Murphy's lay: Anything that can go wrong, will go wrong.

  – Leri

  Jul 16, 2013 at 9:14

• 1

  @DiegoPucci I've edited answer. I think you'd be interested in rereading one.

  – Leri

  Jul 17, 2013 at 10:06

Add a comment  |