  1. #1 SitePoint Zealot (Boston, MA)

    The "evil eval()" -- What's the Alternative?

    I was reading a Blog entry from the PHP blog here on Sitepoint which, ironically or completely commonly, linked to yet another Blog about "sins of PHP". In this article, eval() was mentioned twice if not more. What exactly is so evil about eval()? Moreover, if there's a better alternative, I'd love to hear it!

    Let's examine an example, shall we?

    I have a program that uses templates stored in the database (for easy user customization and because I dislike flat files). Let's pretend one of these templates says simply:
    PHP Code:
    <strong>$var</strong>
    Simple stuff. Okay then, at some point in my code, after "$var" was defined as something, let's say "Welcome!", I would eval the code and echo the result. I can see everyone starting to type the "solution", so let me do it for you:
    PHP Code:
    $template = mysql_ ...; // Grab the template from the DB, obviously.
    $var = "Welcome!"; // Assign the variable.
    echo $template; // Echo it, with the variable assigned, it will output properly!
    Well yeehaw! That's all well and good, right? Okay, well how about if I'm not using procedural PHP? How about if I am using classes and those variables never see the "light of day" so to speak? Furthermore, what if I'm using a template that depends on the number of results retrieved to determine how many times it's used? How about:
    PHP Code:
    <tr><td>$cell1</td><td>$cell2</td></tr>
    If I'm basing that off of how many records there are in a database, a value that could very easily be more than 1, 2, 3, etc., then every time I assign $cell1 and $cell2 a value, it overrides the last one! So, I would end up with a single table row with the last result's values in there. Therefore, I must iterate through each row, assign the $cell1 and $cell2 values, then evaluate the template and add it to another variable like $tablecells.

    Aside from this, what happens when you have nested templates, all with variables? I can't just echo them in any order I feel like, they need to be in a predefined order, template 1 uses variable 1, variable 1 uses template 2 and variable 2, variable 2 uses template 3...

    So, my question remains, what is the alternative to eval()? Besides, why is it so darn "evil"? Is it because somebody could evaluate malicious code? Yeah, maybe if your code is full of holes and I could happily pass along PHP code in a form and make it erase the database or something, but that's not an eval() issue, that's a script issue.

    I could probably go on, but I'm going to stop and hope this makes sense as it is.

  2. #2 Daijoubu (SitePoint Evangelist, Canada QC)
    It's evil because:
    #1: It's slow
    #2: It's cheating, bad practice :P

    You could use functions to store HTML; there's overhead, but it's much smaller than calling eval.
    Take a look at SmartTemplate
    That's what IPB do

  3. #3 SitePoint Zealot
    here's the error message:

    fsockopen(): php_network_getaddresses: getaddrinfo failed: No address associated with hostname in /home/classroot/utils/spider.class on line 77

    line 77 is:
    PHP Code:
                    if( !$fp = @fsockopen( $host, 80, $errno, $errstr, __SOCKET_TIMEOUT__ ) )

  4. #4 Daijoubu (SitePoint Evangelist, Canada QC)
    Wrong topic?

  5. #5 z0s0 (Melbourne)
    Well look at it this way; do your templates need the x thousand functions available in the PHP namespace available to them? Or is all you really need some variable substitution and perhaps simple control structures?

    I presume the reason you're storing your templates in a database to begin with is that you want to grant access to a 3rd party to modify them.

    Whether eval() is "evil" depends on whether you can completely trust that 3rd party. Would you happily hand them the keys to your webserver? If not, then you cannot trust them with those templates, either.

    The benefit of _not_ using eval to parse your templates is that you can restrict the operations available to template authors any way you choose. Most obviously this means granting them only string juggling abilities, and not the ability to trash your web site/server!

    As an aside, I've been building complex web applications in PHP for > 5 years now, and I have never - not even once - needed to use the eval() function. I don't think it's coincidence.
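As an added example (not code from the thread or from any of the posters), here is the substitution-only alternative z0s0 describes in #5, beside the eval() approach from #1, covering the three cases the first post raises: a single variable, a row template applied once per record, and a nested template. The {$name} placeholder syntax, the Html wrapper and the function names are assumptions of this example; the thread's templates use bare $var. The sample templates and records are constructed inline in place of rows from the database.

```php
<?php
declare(strict_types=1);

// A value that is already rendered HTML and must not be escaped again
// (used when the output of an inner template is fed to an outer one).
final class Html
{
    public string $markup;
    public function __construct(string $markup) { $this->markup = $markup; }
}

// The eval() approach under discussion: the DB-stored template is spliced
// into a double-quoted PHP string and evaluated. No <?php tag is needed for
// a template author to run code, so stripping tags beforehand does not help.
function render_with_eval(string $template, array $vars): string
{
    extract($vars, EXTR_SKIP);               // make $var, $cell1, ... visible
    $out = '';
    eval('$out = "' . $template . '";');
    return $out;
}

// The alternative: template authors get string substitution and nothing else.
// Placeholders look like {$name}; values are HTML-escaped unless wrapped in
// Html; unknown names render as empty strings instead of reaching PHP scope.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
        static function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return '';
            }
            $v = $vars[$m[1]];
            return $v instanceof Html
                ? $v->markup
                : htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// The repeated-row case from #1: apply the row template once per record and
// concatenate, so nothing is overwritten and nothing is eval'd per row.
function render_rows(string $rowTemplate, array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= render($rowTemplate, $row);
    }
    return $html;
}

// Constructed sample data standing in for templates and records from the DB.
$pageTpl = '<strong>{$title}</strong><table>{$rows}</table>';
$rowTpl  = '<tr><td>{$cell1}</td><td>{$cell2}</td></tr>';
$records = [
    ['cell1' => 'alice', 'cell2' => 'admin'],
    ['cell1' => 'bob <script>alert(1)</script>', 'cell2' => 'user'],
];

// The single-variable case, both ways.
echo render_with_eval('<strong>$var</strong>', ['var' => 'Welcome!']), "\n";
echo render('<strong>{$var}</strong>', ['var' => 'Welcome!']), "\n";

// Nested templates: render the inner template first, then pass its output
// (marked as Html) to the outer one. The outer template sees only its names.
$table = new Html(render_rows($rowTpl, $records));
echo render($pageTpl, ['title' => 'Welcome!', 'rows' => $table]), "\n";

// What eval() hands a template author: a template that closes the string and
// keeps going. This one only sets a flag; it could call any PHP function.
$hostile = 'Hello $var"; $GLOBALS[\'template_ran_code\'] = true; $out = "';
render_with_eval($hostile, ['var' => 'Welcome!']);
var_dump(isset($GLOBALS['template_ran_code']));   // did the template run code?

// The same template through render(): there is no {$...} placeholder, so
// nothing is substituted and nothing runs; the text is emitted as markup.
echo render($hostile, ['var' => 'Welcome!']), "\n";
```

Note what the substitution engine does and does not protect: values are escaped, so a record containing <script> is rendered as text, but the template itself is trusted markup, so an author who can edit templates can still change what the page looks like. That is the "string juggling only" trade-off z0s0 describes: a hostile template author can deface the site, not run code on the server.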

  6. #6 SitePoint Zealot (Boston, MA)
    Quote Originally Posted by z0s0
    Well look at it this way; do your templates need the x thousand functions available in the PHP namespace available to them? Or is all you really need some variable substitution and perhaps simple control structures?
    ...
    The latter.

    Quote Originally Posted by z0s0
    ...
    Whether eval() is "evil" depends on whether you can completely trust that 3rd party. Would you happily hand them the keys to your webserver? If not, then you cannot trust them with those templates, either.
    ...
    Well, in this case, it's that user's webserver that would be in danger, depending on who they decide to allow editing capabilities. Besides that, all php tags are stripped prior to evaluation, so I guess if someone had access to the database and the source code they could make that work, but if you have access to the source code what need do you have for putting malicious code in a template in the first place? Just type it in the code.

    Quote Originally Posted by z0s0
    As an aside, I've been building complex web applications in PHP for > 5 years now, and I have never - not even once - needed to use the eval() function. I don't think it's coincidence.
    What would you suggest for dynamic variable replacement that is more efficient / "better" than eval? That's all I'm looking for, really. I am in no way worried about security at this time.


    Edit: With all this eval() being bad business, I can't believe the largest seller of forum software (vBulletin) still uses it for their template evaluation.
    Edit2: And I've been doing PHP development for over 3 years and I'd never used eval before this project either.

  7. #7 dreamscape (SitePoint Wizard)
    Instead of eval(), can't you write the PHP code that is to be evaled to a temporary file, and include it so that it executes natively? You can use output buffering if you need to capture its output to a variable instead of directly outputting to the browser too.

    I believe this is how *most* template engines work... they "compile" the template to a native PHP file, and then include the PHP file so it executes natively, instead of running eval().
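An added example (not code from the thread, and not the code of any template engine mentioned in it) of the compile-and-include approach dreamscape describes: the template is turned into a native PHP file that only echoes string literals and escaped lookups, cached under a hash of its source, and included under output buffering. The {$name} placeholder syntax, the cache directory layout and the function names are assumptions of this example; the sample templates and records are constructed inline.

```php
<?php
declare(strict_types=1);

// Compile a template into native PHP. Literal text becomes an echo of a
// var_export()'d string literal, so it can never be parsed as code; each
// {$name} placeholder becomes an escaped lookup in $vars.
function compile_template(string $template): string
{
    $php   = "<?php /* compiled template; generated, do not edit */\n";
    $parts = preg_split(
        '/(\{\$[A-Za-z_][A-Za-z0-9_]*\})/',
        $template,
        -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY
    );
    foreach ($parts as $part) {
        if (preg_match('/^\{\$([A-Za-z_][A-Za-z0-9_]*)\}$/', $part, $m)) {
            // $m[1] matched [A-Za-z0-9_] only, so it is safe inside quotes.
            $php .= "echo htmlspecialchars((string)(\$vars['{$m[1]}'] ?? ''), ENT_QUOTES, 'UTF-8');\n";
        } else {
            $php .= 'echo ' . var_export($part, true) . ";\n";
        }
    }
    return $php;
}

// Render a template by including its compiled form. Compiled files are keyed
// by a hash of the template source, so an edited template is recompiled and
// an unchanged one costs a single include (opcode-cached, no eval()).
function render_compiled(string $template, array $vars, string $cacheDir): string
{
    $file = $cacheDir . '/tpl_' . hash('sha256', $template) . '.php';
    if (!is_file($file)) {
        // Write to a temp file and rename, so a concurrent request never
        // includes a half-written file.
        $tmp = tempnam($cacheDir, 'tpl_');
        file_put_contents($tmp, compile_template($template));
        rename($tmp, $file);
    }
    ob_start();
    try {
        include $file;        // the included code sees $vars from this scope
    } finally {
        $out = ob_get_clean();
    }
    return $out;
}

// Constructed sample data standing in for templates and rows from the DB.
$cacheDir = sys_get_temp_dir() . '/tpl_cache_example';
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true);
}
$rowTpl  = '<tr><td>{$cell1}</td><td>{$cell2}</td></tr>';
$records = [
    ['cell1' => 'alice', 'cell2' => 'admin'],
    ['cell1' => 'bob <b>x</b>', 'cell2' => 'user'],
];

// The repeated-row case: one include per record, output captured and joined.
$rows = '';
foreach ($records as $record) {
    $rows .= render_compiled($rowTpl, $record, $cacheDir);
}
echo $rows, "\n";

// What a template author who tries to break out of the string gets: their
// text is emitted as a quoted literal, and none of it is ever parsed as PHP.
echo compile_template('Hello {$var}"; phpinfo(); $out = "');
```

Two operational caveats that come with this design: the cache directory must be writable only by the application and must sit outside the web root, since the compiled files are executable PHP; and because the compiler, not the template author, decides what PHP is emitted, the security of the scheme rests entirely on compile_template() never copying template text into the output unquoted.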

  8. #8 timvw (SitePoint Addict, Belgium)
    There is no reason to say eval is evil.

    The real evil factor is the retarded users who use it for stuff that could be implemented in a more intelligent way. And even if it's the only way, there are people who fail to validate the input they use for a call to eval.

