Best approach to fields that need to contain and run PHP code?

[Panduola]

Hi,

I am curious to hear the thoughts of the SitePoint community about the use of the eval() function in dynamic content management systems? Or are there other approaches to allow content inside of a content management system be rendered as PHP? What, in your opinion, is the most secure way to handle this?

[wheeler]

what kinds of content are you referring to?

Say for example if you had loop data, you could use bbcode or have your own simple templating like:

{show_item_table}

then do a string replace.

Using eval would be the last (if at all) option in a production environment.

[Panduola]

I am really referring to any type of dynamically generated PHP content. For example, querying the database and displaying the results via a while() or foreach() loop, if{} constructs, etc. Right now, in order to ensure that this type of code can be executed, I run the main body of each page in my content management system through the eval method. I realize that this is extremely insecure and am looking for alternatives.

[AnthonySterling]

Have you looked into how other frameworks, templating engines or CMSs do this?

[romance]

I'd just go a step further and implement an existing templating engine such as http://phptal.org into my code rather than try and re-invent the wheel.

There's nothing worse than having to learn new syntax just to achieve a simple goal of looping an object.

[PCSpectra]

Drupal and other CMS often allow execution of arbitrary PHP. The short answer is, there is no safe way to execute arbitrary PHP code except to limit the users allowed to update the said PHP code.

The long answer is, you could tokenize and parse your source code and check and trigger errors when something fishy is being done (file acceess, etc).

Cheers,
Alex