
how to run php code within string?

$a="my result=<?=2+2?>";
echo $a;

I want to get :my result=4;

how to write this script?
any comments are welcome...
thanks.

May 12 '06 #1
10 Replies


Rik
Ju Hui wrote:
$a="my result=<?=2+2?>";
echo $a;

I want to get :my result=4;

how to write this script?
any comments are welcome...


eval()

But only use it if strictly necessary; consider other options first.

Grtz,
--
Rik Wasmus
May 12 '06 #2


$a="my result=".(2+2);
echo $a;

May 12 '06 #3


$a="my result=".(2+2);
echo $a;

May 12 '06 #4

This might help you:

<?php
eval("\$myresult = 2+2;");
echo $myresult;
?>

And if you're really interested in learning PHP, you'll want to go to

http://www.php.net/manual

May 12 '06 #5

Thanks for all your replies.
But the answer isn't what I want.

I know the function eval(); it will execute the string passed to the function
as PHP script.

But my requirement is:

$a is a string; it will be retrieved from the db.
I want to insert some PHP script into $a, like {php}{/php} in Smarty
for PHP. The code within the special tag will be processed as PHP script,
like:
$b=1;
$a="result,<? if ($b==1) echo \"b=1\" ?>";
print $a;

I want to get result,b=1.

thanks .

May 12 '06 #6

Ju Hui wrote:
Thanks for all your replies.
But the answer isn't what I want.

I know the function eval(); it will execute the string passed to the function
as PHP script.

But my requirement is:

$a is a string; it will be retrieved from the db.
I want to insert some PHP script into $a, like {php}{/php} in Smarty
for PHP. The code within the special tag will be processed as PHP script,
like:
$b=1;
$a="result,<? if ($b==1) echo \"b=1\" ?>";
print $a;

I want to get result,b=1.

thanks .


Hi,

Just make sure you make the boundaries clear of the PHP code in the string
you store in the database.
eg:
$myStr = 'result,**PHP**if ($b==1) echo "b=1";**PHP** testing.';
Now if you retrieve that string from DB, you can get the parts you want to
execute using explode("**PHP**",$myStr) and a little coding.

Of course, be sure that the separator string (**PHP** in this example) cannot
be used elsewhere, or this will fail.

I must warn you, like others did, that you should try to avoid such design.

If the content of the executable PHP-code is coming from users, don't trust
it. It can contain anything, and you do NOT want to eval that. Beware.

A sidenote:
I have been coding PHP for years nonstop, and I only needed eval once.
I got so paranoid that I needed 2 days of additional coding and testing to
be sure it was safe.
My point: You probably do not need eval().

Regards,
Erwin Moller
May 12 '06 #7

Erwin Moller wrote:
Ju Hui wrote:
Thanks for all your replies.
But the answer isn't what I want.

I know the function eval(); it will execute the string passed to the function
as PHP script.

But my requirement is:

$a is a string; it will be retrieved from the db.
I want to insert some PHP script into $a, like {php}{/php} in Smarty
for PHP. The code within the special tag will be processed as PHP script,
like:
$b=1;
$a="result,<? if ($b==1) echo \"b=1\" ?>";
print $a;

I want to get result,b=1.

thanks .


Hi,

Just make sure you make the boundaries clear of the PHP code in the string
you store in the database.
eg:
$myStr = 'result,**PHP**if ($b==1) echo "b=1";**PHP** testing.';
Now if you retrieve that string from DB, you can get the parts you want to
execute using explode("**PHP**",$myStr) and a little coding.

Of course, be sure that the separator string (**PHP** in this example) cannot
be used elsewhere, or this will fail.

I must warn you, like others did, that you should try to avoid such design.

If the content of the executable PHP-code is coming from users, don't trust
it. It can contain anything, and you do NOT want to eval that. Beware.

A sidenote:
I have been coding PHP for years nonstop, and I only needed eval once.
I got so paranoid that I needed 2 days of additional coding and testing to
be sure it was safe.
My point: You probably do not need eval().


I just used eval for the first time yesterday....

<?php
foreach($scoring as $page=>$words){
    $evalstatemnet=array();
    foreach($parts as $word){
        $evalstatemnet[]='isset($words[\''.$word.'\'])';
    }
    // eval() only yields a value when given a complete statement that returns one
    if(!(eval('return '.join(' && ',$evalstatemnet).';'))){
        unset($scoring[$page]);
    }
}
?>

Part of a search function where $word would only ever be [a-z0-9_] -
Even then, I wasn't sure if I really wanted to use it... A few hours
later, it was replaced by something else (different algo). ;)

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
May 12 '06 #8

Justin Koivisto wrote:
Erwin Moller wrote:
Ju Hui wrote:
Thanks for all your replies.
But the answer isn't what I want.

I know the function eval(); it will execute the string passed to the function
as PHP script.

But my requirement is:

$a is a string; it will be retrieved from the db.
I want to insert some PHP script into $a, like {php}{/php} in Smarty
for PHP. The code within the special tag will be processed as PHP script,
like:
$b=1;
$a="result,<? if ($b==1) echo \"b=1\" ?>";
print $a;

I want to get result,b=1.

thanks .


Hi,

Just make sure you make the boundaries clear of the PHP code in the
string you store in the database.
eg:
$myStr = 'result,**PHP**if ($b==1) echo "b=1";**PHP** testing.';
Now if you retrieve that string from DB, you can get the parts you want
to execute using explode("**PHP**",$myStr) and a little coding.

Of course, be sure that the separator string (**PHP** in this example)
cannot be used elsewhere, or this will fail.

I must warn you, like others did, that you should try to avoid such
design.

If the content of the executable PHP-code is coming from users, don't
trust it. It can contain anything, and you do NOT want to eval that.
Beware.

A sidenote:
I have been coding PHP for years nonstop, and I only needed eval once.
I got so paranoid that I needed 2 days of additional coding and testing
to be sure it was safe.
My point: You probably do not need eval().


I just used eval for the first time yesterday....

<?php
foreach($scoring as $page=>$words){
    $evalstatemnet=array();
    foreach($parts as $word){
        $evalstatemnet[]='isset($words[\''.$word.'\'])';
    }
    // eval() only yields a value when given a complete statement that returns one
    if(!(eval('return '.join(' && ',$evalstatemnet).';'))){
        unset($scoring[$page]);
    }
}
?>

Part of a search function where $word would only ever be [a-z0-9_] -
Even then, I wasn't sure if I really wanted to use it... A few hours
later, it was replaced by something else (different algo). ;)


Hi Justin,

I do not see how that piece of code makes sure that no naughty commands are
executed.
It completely depends on what $scoring contains.
If you let me deliver that $scoring-array, I think I can delete the content
of your hard drive.
But maybe I miss something completely. :-/

Regards,
Erwin

May 12 '06 #9

Erwin:
I am using a system which uses a template design. All layout can be
modified from templates, and all the templates' HTML code is saved in a MySQL
db.
One template is named headerNavigation. It will show 'Login' or
'Logout'; I want to show Login if the user isn't logged in, and show
Logout if the user is logged in.
I want to judge whether the user is logged in or not by one session value. So I
want to insert PHP code in this template. Normal users can't change my
template.
You said:
execute using explode("**PHP**",$myStr) and a little coding.
I just want to know how to execute PHP code in a string variable which
contains 'if', 'else' and other PHP scripts.

I did a test like below:

<?php
$a="if (2>1) echo \"2>>>>1\";";
echo eval($a);
echo "\n";
?>

The result is: 2>>>>1

Maybe it's what I need.

Any vulnerability in it?

Thank you all.

May 12 '06 #10
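
An eval-free way to get the Login/Logout switch asked about above, and a stricter take on the marker idea from the earlier reply. This is an added example, not code from any poster; the `{if name}` tag syntax, `render_template()`, and the sample template and session values are assumptions.

```php
<?php
// Render a DB-stored template without eval() (added example).
// Hypothetical tag syntax: {if name}...{else}...{/if} and {name}.
function render_template(string $tpl, array $vars): string
{
    // Conditionals: choose a branch from a variable the application supplied.
    $tpl = preg_replace_callback(
        '/\{if ([a-z_]+)\}(.*?)(?:\{else\}(.*?))?\{\/if\}/s',
        function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return '';                  // unknown name: emit nothing
            }
            return $vars[$m[1]] ? $m[2] : ($m[3] ?? '');
        },
        $tpl
    );
    // Placeholders: values are HTML-escaped and never re-scanned for tags;
    // names the application did not supply are left as literal text.
    return preg_replace_callback(
        '/\{([a-z_]+)\}/',
        function (array $m) use ($vars): string {
            return array_key_exists($m[1], $vars)
                ? htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES, 'UTF-8')
                : $m[0];
        },
        $tpl
    );
}

// Constructed sample standing in for the headerNavigation row in MySQL.
$headerNavigation = '<a href="/">Home</a> | '
    . '{if logged_in}<a href="/logout.php">Logout {user}</a>'
    . '{else}<a href="/login.php">Login</a>{/if}';

// Constructed stand-in for $_SESSION; the template itself carries no PHP.
$session = ['user_id' => 7, 'user_name' => '<b>ju</b>'];
$vars = [
    'logged_in' => isset($session['user_id']),
    'user'      => $session['user_name'] ?? '',
];

echo render_template($headerNavigation, $vars), "\n";
echo render_template($headerNavigation, ['logged_in' => false, 'user' => '']), "\n";
```

Because the template can only name variables the application passes in, a modified database row can change the markup but cannot run PHP.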

Erwin Moller wrote:
Justin Koivisto wrote:
I just used eval for the first time yesterday....

<?php
foreach($scoring as $page=>$words){
    $evalstatemnet=array();
    foreach($parts as $word){
        $evalstatemnet[]='isset($words[\''.$word.'\'])';
    }
    // eval() only yields a value when given a complete statement that returns one
    if(!(eval('return '.join(' && ',$evalstatemnet).';'))){
        unset($scoring[$page]);
    }
}
?>

Part of a search function where $word would only ever be [a-z0-9_] -
Even then, I wasn't sure if I really wanted to use it... A few hours
later, it was replaced by something else (different algo). ;)


I do not see how that piece of code makes sure that no naughty commands are
executed.
It completely depends on what $scoring contains.
If you let me deliver that $scoring-array, I think I can delete the content
of your hard drive.
But maybe I miss something completely. :-/


See above.. the stuff that was used in the eval statement could only
contain letters a-z (lowercase only), digits 0-9, and the underscore.
Then they were single quoted, so the eval statement would look something
like:

isset($words['testing']) && isset($words['12_435']) &&
isset($words['id_17'])

The $scoring array had been constructed in the function, and if there were
found to be any characters other than those specified above, the function
would have returned FALSE long before it reached that loop.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
May 12 '06 #11
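
The same "every search word must be present" filter written without `eval()`, with the character allowlist from the post made explicit. This is an added example, not Justin's code; `valid_word()`, `filter_pages()` and the sample data are assumptions.

```php
<?php
// $scoring and $parts follow the shapes used in the thread:
// page => [word => score], and a list of search words.

function valid_word($word): bool
{
    // \A and \z anchor at the true start and end of the string; a bare $
    // would also accept "abc\n", letting a newline past the allowlist.
    return is_string($word) && preg_match('/\A[a-z0-9_]+\z/', $word) === 1;
}

function filter_pages(array $scoring, array $parts)
{
    foreach ($parts as $word) {
        if (!valid_word($word)) {
            return false;               // reject the whole query up front
        }
    }
    foreach ($scoring as $page => $words) {
        foreach ($parts as $word) {
            if (!isset($words[$word])) {    // plain array lookup, nothing is parsed
                unset($scoring[$page]);
                break;
            }
        }
    }
    return $scoring;
}

// Constructed sample data.
$scoring = [
    'a.html' => ['testing' => 3, 'id_17' => 1],
    'b.html' => ['testing' => 2],
];

var_dump(array_keys(filter_pages($scoring, ['testing', 'id_17'])));
var_dump(filter_pages($scoring, ['testing', "it's"]));
var_dump(valid_word("abc\n"));
```

With the lookup done by `isset()` directly, the allowlist becomes defence in depth rather than the only thing standing between a search word and the PHP parser.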
