The `eval` function is used to execute the passed string as PHP code.
PHP is an interpreted language, which means in particular that its code is evaluated by an interpreter, a special type of program that reads the code you write and evaluates it directly from the string in real time. Other languages (such as C) must be compiled into machine code before they can be run.
Because PHP is interpreted, there is a way to change exactly what will be evaluated at runtime and even compile the code dynamically, which is exactly what `eval()` is good for.
Only use the `eval` function when you know exactly what you are doing! This means, in particular, that you have checked all user input and no security breaches can occur. If a user manages to sneak their own string into the `eval` function, it will be evaluated as real code and can, for example, delete the entire site, steal the database or gain control of the entire server.
There are not many good examples of where `eval` can be used, because in practice there is almost always a better way to solve the problem.
For example, it can be used when evaluating expressions:
```php
// User query
$query = '5 + 3 * 2';
// Process the expression as regular PHP code
eval('$result = @(' . $query . ');');
// Extract a variable with the solution to the expression
echo $result; // prints 11
```
For details, see Calculator in PHP: Processing a mathematical expression as a string.
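An eval-free way to evaluate the same kind of expression, as an added example that is not code from the original article: a small parser that accepts only numbers, `+ - * /` and parentheses, so anything else in the user's string is rejected instead of executed. The function names are hypothetical and the code assumes PHP 8 or later.

```php
<?php
// Added example (PHP 8+); safeCalc(), parseExpr() and parseAtom() are hypothetical names.
function safeCalc(string $expr): float
{
    if (strlen($expr) > 200) throw new InvalidArgumentException('Too long'); // bounds recursion depth
    // Tokenize; if the tokens do not reassemble into the input, it held something else.
    preg_match_all('~\d+(?:\.\d+)?|[-+*/()]|\s+~', $expr, $m);
    if (implode('', $m[0]) !== $expr) throw new InvalidArgumentException('Unsupported characters');
    $tokens = array_values(array_filter($m[0], fn(string $t): bool => trim($t) !== ''));
    $pos = 0;
    $value = parseExpr($tokens, $pos);
    if ($pos !== count($tokens)) throw new InvalidArgumentException('Unexpected token');
    return $value;
}

// Precedence climbing: * and / bind tighter than + and -, all left-associative.
function parseExpr(array $t, int &$i, int $minPrec = 1): float
{
    static $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $v = parseAtom($t, $i);
    while (isset($t[$i], $prec[$t[$i]]) && $prec[$t[$i]] >= $minPrec) {
        $op = $t[$i++];
        $r = parseExpr($t, $i, $prec[$op] + 1);
        if ($op === '/' && $r === 0.0) throw new InvalidArgumentException('Division by zero');
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}

// atom := number | '-' atom | '(' expr ')'
function parseAtom(array $t, int &$i): float
{
    $tok = $t[$i++] ?? '';
    if ($tok === '-') return -parseAtom($t, $i);
    if ($tok === '(') {
        $v = parseExpr($t, $i);
        if (($t[$i++] ?? '') !== ')') throw new InvalidArgumentException('Missing )');
        return $v;
    }
    if (is_numeric($tok)) return (float) $tok;
    throw new InvalidArgumentException('Expected a number');
}

foreach (['5 + 3 * 2', '1); phpinfo(); (1'] as $query) {   // constructed inputs
    try {
        echo $query, ' = ', safeCalc($query), "\n";
    } catch (InvalidArgumentException $e) {
        echo $query, ' rejected: ', $e->getMessage(), "\n";
    }
}
```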
Sometimes `eval` is used to evaluate generated code, typically compiled templates.
However, as mentioned, each case can be handled differently and better. In this case it makes more sense to save the serialized template in a separate PHP file and load it via `require` or `include`. In addition to giving you full control over the content of the template, the file remains physically on disk, which improves application performance because it can be cached.
Jan Barášek
The author of this article works as a senior developer and software architect in Prague. He designs and maintains large web applications that you know and use. He has gained extensive experience since 2009, which he passes on through this website.