5

I've been going through the code of a WordPress plugin and found the following:

eval( '?>' . $foo . '<?php ' );

I'm curious if there is some specific situation I'm unaware of that this would be the right way to output the $foo variable. Is this just a case of the plugin author being wacky or is there something I should know? I would have just used echo...

UPDATE:

Thanks for all the great feedback. I'm face palming now that I didn't think of the template scenario. Specifically, this happens in the WP Super Cache plugin. I guess I'll have to have a closer look to see if it's necessary. I thought Super Cache cached the HTML output by WordPress after all the PHP had already been processed...

hakre
Endophage

3 Answers

6

In this instance, $foo is a string that (presumably) can contain in-lined PHP code. As such, to execute this PHP code, the string needs to be eval'ed.

That said, the use of eval is generally frowned upon, apart from in a very narrow set of circumstances, as it can lead to the execution of malicious code. (i.e.: If there's any possibility that $foo is a user-provided string, then use of eval could lead to disastrous consequences.)

See the existing When is eval evil in php? question/answers for more information.

John Parker
  • But it wouldn't be PHP code, would it? Because you're also `eval` ing those close and open tags. `$foo` would have to contain HTML or something, right? (But in a string, obviously.) – sdleihssirhc Mar 31 '11 at 20:57
  • @sdleihssirhc: Bingo. This is frequently used to execute template code that is either mostly PHP or is PHP that needs some variety of string-level manipulation to work. – Charles Mar 31 '11 at 21:00
  • @sdleihssirhc Adding the start and end tags is necessary unless the string is *just* PHP code, as opposed to a string that contains embedded PHP tags. – John Parker Mar 31 '11 at 21:00
  • @webarto It's rarely, if ever *good*, but sometimes a more pleasant alternative to writing your own parser. That said, it should *only* ever be used in strictly controlled circumstances. – John Parker Mar 31 '11 at 21:20
  • @middaparka, I haven't hit downvote... I use eval for parsing code from database (which I enter manually)... but using eval like the plugin author did is, I personally think, a hack... Not quite sure what he was trying to do, but I am 99% sure it could be done without eval. Cheers. – Dejan Marjanović Mar 31 '11 at 21:33
2

That's not outputting the variable. $foo most likely contains a template, with other <?=$code();?> snippets embedded.

The closing and opening PHP markers are used in this eval to switch from inline code back to HTML mode. This eval() more or less amounts to:

include("data:,$foo");  // treat the $foo string as if it were an included script
mario
  • It just happens that the `include` method requires `allow_url_include` be enabled, whereas the eval method does not. Depressing... – Charles Mar 31 '11 at 21:02
  • Yep. The other workaround would be to save it into a temporary file. (But I would consider *that* even worse-worse.) – mario Mar 31 '11 at 21:04
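A worked example, added here and not taken from the question, the WP Super Cache plugin, or either answer above. The first function does exactly what both answers describe: the leading '?>' drops eval's parser into HTML mode, so the markup in the string is emitted as-is and only its embedded <?php ... ?> islands run. The second function is the alternative for the usual case where the markup is developer-authored but the data is not: placeholder substitution with escaping, and nothing is ever parsed as code. Function names and the sample template and data are my own.

```php
<?php
// Added example, not code from the question, the WP Super Cache plugin, or
// either answer. Function names and the sample template/data are mine.
declare(strict_types=1);

/**
 * Render a *trusted* template string the way eval('?>' . $foo . '<?php ') does.
 * The leading '?>' puts eval's parser into HTML mode, so literal markup in
 * $template is output unchanged and only its <?php ... ?> islands execute.
 * The trailing '<?php ' reopens code mode so the eval'd string ends cleanly
 * even when the template ends in markup. $vars becomes the template's scope.
 */
function render_trusted_template(string $template, array $vars): string
{
    extract($vars, EXTR_SKIP);          // EXTR_SKIP: never clobber $template/$vars
    ob_start();
    eval('?>' . $template . '<?php ');
    return (string) ob_get_clean();
}

/**
 * Alternative for the common case where the markup is developer-authored but
 * the data is untrusted: named placeholders replaced with HTML-escaped values.
 * Nothing here is parsed as code, so a value can never turn into PHP.
 */
function render_placeholders(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['{{' . $name . '}}'] =
            htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return strtr($template, $map);
}

// Constructed sample input: a developer-authored template (trusted) and a
// value standing in for untrusted request data.
$template  = '<h1><?php echo htmlspecialchars($title, ENT_QUOTES, "UTF-8"); ?></h1>' . "\n";
$untrusted = ['title' => '<script>alert(1)</script>'];

echo render_trusted_template($template, $untrusted);
echo render_placeholders('<h1>{{title}}</h1>' . "\n", $untrusted);

// The only safe position for untrusted input is $vars. If the *template*
// argument can be influenced by a user, eval executes whatever <?php ... ?>
// that user put in it; that is the "disastrous consequences" case above.
```

Both calls emit the heading with the script tags escaped, because in each case the untrusted value is data, not template. mario's include("data:,$foo") form does the same job as the eval, but as Charles points out it needs allow_url_include enabled, which has been deprecated since PHP 7.4, so the eval form is what you will actually meet in plugins.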
-1

Let me repeat it again: c.r.a.p

If eval() is the answer, you're almost certainly asking the wrong question.

Rasmus Lerdorf

Dejan Marjanović