Hi all,
I have been doing PHP stuff for almost one year and I have never used the function eval() though I know the usage of it.
But I found many questions about it in SO.So can someone show me a simple example in which it's necessary to use eval()?And is it a good or bad practice?
Using eval() is a bad practice, and if it turns out to be necessary to achieve something, that is usually the sign of a underlying design error.
I can't think of any situation where it is necessary to use eval(). (i.e. something can't be achieved using other language constructs, or by fixing a broken design.) Interested to see whether any genuine cases come up here where eval actually is necessary or the alternative would be horribly complex.
The only instance of where it could be necessary is for executing code coming from an external source (e.g. database records.) But this is a design error in itself IMO.
Well I have used eval once. This was for a system, where the users could enter formulas using constants fished from the underlying system.
A string like:
(N * (G - 2,7)) / E
was taken and the constants replaced with values from the system eval is then used to get a value. eval seemed like the easiest way to go. The statement was filtered to only allow operators and uppercase letters(no two next to each other) so perhaps this is not a "real" use case of eval, but it works and is pretty readable.
That said the system in questing is huge (200k+ lines) and this is the only place that eval is used.
eval() is necessary to implement a "compiling" template engine, like Smarty, that uses its own language and compiles it down to php on the fly. The main function of such engines is usually something like
function render_template($path) {
$code = file_get_contents($path);
$php = $this->compile_to_php($code);
eval($php);
}
Besides that, everytime you use "include" or "require", you're actually using "eval" under the hood - so, actually, eval is one of the mostly used php constructs.
A command line php shell is a great example. I guess you could fork the actual php code and write your shell extensions in C instead, but it seems much more sensible to do it in php. Since the person providing the code should already have full access to the system, there's no security issue at all. Once you get php compiled with readline, this sort of thing is actually really useful.
Drupal (optionally) uses eval to allow for ready extensibility. To accomplish this it takes user (generally administrator-only) input of code to be evaluated and stores it in the database. Drupal also has lots of people making sure that there are no security holes.