views: 245
answers: 6

Hi all,

I have been doing PHP stuff for almost one year and I have never used the function eval(), though I know the usage of it. But I found many questions about it on SO. So can someone show me a simple example in which it's necessary to use eval()? And is it a good or bad practice?

+4  A: 

Using eval() is a bad practice, and if it turns out to be necessary to achieve something, that is usually the sign of an underlying design error.

I can't think of any situation where it is necessary to use eval(). (i.e. something can't be achieved using other language constructs, or by fixing a broken design.) Interested to see whether any genuine cases come up here where eval actually is necessary or the alternative would be horribly complex.

The only instance of where it could be necessary is for executing code coming from an external source (e.g. database records.) But this is a design error in itself IMO.

Pekka
Expression parsing, for one. Although rare, I've had to do this some times. Of course, these were complex, full expressions, not routine math with at most round-bracket support. That said, the usual precautions on eval always apply: they're slow (fixed with caching results), possibly unnecessary (not in my case) and a security issue (the relevant code is, however, run by the sysadmins themselves, thus not an issue).
Christian Sciberras
+1  A: 

Bad application design is always such an example.

Col. Shrapnel
+2  A: 

Well, I have used eval once. This was for a system where the users could enter formulas using constants fished from the underlying system.

A string like:

(N * (G - 2,7)) / E

was taken and the constants replaced with values from the system; eval is then used to get a value. eval seemed like the easiest way to go. The statement was filtered to only allow operators and uppercase letters (no two next to each other), so perhaps this is not a "real" use case of eval, but it works and is pretty readable.

That said, the system in question is huge (200k+ lines) and this is the only place that eval is used.

leChuck
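Added example, my code rather than anything from the two answers it relates to: the formula case leChuck describes (single uppercase-letter constants, operators and parentheses, filtered before evaluation) and the expression parsing Christian Sciberras mentions under Pekka's answer can both be served without eval() by a whitelist check, a strict tokeniser and a small recursive-descent evaluator. The point from the security side is that input outside the grammar is rejected as data instead of being executed as code, whereas with eval() the filter is the only thing standing between the user and the interpreter. Assumptions (mine, not the answers'): PHP 7.4 or later, constants resolved from an associative array, the decimal separator already normalised to a dot (the answer's "2,7" would need that first), and only + - * /, parentheses and unary minus allowed.

```php
<?php
// Added example, not code from the answers: evaluate a formula such as
// "(N * (G - 2.7)) / E" without eval(). Assumptions: PHP 7.4+, single
// uppercase-letter constants, dot as decimal separator, operators + - * /,
// parentheses and unary minus only.
declare(strict_types=1);

final class FormulaEvaluator
{
    /** @var string[] */
    private array $tokens = [];
    private int $pos = 0;
    /** @var array<string, float|int> the constants "fished from the system" */
    private array $constants;

    public function __construct(array $constants)
    {
        $this->constants = $constants;
    }

    public function evaluate(string $formula): float
    {
        // 1. Whitelist: anything outside the grammar's alphabet is rejected up front.
        if (!preg_match('/^[A-Z0-9.+\-*\/()\s]+$/', $formula)) {
            throw new InvalidArgumentException('formula contains forbidden characters');
        }
        // 2. Tokenise into numbers, constants and operators, and make sure the
        //    tokeniser dropped nothing (e.g. the stray dots in "1..2").
        preg_match_all('/\d+(?:\.\d+)?|[A-Z]|[-+*\/()]/', $formula, $m);
        $this->tokens = $m[0];
        $this->pos = 0;
        if (implode('', $this->tokens) !== preg_replace('/\s+/', '', $formula)) {
            throw new InvalidArgumentException('malformed formula');
        }
        // 3. Parse and compute against an explicit grammar; "NG" (two letters in
        //    a row) or a trailing operator ends up here as an unexpected token.
        $value = $this->parseExpr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected token ' . $this->tokens[$this->pos]);
        }
        return $value;
    }

    // expr := term (('+' | '-') term)*
    private function parseExpr(): float
    {
        $v = $this->parseTerm();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $v = $op === '+' ? $v + $rhs : $v - $rhs;
        }
        return $v;
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $v = $this->parseFactor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) {
                throw new DomainException('division by zero');
            }
            $v = $op === '*' ? $v * $rhs : $v / $rhs;
        }
        return $v;
    }

    // factor := number | CONSTANT | '(' expr ')' | '-' factor
    private function parseFactor(): float
    {
        $t = $this->peek();
        if ($t === null) {
            throw new InvalidArgumentException('unexpected end of formula');
        }
        $this->pos++;
        if ($t === '(') {
            $v = $this->parseExpr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('missing )');
            }
            $this->pos++;
            return $v;
        }
        if ($t === '-') {
            return -$this->parseFactor();
        }
        if (ctype_upper($t)) {
            if (!array_key_exists($t, $this->constants)) {
                throw new InvalidArgumentException("unknown constant $t");
            }
            return (float) $this->constants[$t];
        }
        if (is_numeric($t)) {
            return (float) $t;
        }
        throw new InvalidArgumentException("unexpected token $t");
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }
}

// Constructed sample values standing in for the system's constants.
$calc = new FormulaEvaluator(['N' => 10, 'G' => 5.7, 'E' => 3]);
printf("%s\n", $calc->evaluate('(N * (G - 2.7)) / E'));

// Injection attempts and malformed input never reach anything that executes code.
foreach (['N; system("id")', 'NG + 1', '(N + 1', '1..2'] as $bad) {
    try {
        $calc->evaluate($bad);
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", $bad, $e->getMessage());
    }
}
```

The "no two letters next to each other" rule from the answer falls out of the grammar for free: a second identifier where an operator is expected is an unexpected token. Whether this is worth it over a filtered eval() depends on who can submit formulas; the evaluator is about 60 lines and needs no filter to be audited.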
+4  A: 

eval() is necessary to implement a "compiling" template engine, like Smarty, that uses its own language and compiles it down to PHP on the fly. The main function of such engines is usually something like

 function render_template($path) {
     // read the template source, translate it to PHP, then execute the result
     $code = file_get_contents($path);
     $php = $this->compile_to_php($code);
     eval($php);
 }

Besides that, every time you use "include" or "require", you're actually using "eval" under the hood, so, actually, eval is one of the most used PHP constructs.

stereofrog
But it seems to be bad practice if used in our own code, isn't it? :)
SpawnCxy
Well, I think 99% of people talking about "bad practices" are not able to explain the reasons. They just repeat nonsense they've heard from others.
stereofrog
Still it's not "necessary", there are other ways to implement it if you want. And to turn "bad practice" into a circular argument: If 99% of the people can't explain the reasons isn't it a safe bet that almost the same amount of people can't decide when (and how) it's safe to use eval() and should stay away from it?
VolkerK
+1 for '"bad practices" are not able to explain the reasons. They just repeat nonsense they've heard from others.'.
Jacco
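As an added example of what compile_to_php plus eval() looks like in a compiling engine, and of the include variant the answer's last paragraph alludes to. This is my code, not Smarty's and not the answer's, and the template syntax is assumed: {{ name }} prints an HTML-escaped variable and {% if name %} ... {% endif %} is the only control structure. What decides whether this use of eval() is safe is what goes into the compiler: the template text, written by the developer, becomes code; the variables supplied at render time are only ever data and are escaped on output. Requires PHP 7.4 or later.

```php
<?php
// Added example (mine, not Smarty's): a minimal compiling template engine.
// Assumed template syntax: {{ name }} prints an HTML-escaped variable,
// {% if name %} ... {% endif %} is the only control structure. PHP 7.4+.
declare(strict_types=1);

final class TinyTemplate
{
    private string $cacheDir;

    public function __construct(string $cacheDir)
    {
        // The cache dir receives PHP source that will be executed, so it must be
        // writable by the application only, never by uploads or other users.
        $this->cacheDir = $cacheDir;
    }

    // Translate template text into PHP. Only the developer-written template
    // becomes code; the values rendered later are data and are escaped on output.
    public function compileToPhp(string $tpl): string
    {
        $tags = '/(\{\{\s*\w+\s*\}\}|\{%\s*if\s+\w+\s*%\}|\{%\s*endif\s*%\})/';
        $parts = preg_split($tags, $tpl, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
        $php = '';
        foreach ($parts as $part) {
            if (preg_match('/^\{\{\s*(\w+)\s*\}\}$/', $part, $m)) {
                $php .= 'echo htmlspecialchars((string)($vars[' . var_export($m[1], true)
                      . '] ?? \'\'), ENT_QUOTES, \'UTF-8\');' . "\n";
            } elseif (preg_match('/^\{%\s*if\s+(\w+)\s*%\}$/', $part, $m)) {
                $php .= 'if (!empty($vars[' . var_export($m[1], true) . '])) {' . "\n";
            } elseif (preg_match('/^\{%\s*endif\s*%\}$/', $part)) {
                $php .= '}' . "\n";
            } else {
                // Literal text is emitted through var_export(), so a "<?php" or a
                // quote inside the template body cannot break out of the string.
                $php .= 'echo ' . var_export($part, true) . ';' . "\n";
            }
        }
        return $php;
    }

    // Variant 1: run the compiled code with eval(). The PHP it sees is the
    // compiler's output, never a raw string taken from a request.
    public function renderWithEval(string $tpl, array $vars): string
    {
        $php = $this->compileToPhp($tpl);
        ob_start();
        try {
            eval($php);           // eval'd code sees $vars from this scope
        } catch (Throwable $e) {
            ob_end_clean();
            throw $e;
        }
        return ob_get_clean();
    }

    // Variant 2: write the compiled code to a cache file and include it. This is
    // what "include is eval under the hood" amounts to in practice, with the
    // bonus that an opcode cache can keep the compiled template.
    public function renderWithInclude(string $tpl, array $vars): string
    {
        $file = $this->cacheDir . '/tpl_' . hash('sha256', $tpl) . '.php';
        if (!is_file($file)) {
            file_put_contents($file, "<?php\n" . $this->compileToPhp($tpl), LOCK_EX);
        }
        ob_start();
        try {
            include $file;        // included code also sees $vars
        } catch (Throwable $e) {
            ob_end_clean();
            throw $e;
        }
        return ob_get_clean();
    }
}

// Constructed input: the "name" value carries markup that must come out escaped.
$engine = new TinyTemplate(sys_get_temp_dir());
$template = '<p>Hello {{ name }}{% if admin %} (admin){% endif %}</p>';
$vars = ['name' => '<script>alert(1)</script>', 'admin' => true];
echo $engine->compileToPhp($template);
echo $engine->renderWithEval($template, $vars), PHP_EOL;
echo $engine->renderWithInclude($template, $vars), PHP_EOL;
```

The two render variants execute identical code; the difference is only where it lives. That is also the caveat for the include variant: a cache directory that other users or an upload handler can write to is a code-execution path just as surely as an eval() over request data.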
+1  A: 

Using eval is quite dangerous, if seen from the security side. Anyway, a lot of template engines use eval, because they should parse the page and get some variables or make calculations.

+1  A: 

A command line PHP shell is a great example. I guess you could fork the actual PHP code and write your shell extensions in C instead, but it seems much more sensible to do it in PHP. Since the person providing the code should already have full access to the system, there's no security issue at all. Once you get PHP compiled with readline, this sort of thing is actually really useful.

Drupal (optionally) uses eval to allow for ready extensibility. To accomplish this it takes user (generally administrator-only) input of code to be evaluated and stores it in the database. Drupal also has lots of people making sure that there are no security holes.

intuited
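A minimal version of such a shell, as an added example that is my own code and not taken from any existing PHP shell or from Drupal: a read-eval-print loop over eval() that keeps variables between lines, prints expression values, and catches ParseError and other Throwables so a typo does not end the session. It assumes PHP 7 or later (where a parse error inside eval() is thrown rather than fatal) and uses readline() only when that extension is loaded, falling back to STDIN. Everything typed runs with the full privileges of the process, which is exactly why this pattern is acceptable at a local prompt for someone who already has that access and nowhere else.

```php
<?php
// Added example (mine): a tiny interactive PHP shell built on eval().
// Assumes PHP >= 7.0 (catchable ParseError); readline is optional.
declare(strict_types=1);

function readInput(string $prompt): ?string
{
    if (function_exists('readline')) {
        $line = readline($prompt);
        if ($line !== false && $line !== '') {
            readline_add_history($line);
        }
        return $line === false ? null : $line;
    }
    echo $prompt;
    $line = fgets(STDIN);
    return $line === false ? null : rtrim($line, "\r\n");
}

// Run one line. It is first tried as an expression ("return ...;") so its value
// can be printed; if that does not parse, it is run as a plain statement.
// $scope carries the user's variables from one line to the next.
function evalLine(string $line, array &$scope)
{
    extract($scope, EXTR_SKIP);        // previous variables become visible to eval()
    $line = rtrim(trim($line), ';');
    try {
        $result = eval('return ' . $line . ';');
    } catch (ParseError $e) {
        $result = eval($line . ';');   // e.g. "function f() {...}" or "echo 'x'"
    }
    // Everything the evaluated code defined or changed is kept for the next line,
    // except this function's own locals.
    $scope = array_diff_key(get_defined_vars(), array_flip(['scope', 'line', 'result', 'e']));
    return $result;
}

$scope = [];
while (($input = readInput('php> ')) !== null) {
    $trimmed = trim($input);
    if ($trimmed === '') {
        continue;
    }
    if ($trimmed === 'exit' || $trimmed === 'quit') {
        break;
    }
    try {
        $value = evalLine($input, $scope);
        if ($value !== null) {
            echo '=> ', var_export($value, true), PHP_EOL;
        }
    } catch (Throwable $t) {           // ParseError, TypeError, DivisionByZeroError, ...
        echo get_class($t), ': ', $t->getMessage(), PHP_EOL;
    }
}
```

Typing `$x = 6 * 7` followed by `$x + 1` on the next line shows the scope carrying over; typing `system('id')` shows why this belongs on a local terminal only, since the shell simply does what the OS user at the keyboard is already allowed to do.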