I am trying to execute PHP code in XML. Below is the code. Is there a better way of executing it? We are using eval and, as far as I know, it degrades the performance 80-85%, as it is supposed to be used by browser.

    function processing_instruction($inParser, $inTarget, $inCode) {
        if ($inTarget === 'php') {
            eval($inCode);
        }
    }

+1  A: 

"If eval() is the answer, you're almost certainly asking the wrong question."
-Rasmus Lerdorf, BDFL of PHP


Is the code you are running so varied that it can't be decided upon as a series of files to be included on demand or an XML-RPC style function call? There is generally very little to gain by allowing arbitrary code execution, and that's before you consider the staggering amount you stand to lose.

If there is a finite, predictable number of things these files could possibly do, I would strongly recommend taking the time to create a semi-generic XML-RPC interface (or at least a series of files that you could specify in the XML file and then include on-the-fly, perhaps after setting some environment variables, depending on your coding style) and using that.

The number of risks you take when creating a portal to eval() are nigh innumerable.

I had considered providing some examples here, but XML-RPC ought to be a well enough known concept that my doing so is altogether unnecessary.

Dereleased
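
One way to apply the "finite, predictable number of things" advice from the answer above, as an added example that is not part of the original answer: the processing-instruction handler dispatches to a fixed allowlist and never evaluates the instruction body. The `action` target, the handler names and the sample document are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical allowlist: PI data "name argument" maps to a fixed handler.
function allowed_actions(): array
{
    return [
        'upper'  => fn (string $arg): string => strtoupper($arg),
        'length' => fn (string $arg): string => (string) strlen($arg),
    ];
}

function render_xml(string $xml): array
{
    $output = [];
    $rejected = [];
    $actions = allowed_actions();
    $parser = xml_parser_create();
    xml_set_processing_instruction_handler(
        $parser,
        function ($parser, string $target, string $data) use (&$output, &$rejected, $actions): void {
            // Only the hypothetical "action" target is honoured; "php" is never evaluated.
            if ($target !== 'action') {
                $rejected[] = $target;
                return;
            }
            // Split the PI data into an action name and one opaque string argument.
            [$name, $arg] = array_pad(preg_split('/\s+/', trim($data), 2), 2, '');
            if (!isset($actions[$name])) {
                $rejected[] = "action:$name";
                return;
            }
            // The argument is passed as data, never interpreted as code.
            $output[] = $actions[$name]($arg);
        }
    );
    if (xml_parse($parser, $xml, true) !== 1) {
        throw new RuntimeException(xml_error_string(xml_get_error_code($parser)));
    }
    return ['output' => $output, 'rejected' => $rejected];
}

// Constructed sample document: one allowed action, one unknown action, one php target.
$sample = <<<'XML'
<?xml version="1.0"?>
<page><?action upper hello?><?action unknown x?><?php echo 1; ?></page>
XML;

print_r(render_xml($sample));
```

Logging the rejected targets gives a signal when a document tries to use an instruction outside the allowlist.
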
A: 

eval(), sadly, is actually the only way to execute it.

UNLESS...

If the code in the XML gets executed more than once, for instance you have a set of 6 XML files that contain code, kind of like a plugin system.

If that's the case, you can read the code out of the XML, write it out to a .php file, then include that. That would be slower for sure, but if you do that you only have to do it once per XML file. After that you can just run the pure PHP files.

And yes, like everyone else said, you can't trust untrustworthy code (duh).

Jaimz