I know eval should be avoided in JavaScript for speed and security reasons. But in the case of PHP, rarely is security ever mentioned. More often, it's your program running slower than it should because of a haphazard use of eval.

In what specific situations should you use eval because there is no other way around it?

For clarity:

We're not talking about user-supplied data. So the question is focused on pure and fully-controlled server-side valid use of eval.

A: 

i know eval should be avoided in javascript for speed and security reasons. but in the case of php, rarely is security ever mentioned. more often it's your program running slower than it should because of haphazard use of eval.

eval is evil in php too.

in what specific situations should you use eval() because there is no other way around it?

First of all, we try to avoid it as much as possible, but if you do have to use it for executing some code, then you will have to go with that; as said, it is evil, and you use it at your own risk.

Bottom Line:

Never, at any rate, allow user input to be run with eval. (Unless you know what you are doing/risking.)

Sarfraz
The OP didn't say it was with user-supplied data, which that article bases its (very brief) argument on. He asked if there were any valid situations for using it. Clearly, using `eval` on user-supplied data is invalid, but that doesn't really answer the question.
T.J. Crowder
@Crowder: he said "i know eval should be avoided in javascript for speed and security reasons. but in the case of php, rarely is security ever mentioned." Assuming it is not mentioned to be evil in php :) I have also discussed on the situation/usage part. Thanks
Sarfraz
+10  A: 

The security problems of evaluating code with eval in PHP are the same as in JavaScript: if you evaluate some code, you've got to be sure where it comes from, and what it contains.

The security implications might even be greater, as PHP has access to your database (amongst other things) -- which means it can be used to steal/corrupt almost every piece of information your application relies on!

In JavaScript, they say that "eval is evil"; it's probably as true in PHP as it is in JavaScript.

Now, about specific situations in which you cannot avoid using eval... Well, in something like 4 years of developing in PHP as my every-day job, I don't remember having ever used eval in my own code ^^

Still, an example of a situation where you need eval would be when you are storing some code in a database, for instance, and not caching it in files (which could be included) -- that happens with some CMSs that allow portions of PHP code to be typed in the administration section, for instance.

Pascal MARTIN
Completely agree. I would be more careful with PHP eval than js eval, and I can't recall one instance where I needed it.
Roland Bouman
+1 I would say that it is **definitely more evil in PHP** than in JavaScript because of disk, database and arbitrary network access.
Justin Johnson
A: 

i completely agree with previous answers in the point that eval is evil, and i never use it in my code.

but in one situation i haven't managed to avoid eval. i have not much experience in php, so i will be glad if someone advises me how i can rewrite the code without 'eval'. in that situation i had a class name stored in a variable, and i had to call a static method on that class; the class name came from a trusted source. so i had to write something like this:

eval("\$result = $className::methodName();"); // the evaluated code must be a complete statement, so the inner semicolon is required

(because you cannot just write $className::methodName() );

kipelovets
`call_user_func(array($className, 'methodName'))` or `call_user_func("$className::methodName")`, depending on your version of PHP.
konforce
`call_user_func(array($className, $methodName));` should work. EDIT: konforce got in before me :)
Jimmeh
there's the same issue with security, but performance is better... don't know why i didn't think of using that
kipelovets
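The eval-free dispatch suggested in the comments above, written out as an added example (not code from the answer or its commenters). The class `ReportExporter`, the `DISPATCHABLE_CLASSES` allowlist and the helper names are assumptions for the demo; the allowlist is the part a defender would want, since "trusted source" still covers a mistyped config value or a tampered database row.

```php
<?php
// Added example: call a static method on a class named at runtime without eval().
// ReportExporter and DISPATCHABLE_CLASSES are constructed for this demo.

class ReportExporter
{
    public static function methodName(): string
    {
        return 'exported';
    }
}

// Only classes listed here may be dispatched to dynamically. A name that is
// merely "trusted" is still compared against this fixed list before use.
const DISPATCHABLE_CLASSES = ['ReportExporter'];

function assertDispatchable(string $className, string $methodName): void
{
    if (!in_array($className, DISPATCHABLE_CLASSES, true)) {
        throw new InvalidArgumentException("Class not dispatchable: $className");
    }
    if (!method_exists($className, $methodName)) {
        throw new BadMethodCallException("No method $className::$methodName");
    }
}

// Option 1: call_user_func with a [class, method] callable (any PHP 5 version).
function callStatic(string $className, string $methodName)
{
    assertDispatchable($className, $methodName);
    return call_user_func([$className, $methodName]);
}

// Option 2 (PHP 5.3 and later): a variable class name and method name can be
// used directly in a static call, which is what the eval() was emulating.
function callStaticDirect(string $className, string $methodName)
{
    assertDispatchable($className, $methodName);
    return $className::$methodName();
}

var_dump(callStatic('ReportExporter', 'methodName'));
var_dump(callStaticDirect('ReportExporter', 'methodName'));

// A class name outside the allowlist is refused rather than executed.
try {
    callStatic('SomeOtherClass', 'methodName');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```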
A: 

If you want to use anonymous functions prior to PHP 5.3, you need to use create_function, which wraps an eval() call.

JW
+1  A: 

Eval and create_function may allow arbitrary code injection. There are a lot of things in PHP that can be used to compromise the security of your application.

We tell kids not to play with knives and matches - but these are useful (if not essential) tools when used correctly. So it is with a lot of PHP's functionality. There's nothing intrinsically wrong with using the functionality as long as you understand exactly what you are doing.

But a discussion of programming languages at such an abstract level is not what StackOverflow is about.

C.

symcbean