• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401
  • Last Modified:

How to require() a variable?

Hi,

I inherited a php driven site that uses a somewhat strange approach.
There is a big database with code snippets.
The response is generated by extracting those snippets from the database and then combining them.
Some snippets contain only client-side code, these are just echo-ed.
But some snippets contain php code - pure php or mixed php + client-side code.
Now, these are handled as follows:
 1. code snippet is read from the database to a string variable
 2. the content of this variable is written to a temporary file
 3. this temporary file is require()-d, which dumps the code from the database into the current .php
 4. the temporary file is destroyed
 
 This works OK but I want to avoid the unnecessary file i/o operations if possible, so I want to skip creating, require() -ing and deleting the temporary file.
 
My question is, is it possible to require() the variable content directly, without having to save the variable content to a file first, but to achieve the same result ?

Thanks
0
hveld
Asked:
hveld
  • 4
  • 3
  • 3
  • +3
3 Solutions
 
gamebitsCommented:
USe the eval function, evaluate a string as a PHP code.

you query the db to get the code snipet you echo it as a string and using the eval function php will run the code.

more info here

http://ca.php.net/manual/en/function.eval.php

Gamebits
0
 
BogoJokerCommented:
Hi hveld,

Well.  The goal is parsing the php code.  Right now it is in a string, but you want it to actually be read by the server.
The problem is require and include functions all take files as objects.

I finally found something that will work!!! eval()
http://www.php.net/manual/en/function.eval.php

The php.net docs say:
"eval() evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution."

How perfect is that!
Joe P
0
 
BogoJokerCommented:
Whoops like like I was a little late!
All points can go to gamebits, I was 4 minutes behind him =)
Joe P
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
nicholassolutionsCommented:
That is a strange approach indeed. Be careful if any of the code you eval() is dynamic, especially if it's user input. Evaluating code when you don't know exactly what's there can be a big security problem.
0
 
TeRReFCommented:
If there is not too much code in the DB, you might want to extract it from the DB and put it in php files. It is easier to edit if you want to change it and it is safer (see nicholassolutions comment)
0
 
hveldAuthor Commented:
Thanks for the replies.

eval() does not seem to work.
If I have a simple snippet like <? echo "hello world"; ?>
, read it to a variable and then eval() the variable, it doesn't work.

On the other hand, if I have a file with a content <? echo "hello world"; ?>
and require() this file, it works OK. So with eval() I can't achieve the same functionality as with require().

Putting DB data into files is not really an option for now, requires too many changes. I may think of this later when I get to know the system better and have time.
As for the security - I understand this, but doing what I want(if possible at all) will not decrease the current security.  

0
 
BogoJokerCommented:
Does this work?
$str = 'echo "Hello world"';
eval($str);
That is without the <?php ?> marks.

If that works you could then remove all of the opening and closing php tags before sending it through eval() or modify what is in the database, remove the tags by updating the code to the new, working format.

Joe P
0
 
nicholassolutionsCommented:
>>>So with eval() I can't achieve the same functionality as with require().<<
Have a look at the manual page for how to use eval() -- you don't want the <?php ?> in there. You can either go through the DB entries and remove it, or strip it out when you get the code out each time.

>>doing what I want(if possible at all) will not decrease the current security.  <<<
Perhaps not -- it may be the system is quite insecure already ;-)
Generally speaking, using eval() is safe *if* you're either not including any user input in the evaluated string, or you are validating the input properly before evaluating it. You should also keep in mind that this approach is EXTREMELY inefficient, but I understand you just took it over and you've got a lot to take care of before recoding the whole mess ;-)
0
 
hveldAuthor Commented:
I can not just remove <? ?> because there are snippets with mixed php + client-side html - removing <? ?> from them will result in invalid code.

I know all this is very inefficient, and asked this question in an attempt to improve the efficiency a bit without massive modifications.

My idea was to somehow require() a variable as if it's some sort of a virtual file, thus keeping all the operations in the memory and avoiding file i/o. This should be better than the current approach. If I can somehow use eval() , but for all the snippets without modifying them, this should still be better than the current approach.
0
 
TeRReFCommented:
Use preg_match_all to extract the php code snippets and eval those... Something like:
        $s = '<?php PHP code1 ?>HTML text<?php PHP code2 ?>HTML text2';
        preg_match_all("|<\?php(.*)\?>|Ui", $s, $output);
        print_r($output[1]);
0
 
TeRReFCommented:
I guess my last code snippet did the trick since hveld did not reply anymore after that...
Gamebits came up with the eval() solution and nicholassolutions added some security warnings when using eval.
So I propose a points split bewteen us...
0
 
nicholassolutionsCommented:
I agree
0
 
hujiCommented:
What do you think, BogoJoker?
0
 
BogoJokerCommented:
I think we all came up with the same answers, and expanded on it.
1. eval() was correct to use
2. he needed to remove <?php ?> tags
3. ways to remove the php tags were provided

I don't mind where the points go.
Joe P
0
 
hujiCommented:
Thanks to all, for their input.
hveld and gamebits! Do you have anything to add? Please don't hesitate to express your opinion, specially if it is different from what BogoJoker, nicholassolutions and TeRReF said.
Thanks
Huji
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 3
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now