string to code

Posted on 2014-02-04
Last Modified: 2014-02-24
Is it possible to run php code from a string?

So for example:-
$tmpVar = "Bananna";
$myVariable = "echo 'hello ' . $tmpVar;";
//RunCode function does not exist!!!! Should echo out 'hello Bananna'

Open in new window

Just trying to write a project and it would be handy to be able to write the code in a mySQL database and execute from a query, if not means storing lots of files and uing include as needed, just would be tidier if everthing is in one place.

Thank you in advance
Question by:tonelm54
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39834812
There is the 'eval' function .  It is considered the most dangerous function in PHP.  This can be especially true if you are accepting external input into your database so that other people can insert code that you will run.
LVL 31

Assisted Solution

by:Marco Gasi
Marco Gasi earned 100 total points
ID: 39834816
I really don't think this is a correct design pattern for php (or any other language). Though I am not a professional, I never heard about code stored into a database.
After all, why one should do such a thing? Php is e server side language: its code is 'stored' in php files. The only one reason to store it in a database would be if you allowed to your users to write code and to run it on your server: a programmer's suicide programmatically executed!

My suggestion is to use specific files for specific tasks, organizing them in the directory tree if you need to give them a structured organization:

LVL 43

Assisted Solution

by:Chris Stanyon
Chris Stanyon earned 100 total points
ID: 39835154
I'm with Dave on this one. If you think you need to do this, then you need to re-think your design pattern - It's almost never a good idea to use eval().

Put your functions in an include file - it will all be in place :)
LVL 109

Accepted Solution

Ray Paseur earned 100 total points
ID: 39835804
If eval() is the answer, you are asking the wrong question!  Eval() is one of those "clever" things that can get you tripped up and can make your programming harder to understand.  Debugging is harder than writing the code in the first place.  So if you write the code as cleverly as possible you are, by definition, not smart enough to debug it.

Consider a slightly different variation on this design pattern: The query string.  If you write a query string like this, you're writing a computer program that will run in the data base engine, using the variable $x in the processing.


In order to run that query you will need to provide some value for variable substitution into $x.  So maybe the idea will be to use the GET method request variable from the URL like this:


The script copies the key and value from $_GET into the $x variable and runs the query.  And row #3 gets deleted.

Now let's consider a slightly different URL GET request variable:


The plus signs will be automatically decoded into blanks, and the same process will create a query that says this:


Since 1=1 will be true for every row in the data base, the DELETE query will delete every row in the data base.  This is called SQL Injection.  It's a well-known attack vector, and there is a body of knowledge about how to prevent it.

There is, however, no corresponding body of knowledge about how to prevent attacks when a script uses eval().  And that is why we recommend against it.
LVL 33

Assisted Solution

Slick812 earned 100 total points
ID: 39839889
greetings  tonelm54, , you ask - "Is it possible to run php code from a string?", the answer is Yes. But as has been said here already, several times, you should NEVER do this.
And you say - "if not means storing lots of files and using include as needed"
There may be other ways to do this! , But you do not seem to know of the Rich Options that PHP has for this very thing, -> as "get page option" data from a DB Table SELECT, and then do different page output code by using the Table SELECT information, that is different for each page, and having different Classes OR Class settings (options) to do a different page CODE (methods) and get output as needed by the DB entries.
Although it can be set up to use 50 or 60 different php, files in the include( ), this seems like an inefficient php design to me.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Part of the Global Positioning System A geocode ( is the major subset of a GPS coordinate (, the other parts being the altitude and t…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question