string to code

Posted on 2014-02-04
Last Modified: 2014-02-24
Is it possible to run php code from a string?

So for example:-
$tmpVar = "Bananna";
$myVariable = "echo 'hello ' . $tmpVar;";
//RunCode function does not exist!!!! Should echo out 'hello Bananna'

Open in new window

Just trying to write a project and it would be handy to be able to write the code in a mySQL database and execute from a query, if not means storing lots of files and uing include as needed, just would be tidier if everthing is in one place.

Thank you in advance
Question by:tonelm54
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39834812
There is the 'eval' function .  It is considered the most dangerous function in PHP.  This can be especially true if you are accepting external input into your database so that other people can insert code that you will run.
LVL 31

Assisted Solution

by:Marco Gasi
Marco Gasi earned 100 total points
ID: 39834816
I really don't think this is a correct design pattern for php (or any other language). Though I am not a professional, I never heard about code stored into a database.
After all, why one should do such a thing? Php is e server side language: its code is 'stored' in php files. The only one reason to store it in a database would be if you allowed to your users to write code and to run it on your server: a programmer's suicide programmatically executed!

My suggestion is to use specific files for specific tasks, organizing them in the directory tree if you need to give them a structured organization:

LVL 43

Assisted Solution

by:Chris Stanyon
Chris Stanyon earned 100 total points
ID: 39835154
I'm with Dave on this one. If you think you need to do this, then you need to re-think your design pattern - It's almost never a good idea to use eval().

Put your functions in an include file - it will all be in place :)
LVL 110

Accepted Solution

Ray Paseur earned 100 total points
ID: 39835804
If eval() is the answer, you are asking the wrong question!  Eval() is one of those "clever" things that can get you tripped up and can make your programming harder to understand.  Debugging is harder than writing the code in the first place.  So if you write the code as cleverly as possible you are, by definition, not smart enough to debug it.

Consider a slightly different variation on this design pattern: The query string.  If you write a query string like this, you're writing a computer program that will run in the data base engine, using the variable $x in the processing.


In order to run that query you will need to provide some value for variable substitution into $x.  So maybe the idea will be to use the GET method request variable from the URL like this:


The script copies the key and value from $_GET into the $x variable and runs the query.  And row #3 gets deleted.

Now let's consider a slightly different URL GET request variable:


The plus signs will be automatically decoded into blanks, and the same process will create a query that says this:


Since 1=1 will be true for every row in the data base, the DELETE query will delete every row in the data base.  This is called SQL Injection.  It's a well-known attack vector, and there is a body of knowledge about how to prevent it.

There is, however, no corresponding body of knowledge about how to prevent attacks when a script uses eval().  And that is why we recommend against it.
LVL 34

Assisted Solution

Slick812 earned 100 total points
ID: 39839889
greetings  tonelm54, , you ask - "Is it possible to run php code from a string?", the answer is Yes. But as has been said here already, several times, you should NEVER do this.
And you say - "if not means storing lots of files and using include as needed"
There may be other ways to do this! , But you do not seem to know of the Rich Options that PHP has for this very thing, -> as "get page option" data from a DB Table SELECT, and then do different page output code by using the Table SELECT information, that is different for each page, and having different Classes OR Class settings (options) to do a different page CODE (methods) and get output as needed by the DB entries.
Although it can be set up to use 50 or 60 different php, files in the include( ), this seems like an inefficient php design to me.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question