string to code

Posted on 2014-02-04
Medium Priority
Last Modified: 2014-02-24
Is it possible to run php code from a string?

So for example:-
$tmpVar = "Bananna";
$myVariable = "echo 'hello ' . $tmpVar;";
//RunCode function does not exist!!!! Should echo out 'hello Bananna'

Open in new window

Just trying to write a project and it would be handy to be able to write the code in a mySQL database and execute from a query, if not means storing lots of files and uing include as needed, just would be tidier if everthing is in one place.

Thank you in advance
Question by:tonelm54
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 400 total points
ID: 39834812
There is the 'eval' function http://us1.php.net/manual/en/function.eval.php .  It is considered the most dangerous function in PHP.  This can be especially true if you are accepting external input into your database so that other people can insert code that you will run.
LVL 31

Assisted Solution

by:Marco Gasi
Marco Gasi earned 400 total points
ID: 39834816
I really don't think this is a correct design pattern for php (or any other language). Though I am not a professional, I never heard about code stored into a database.
After all, why one should do such a thing? Php is e server side language: its code is 'stored' in php files. The only one reason to store it in a database would be if you allowed to your users to write code and to run it on your server: a programmer's suicide programmatically executed!

My suggestion is to use specific files for specific tasks, organizing them in the directory tree if you need to give them a structured organization:

LVL 45

Assisted Solution

by:Chris Stanyon
Chris Stanyon earned 400 total points
ID: 39835154
I'm with Dave on this one. If you think you need to do this, then you need to re-think your design pattern - It's almost never a good idea to use eval().

Put your functions in an include file - it will all be in place :)
LVL 111

Accepted Solution

Ray Paseur earned 400 total points
ID: 39835804
If eval() is the answer, you are asking the wrong question!  Eval() is one of those "clever" things that can get you tripped up and can make your programming harder to understand.  Debugging is harder than writing the code in the first place.  So if you write the code as cleverly as possible you are, by definition, not smart enough to debug it.

Consider a slightly different variation on this design pattern: The query string.  If you write a query string like this, you're writing a computer program that will run in the data base engine, using the variable $x in the processing.


In order to run that query you will need to provide some value for variable substitution into $x.  So maybe the idea will be to use the GET method request variable from the URL like this:


The script copies the key and value from $_GET into the $x variable and runs the query.  And row #3 gets deleted.

Now let's consider a slightly different URL GET request variable:


The plus signs will be automatically decoded into blanks, and the same process will create a query that says this:


Since 1=1 will be true for every row in the data base, the DELETE query will delete every row in the data base.  This is called SQL Injection.  It's a well-known attack vector, and there is a body of knowledge about how to prevent it.

There is, however, no corresponding body of knowledge about how to prevent attacks when a script uses eval().  And that is why we recommend against it.
LVL 35

Assisted Solution

Slick812 earned 400 total points
ID: 39839889
greetings  tonelm54, , you ask - "Is it possible to run php code from a string?", the answer is Yes. But as has been said here already, several times, you should NEVER do this.
And you say - "if not means storing lots of files and using include as needed"
There may be other ways to do this! , But you do not seem to know of the Rich Options that PHP has for this very thing, -> as "get page option" data from a DB Table SELECT, and then do different page output code by using the Table SELECT information, that is different for each page, and having different Classes OR Class settings (options) to do a different page CODE (methods) and get output as needed by the DB entries.
Although it can be set up to use 50 or 60 different php, files in the include( ), this seems like an inefficient php design to me.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question