Brett

Reputation: 3316

How to execute PHP code in a string variable

What I want to do is pull html and PHP code out from a database and then execute it. So for example I may have:

<?php 
  $test = <<<END
    <p> <?php 
    echo time(); 
    ?> </p>
    END;
  echo $test;
?>

What I want is to get $test to print

<p> 12:00PM </p>                  //right

instead of printing:

<p> <?php echo time(); ?> </p>    //wrong

as occurs when I use the echo function.

Please do not tell me how to do the same thing with JavaScript or another workaround. Instead stick to the question and remember the example is just an example to demonstrate my problem. The actual code is much more complicated.

I have looked at Javascript string variable that contains PHP code but none of the answers work.

Upvotes: 0

Views: 9041

Answers (3)

Spudley

Reputation: 168655

I would strongly recommend against doing what you're asking to do. There are a number of very good reasons for this.

The answer to the question, as others have said, is to use eval(). However, eval() has several major issues with it.

Firstly, to follow up from the comments on the question, code run through it is executed significantly slower than regular PHP code. Although PHP is a scripted language, it does have optimisations to make it run faster. None of these optimisations work for an eval block, because the scripting engine can't know what the code will look like until it actually runs it.

Not only that, but loading the code from the database will also be slower than loading it from a file using a regular include() statement.

Secondly, eval() is one of the biggest security headaches you can have. An eval() statement will run any PHP code it is given, which means that an attacker who can manipulate the code will be able to do anything on your server. In short, a single eval() statement in your code can turn a minor hack into a catastrophic one.

One alternative solution that doesn't involve changing your concept too much would be to save the PHP code to a file rather than the DB. This would allow you to simply include() it at the appropriate time, and would eliminate the speed issues discussed above. You could still use the DB to store it if you wished, and have it export to a cache file using a cron job or similar, or you could just save it directly to the file.

However, this solution wouldn't necessarily eliminate the security risks. You would still be running effectively arbitrary code, which would still mean that a hacker could do a lot of damage with a relatively simple hack.

I would therefore recommend re-thinking why you need to allow user-input PHP code to be entered into your software.

Upvotes: 7
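
One way to act on the recommendation above without eval(), as an added example that is not part of any answer on this page: the database stores markup with {{name}} placeholders, and only handlers on a fixed allowlist can run. The function name renderStored, the placeholder syntax and the handler names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Render markup loaded from storage by filling {{name}} placeholders.
 * The stored string is treated purely as data: it is never passed to
 * eval() or include(), so it cannot introduce new PHP code.
 */
function renderStored(string $stored, array $handlers): string
{
    // Make any PHP open tag in the stored text visibly inert.
    $stored = str_replace('<?', '&lt;?', $stored);

    $out = preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        static function (array $m) use ($handlers): string {
            $name = strtolower($m[1]);
            if (!isset($handlers[$name])) {
                // Unknown placeholder: leave it as escaped literal text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // Escape handler output so a handler cannot inject markup.
            return htmlspecialchars((string) $handlers[$name](), ENT_QUOTES, 'UTF-8');
        },
        $stored
    );
    if ($out === null) {
        throw new RuntimeException('placeholder substitution failed');
    }
    return $out;
}

// The only code that stored content can trigger (hypothetical handler names).
$handlers = [
    'time' => static fn(): string => date('g:iA'),
    'year' => static fn(): string => date('Y'),
];

// Constructed sample row standing in for a value read from the database.
$row = '<p> {{time}} </p><p>{{ nope }}</p><p><?php echo time(); ?></p>';

echo renderStored($row, $handlers), PHP_EOL;
```

The first paragraph is filled with the current time, while the unknown placeholder and the embedded PHP tag are emitted as literal text rather than executed.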

RiquezJP

Reputation: 261

Something like this might be useful...

<?php echo writedata($code_to_parse); ?>

<?php
function writedata($data){
    if(substr($data,0,2)=="?>"){
        eval($data);
        // eval will run & echo the code immediately, so return an empty $code
        $code="";
    }else{
        $code="$data";
    }
    return $code;
}
?>

Now you can handle either plain html & mixed php/html with one function call.

Sample data:

?>Bonjour. The time now is <?php echo $timenow; ?> in Paris.

<div class="bluebox">Perfect day for swimming</div>

There are some side effects using eval(); remember it will execute as soon as you call it, so it can sometimes have unexpected results.

Upvotes: 1

goat

Reputation: 31813

You can use eval() for this

$test = <<<END
<p> <?php 
echo time(); 
?> </p>
END;


ob_start();
eval("?>$test");
$result = ob_get_clean();

Upvotes: 5
