Reputation: 107
There is a known way to include a file and capture its contents into a string while loading.
$string = get_include_contents('somefile.php');
function get_include_contents($filename) {
    if (is_file($filename)) {
        ob_start();
        include $filename;
        return ob_get_clean();
    }
    return false;
}
https://www.php.net/manual/en/function.include.php
Is there a way to "include" contents loading them from a string instead of a file?
I mean something like this:
$string = file_get_contents("file.php");
include_from_string($string);
Upvotes: 8
Views: 7789
Reputation: 402
This might not be what you are looking for, but I've got a workaround for it.
Just create a temporary file with tempnam(), which you will include and then unlink().
$path = "somefile.php";
$stringFile = file_get_contents($path);
$pathTmp = tempnam("tmp/", ""); // pass the directory in which the tmp files will be stored; for me it's "tmp/"
$file = fopen($pathTmp, "w+");
fwrite($file, $stringFile); // write the loaded code into the temporary file
fclose($file);
include $pathTmp; // include the file, and the PHP in it will be parsed automatically
unlink($pathTmp); // delete the file
THIS IS WRONG:
I'm not sure if it's good practice (but hack damn, it's simple) because no one suggested it, but it's better than eval(), which is basically a "code hazard".
THIS IS RIGHT:
As @Chris Harrison commented, this is a security risk and it's equal to eval(). So you could basically do this:
eval($string);
Upvotes: 4
Reputation: 381
This is not equivalent to using include. Here's the problem: eval() takes the provided PHP and executes it in the current environment. Thus, any globals, functions, classes, what-not, you have defined prior to the eval() are available for the processor. This is all good, and, upon return, the only thing left of the original (eval'd) string are the results of any echo (or equivalent) statements.
This is NOT the same as an include. There the file contents are merged with your source code and that is passed to eval(). Very, very different. The easiest way to see this is to define your string as 'class fu { static function bar() { echo "wow"; } }'. Put this in a file and call fu::bar() and you'll get 'wow' displayed. At the same point in your code, if you do an eval('class fu ...') and call fu::bar() from your code, you'll get "Fatal error: Call to private method fu::bar() from context ..."
But, as long as you don't need to interact with the 'include' the results will appear the same.
Upvotes: 0
Reputation: 4650
This is a simple example for you: if you pass the string to eval(), it will execute the code in the string variable.
<?php
//here your PHP Code goes
$string = get_include_contents('somefile.php');
//evaluating the string this will work
eval($string); //output
Upvotes: 0
Reputation: 50328
If you want the string to be parsed as PHP code, just like the contents of a file loaded with include(), then the function you need is eval().
Note that, unlike code loaded by include(), code executed by eval() automatically starts in PHP mode, so you don't need to (and shouldn't!) prefix it with <?php. If you want to emulate the behavior of include() exactly, you can prefix the string to be eval()ed with ?> to leave PHP mode:
$string = file_get_contents( 'somefile.php' );
eval( '?>' . $string );
Also note that eval() is a very dangerous function to play with! While in this specific case it shouldn't be any more risky than include() itself is, using eval() on any string that might even possibly contain unsanitized (or insufficiently sanitized) user input is extremely dangerous, and may be exploited by attackers to execute malicious code on your system and thereby gain control of it.
Upvotes: 11
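An added example, not from any of the answers above: one way to combine the output-buffered capture from the question with the eval('?>' . $string) form, while refusing any string that does not match a SHA-256 digest pinned at review time. The names render_trusted_template and $pinned are hypothetical, and the template string is constructed sample input.

```php
<?php
// Added example; render_trusted_template() and $pinned are hypothetical names.

/**
 * Evaluate a PHP template held in a string and return its output,
 * but only if the string matches a digest recorded when it was reviewed.
 */
function render_trusted_template(string $code, string $pinnedSha256, array $vars = []): string
{
    // Refuse anything whose content is not byte-for-byte what was reviewed.
    if (!hash_equals($pinnedSha256, hash('sha256', $code))) {
        throw new RuntimeException('template digest mismatch, refusing to eval');
    }

    // Run inside a closure so the template sees only $vars, not the caller's locals.
    $run = static function (string $__code, array $__vars): void {
        extract($__vars, EXTR_SKIP);
        // The leading close tag leaves PHP mode, so the string parses like an included file.
        eval('?>' . $__code);
    };

    $level = ob_get_level();
    ob_start();
    try {
        $run($code, $vars);
        return ob_get_clean();
    } catch (Throwable $e) {
        // Discard partial output so a failing template leaks nothing to the response.
        while (ob_get_level() > $level) {
            ob_end_clean();
        }
        throw $e;
    }
}

// Constructed sample input, standing in for file_get_contents('somefile.php').
$template = "<p>Hello <?php echo htmlspecialchars(\$name, ENT_QUOTES); ?></p>\n";
$pinned   = hash('sha256', $template); // in practice a constant stored with the code

echo render_trusted_template($template, $pinned, ['name' => "O'Reilly"]);

// A modified string no longer matches the pinned digest and is never evaluated.
try {
    render_trusted_template($template . '<?php echo "extra"; ?>', $pinned);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The digest check only proves the string is the one that was reviewed; it does not make arbitrary or user-supplied code safe to evaluate.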
Reputation: 408
Just echo whatever you want instead of include inside your function!
UPDATE
Your function should look like this:
$string = "Whatever";
$str = get_var($string);
function get_var($str) {
    ob_start();
    echo $str;
    return ob_get_clean();
}
Upvotes: -1