From 0d66a6cf2c0cad946dd8b766ac6ea09b96989114 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Sat, 24 Dec 2011 23:05:58 +0000 Subject: [PATCH] Slightly cleanup eval() docs and add a Caution at the top encouraging to avoid eval(). git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@321375 c90b9560-bf6c-de11-be94-00142212c4b1 --- reference/misc/functions/eval.xml | 52 ++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/reference/misc/functions/eval.xml b/reference/misc/functions/eval.xml index 6194230f4a..b66c60478e 100644 --- a/reference/misc/functions/eval.xml +++ b/reference/misc/functions/eval.xml @@ -10,23 +10,20 @@ &reftitle.description; mixedeval - stringcode_str + stringcode - Evaluates the string given in code_str as PHP code. - - - There are some factors to keep in mind when using - eval. Remember that the string passed must be valid - PHP code, including things like terminating statements with a semicolon so - the parser doesn't die on the line after the eval, - and properly escaping things in code_str. To mix - HTML output and PHP code you can use a closing PHP tag to leave PHP mode. - - - Also remember that variables given values under eval - will retain these values in the main script afterwards. + Evaluates the given code as PHP. + + + The eval language construct is very dangerous + because it allows execution of arbitrary PHP code. Its use thus is + discouraged. If you have carefully verified that there is no other option + than to use this construct, pay special attention not to pass any user + provided data into it without properly validating it beforehand. + + 
@@ -34,16 +31,33 @@ - code_str + code - The code string to be evaluated. - code_str does not have to contain PHP Opening tags. + Valid PHP code to be evaluated. + + + The code mustn't be wrapped in opening and closing + PHP tags, i.e. + 'echo "Hi!";' must be passed instead of + '<? echo "Hi!"; >'. It is still possible to leave and + reenter PHP mode though using the appropriate PHP tags, e.g. + 'echo "In PHP mode!"; ?>In HTML mode!<? echo "Back in PHP mode!";'. + + + Apart from that the passed code must be valid PHP. This includes that all statements + must be properly terminated using a semicolon. + 'echo "Hi!"' for example will cause a parse error, whereas + 'echo "Hi!";' will work. A return statement will immediately terminate the - evaluation of the string . + evaluation of the code. + + + The code will be executed in the scope of the code calling eval. Thus any + variables defined or changed in the eval call will remain visible after + it terminates.
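Review bot: in the first hunk (@@ -10,23 +10,20 @@), the new Caution's advice to "pay special attention not to pass any user provided data into it without properly validating it beforehand" undercuts the hunk's own premise; since eval executes arbitrary PHP code, the guidance should be to never pass user-controlled input into it at all, because checking that an arbitrary string contains only "safe" code is not something an application can do reliably. The removed sentence about "properly escaping things in code_str" is dropped without a replacement, which is correct since escaping is not a defence here, but the Caution should say so rather than leave validation as the implied fix. Minor wording: "Its use thus is discouraged" reads better as "Its use is therefore discouraged". The rename of the parameter from code_str to code in the synopsis also needs the same change wherever the old name appears elsewhere in eval.xml, which this diff does not show.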
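Review bot: in the second hunk (@@ -34,16 +31,33 @@), the counter-example '<? echo "Hi!"; >' has a typo: the closing tag is '?>', not '>', so the sentence currently contrasts valid code with something that is not a PHP tag at all. Both that snippet and the mixed-mode example '... ?>In HTML mode!<? echo "Back in PHP mode!";' use the short open tag '<?', which only works when short_open_tag is enabled; the manual should use '<?php' so the snippet behaves the same on every installation. Wording: "mustn't" should be "must not" to match the rest of the manual, and "This includes that all statements must be properly terminated using a semicolon" reads better as "In particular, every statement must be terminated with a semicolon". Since the hunk keeps "A return statement will immediately terminate the evaluation of the code", it could add that the value given to return becomes the return value of eval, which is the usual reason for using return inside evaluated code.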