0

I'm using the Yii framework. I want to make a PHP string into a PHP action.

$var = 'echo "hello";';
//Something to do to run $var

I want to print $var; how can I do that? Is there a simple option in the Yii framework to parse PHP from a string?

4
  • Do you really want to print $var or to echo 'hello'? The most dangerous function in PHP will do this, but it's the one that will allow abuse if you use it with user-generated strings. Commented Aug 20, 2013 at 7:24
  • I want to make $var an action so it should display hello. Commented Aug 20, 2013 at 7:25
  • 1
    Take heed of any warnings when using eval(); you're almost certainly leaving your site wide open to intentional or even accidental abuse. This is a back door for anyone to run malicious code, or to crash your server, and is rightly disabled by many ISPs. Commented Aug 20, 2013 at 7:26
  • I'm trying to pass a function, something like $expression[0] = 'Yii::app()->user->isAdmin()'; eval returns only false and null, without anything related to the function. Commented Aug 20, 2013 at 7:34

3 Answers

2

You may use the eval() function. But eval is evil in many cases, and generally such a way of coding makes code harder to follow and debug. Beware of potentially unsafe input from the user, because if, for instance, you do

eval("echo \"$var\";");

and $var was set directly from $_POST, one may set $var='lol"; mail("[email protected]", "Some passwords", "/bin/cat /etc/passwd");' (provided that the webserver runs under a user that may have access to such functions and directories; even if not, it gives plenty of opportunities to exploit such a vulnerability). So, generally eval is a bad idea, but sometimes it is the only solution. Anyway, be very careful.


Comments

0

eval — Evaluate a string as PHP code

Evaluates the given code as PHP.

Caution The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

http://php.net/manual/en/function.eval.php

Comments

0
$this->evaluateExpression($var);

Comments
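An alternative to eval() for the use case in the question's comments (running a stored check such as an admin test), as an added example that is not from any of the answers or from Yii: the stored value names a rule in a fixed table of closures, and unknown names are rejected rather than interpreted. DemoUser, ruleTable(), evaluateRule() and the rule names are hypothetical, and the inputs are constructed.

```php
<?php
// Constructed stand-in for the application's user object (hypothetical).
final class DemoUser
{
    private $id;
    private $admin;
    public function __construct(int $id, bool $admin)
    {
        $this->id = $id;
        $this->admin = $admin;
    }
    public function id(): int { return $this->id; }
    public function isAdmin(): bool { return $this->admin; }
}

// Allowlist: stored data or request input may only name a key of this table.
function ruleTable(): array
{
    return [
        'user.isAdmin' => function (DemoUser $u, array $args): bool {
            return $u->isAdmin();
        },
        'user.isAdminOrOwner' => function (DemoUser $u, array $args): bool {
            return $u->isAdmin()
                || (isset($args['ownerId']) && $args['ownerId'] === $u->id());
        },
    ];
}

// Exact-match lookup; unknown names fail closed instead of being interpreted.
function evaluateRule(string $name, DemoUser $user, array $args = []): bool
{
    $rules = ruleTable();
    if (!array_key_exists($name, $rules)) {
        throw new InvalidArgumentException('Unknown rule: ' . $name);
    }
    return $rules[$name]($user, $args);
}

$visitor = new DemoUser(7, false);
var_dump(evaluateRule('user.isAdmin', new DemoUser(1, true)));
var_dump(evaluateRule('user.isAdminOrOwner', $visitor, ['ownerId' => 7]));
try {
    // Constructed input carrying PHP source: compared to keys, never run.
    evaluateRule('Yii::app()->user->isAdmin()', $visitor);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

In Yii 1.1, CComponent::evaluateExpression() evaluates a string expression with eval(), so passing it a string carries the same risk; it also accepts a PHP callback in place of a string.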
