
I have a textarea where you can write PHP & HTML (or technically anything else). You can preview your code in the browser by submitting the form, and what I want to do is eval() the code (and thereby display it). Now eval doesn't seem to accept PHP tags (<?php ?>) in the given string. I've read many posts that suggest calling eval like

eval(' ?>'.$_POST['markup']); 

But that may have worked once; it doesn't work anymore. I get a syntax error for the lines where there's a PHP opening / closing tag.

Is there still a way to eval() strings that contain PHP opening and closing tags?

  • Not an answer, but this is super dangerous. Do you 100% trust your users, or indeed, your web application security? Commented Oct 24, 2011 at 8:15
  • Are you trying to give users a way to execute their own PHP against your server? That seems like a bad idea. If not, what is your goal here? Commented Oct 24, 2011 at 8:16
  • I'm hoping you are aware of the enormous security hole you are creating by doing this. While this might seem like a good idea during development, there is a big chance that it will come back and bite you real hard somewhere down the road. Commented Oct 24, 2011 at 8:16
  • Thanks for your comments. Of course I know the risk. That part of the project is intended for the developers, who are allowed to do anything anyway. It is a quick way to test some code in the browser. And I know eval is evil per se, but we need that feature as a quick way to preview code. Commented Oct 24, 2011 at 8:21
  • Ok, it was my bad. It does work using "?>" in eval. My problem was that I didn't use stripslashes on $_POST['markup'], so I got a syntax error. Commented Oct 24, 2011 at 12:09

2 Answers


The construct

eval('?>' . $code);

should still work. Quoting the documentation:

To mix HTML output and PHP code you can use a closing PHP tag to leave PHP mode.

Please check which kind of syntax error you get, and ensure that the code you supply to eval() is correct.

Also remember that eval() is evil, since it allows users of your script to execute arbitrary code on the server, like reading private files and changing/deleting data. This is a serious security risk!
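An added example (not code from the question or either answer) of the '?>' construct this answer describes, wrapped in a preview helper that limits the feature to developers, handles the magic-quotes escaping that produced the asker's syntax error, and reports parse errors instead of a blank page; previewMarkup and the $isDeveloper flag are assumed names, not part of the original.

```php
<?php
// Added example, not from the original question or answers.
// $isDeveloper is an assumed application-level role check: eval() of request
// data must stay limited to trusted developers, as the question states.
function previewMarkup(string $markup, bool $isDeveloper): string
{
    if (!$isDeveloper) {
        return 'Preview is restricted to developers.';
    }

    // With magic_quotes_gpc on (PHP < 5.4), POST data arrives backslash-escaped,
    // which is exactly the syntax error reported in the question.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $markup = stripslashes($markup);
    }

    ob_start();
    try {
        // '?>' leaves PHP mode, so the string may start with HTML and
        // contain its own <?php ... ?> blocks.
        eval('?>' . $markup);
    } catch (ParseError $e) {   // PHP 7+: syntax errors in eval() are catchable
        ob_end_clean();
        return 'Syntax error on line ' . $e->getLine() . ': ' . $e->getMessage();
    } catch (Throwable $e) {
        ob_end_clean();
        return 'Runtime error: ' . $e->getMessage();
    }
    return ob_get_clean();
}

// Constructed sample input mixing HTML with an opening and a closing PHP tag.
$sample = "<h1>Hello</h1>\n<?php echo 'Year: ', date('Y'); ?>\n<p>done</p>\n";
echo previewMarkup($sample, true);
```

A broken snippet such as `<?php echo 'x' ?><?php if ( ?>` returns the parse error text rather than aborting the request, which makes the "check which kind of syntax error you get" step above visible in the preview itself.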


Works for me:

<?php

$_POST['markup'] = 'Lorem ipsum dolor sit amet' . PHP_EOL;

// First time
eval(' ?>'.$_POST['markup']);

// Second time
eval(' ?>'.$_POST['markup']);

... prints this:

Lorem ipsum dolor sit amet
Lorem ipsum dolor sit amet 
