
The evil eval()


Sleidia

Technical User
Joined
May 4, 2001
Messages
1,284
Location
FR
Hello,

Is there any way to have a string cleaned in such a way that it would never produce any error when being eval()ed?

I get stuff like Parse error: parse error, unexpected '&' in ... : eval()'d code on line 2

I get stuff like Parse error: parse error, unexpected ';' in ... : eval()'d code on line 2


Thanks !! ;)
 
A string evaluated by eval() is just like any PHP script. I don't know of any way to clean a PHP script so that it will never produce an error.

The best you can hope to do is perhaps use the "@" error-suppression operator. That might stop PHP from displaying the errors.


Is this related to your earlier template question? If so, isn't your own code producing the strings to be evaluated?



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
As an addendum, I DO NOT recommend that anyone ever use the "@" operator in a production environment. It is in every way better to produce code that reacts gracefully to errors than to simply ignore them.





Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Yep, it's related to my previous post.

As for the code parsed by eval, it is not only code. Retrieved MySQL data is mixed with the code.

See the variable $template:

$template = "
print('<tr>
<td style=\"color: #336699;\"><b> } format_sqldate(' } news_date { ', 4) { : <span class=\"boldorange\"> } ucfirst(' } news_title { ') { </span></b><br>
 } news_desc { <br>
<br>
</td>
</tr>');
";

news_title, news_desc and news_date are MySQL fields.

Anyway, here is the function that uses eval:


Code:
function hd_make_query($action_name, $table_name, $field_list, $action_end, $var_prefix, $template) {

    global $db_connect; // mysql_connect() taken from outside the function
    global $ext_lang;   // user language taken from outside the function
    global $num;        // selected/affected rows
    global $output;     // HTML output containing data from database

    // accumulators must start empty, otherwise ".=" below works on undefined variables
    $query_field = "";
    $query_value = "";
    $query_tot   = "";

    if ($action_end != NULL) $action_end = " " . $action_end;

    $field_array = explode(" . ", $field_list);

    for ($i = 0; $i < sizeof($field_array); $i++) {

        // the value for each field is read from a global named prefix + field
        global ${$var_prefix . $field_array[$i]};
        $this_value = ${$var_prefix . $field_array[$i]};
        $this_field = $field_array[$i];

        // query : UPDATE
        if ($action_name == "update") {

            $query_field .= $this_field . " = \"" . $this_value . "\"";

            if ($i < (sizeof($field_array) - 1)) {
                $query_field .= ", ";
            } else {
                $query_tot = strtoupper($action_name) . " " . $table_name . " SET " . $query_field . $action_end;
            }

        // query : INSERT
        } else if ($action_name == "insert") {

            $query_field .= $this_field;
            $query_value .= "'" . $this_value . "'";

            if ($i < (sizeof($field_array) - 1)) {
                $query_field .= ", ";
                $query_value .= ", ";
            } else {
                $query_tot = strtoupper($action_name) . " INTO " . $table_name . " (" . $query_field . ") VALUES (" . $query_value . ") " . $action_end;
            }

        // query : SELECT
        } else if ($action_name == "select") {

            if ($field_list == NULL) $this_field = "*";

            $query_field .= $this_field;

            if ($i < (sizeof($field_array) - 1)) {
                $query_field .= ", ";
            } else {
                $query_tot = strtoupper($action_name) . " " . $query_field . " FROM " . $table_name . $action_end;
            }

        // query : DELETE
        } else if ($action_name == "delete") {

            $query_tot = strtoupper($action_name) . " FROM " . $table_name . $action_end;

        }
    }

    // note: the field values are concatenated into the SQL text without any escaping
    $query_tot = mysql_query($query_tot, $db_connect) or die (mysql_alert(mysql_error(), $ext_lang));
    $num = mysql_affected_rows();

    if ($action_name == "select") {

        $num = mysql_num_rows($query_tot);
        $cur = 1;

        while ($num >= $cur) {

            $bloc = $template;
            $row = mysql_fetch_array($query_tot);

            for ($i = 0; $i < mysql_num_fields($query_tot); $i++) {

                $this_field = mysql_field_name($query_tot, $i);
                $var_name = $var_prefix . $this_field;

                // expose each column as a global variable named prefix + column
                global ${$var_name};
                ${$var_name} = $row[$this_field];

                if ($template != NULL) {

                    if ($field_list == NULL) {
                        $code_rep = " } " . $i . " { ";
                    } else {
                        $code_rep = " } " . $this_field . " { ";
                    }

                    // substitute the raw column value into the template text
                    $bloc = str_replace($code_rep, ${$var_name}, $bloc);
                }
            }

            $output .= $bloc;
            $cur++;
        }

        // " } x { " markers become "' . x . '" and the whole block is run as PHP code,
        // so any quote in a column value changes the code that gets evaluated
        $output = eval(str_replace(" { ", " . '", str_replace(" } ", "' . ", $output)));
    }
}

I use it this way:

Code:
$template = "
print('<tr>
<td style=\"color: #336699;\"><b> } format_sqldate(' } news_date { ', 4) {  : <span class=\"boldorange\"> } ucfirst(' } news_title { ') { </span></b><br>
 } news_desc { <br>
 <br>
 </td>
</tr>');
";

hd_make_query("select", "my_table", "news_title . news_desc . news_date", "ORDER BY news_date ASC", NULL, $template);

print($output);

hd_make_query("select", "my_table", "news_title . news_desc . news_date", "WHERE news_ID = \"$id\"", NULL, NULL);

print($news_date);

hd_make_query("update", "my_table", "news_title . news_desc . news_date", "WHERE news_ID = \"$id\"", NULL, NULL);

hd_make_query("delete", "my_table", NULL, "WHERE news_ID = \"$id\"", NULL, NULL);

 
The problem is almost certainly somewhere within your use of double- and single-quotes in the evaluated string.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 

Yes I know but when I replace them with html entities, then it complains about the "&" and ";" characters as seen in

Parse error: parse error, unexpected '&' in ... : eval()'d code on line 2

How can those characters cause trouble?
 
Because they aren't characters. They're sets of characters.

On a web page, characters and their html-entity equivalents are the same. But only visually.

You can't, for example, use HTML entities to surround the values of HTML attributes. Nor can you use them in place of punctuation marks in a PHP script.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 