When (if ever) is eval NOT evil?

php eval
Kendall Hopkins picture Kendall Hopkins · Aug 17, 2010 · Viewed 7.7k times · Source

I've heard many places that PHP's eval function is often not the answer. In light of PHP 5.3's LSB and closures we're running out of reasons to depend on eval or create_function.

Are there any conceivable cases where eval is the best (only?) answer in PHP 5.3?

This question is not about whether eval is evil in general, as it obviously is not.

Summary of Answers:

  • Evaluating numerical expressions (or other "safe" subsets of PHP)
  • Unit testing
  • Interactive PHP "shell"
  • Deserialization of trusted var_export
  • Some template languages
  • Creating backdoors for administers and/or hackers
  • Compatibility with < PHP 5.3
  • Checking syntax (possibly not safe)

Answer

tylerl picture tylerl · Aug 17, 2010

If you're writing malware and you want to make life hard for the sysadmin who's trying to clean up after you. That seems to be the most common usage case in my experience.

Related questions

instantiate a class from a variable in PHP?

I know this question sounds rather vague so I will make it more clear with an example: $var = 'bar'; $bar = new {$var}Class('var for __construct()'); //$bar = new barClass('var for __construct()'); This is what I want to …

Read More
calculate math expression from a string using eval

I want to calculate math expression from a string. I have read that the solution to this is to use eval(). But when I try to run the following code: <?php $ma ="2+10"; $p = eval($ma); print $p; ?> It …

Read More
Laravel - syntax error, unexpected end of file

I have a website which works fine on host, but I'm currently trying to install it on localhost. I've downloaded everything and configured to work on localhost - Database & URL. The problem is this error: Unhandled Exception Message: syntax …

Read More