There are a shed-load of ways to “eval()” code without actually calling the eval() function — usually done simply to avoid the use of the dreaded “evil()” function.
Here is another simple way to avoid eval() without writing out files to the filesystem etc:
This uses the new data: stream wrapper (see RFC2397) that was introduced with PHP 5.2.0; and while this seems like a risk, first: The “attacker” already has access to the code on your system, or you’re open to injection anyway, second: PHP 5.2 has also fixed the problem with the introduction of the “
I just thought it was a neat little streams “hack” I would share; I originally thought to do it using the var stream from PHP’s stream_wrapper_register() documentation, but then Evert Pot posted about creating streams from strings using the data: stream, which led to this final “solution”.
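Seen from the code-review side, the technique above is an include or require whose argument is a data: URI. The following Python heuristic is an added example, not code from the original post; it flags such statements in PHP source. The function names and the sample PHP are constructed for illustration.

```python
import re

# Quoted strings are matched first so "data://" inside a string is not
# mistaken for a // comment; comments are the second group.
TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(//[^\n]*|#[^\n]*|/\*.*?\*/)""",
    re.DOTALL,
)
# include/require family, with or without parentheses, up to the first ';'.
INCLUDE_STMT = re.compile(
    r"\b(include_once|include|require_once|require)\b\s*\(?(?P<arg>[^;]*);",
    re.IGNORECASE,
)
# A string literal that begins with the RFC 2397 scheme.
DATA_LITERAL = re.compile(r"""["']\s*data:""", re.IGNORECASE)

# Constructed sample input (not taken from the original page).
SAMPLE = '''<?php
// include "data:text/plain,commented out";
require_once 'lib/config.php';
$code = '<?php echo 1;';
include "data:text/plain;base64," . base64_encode($code);
$url = "data:image/png;base64,AAAA"; // not included, only a string
REQUIRE('data://text/plain,' . $payload);
'''

def strip_comments(source):
    """Blank out PHP comments, keeping strings and line breaks intact."""
    def repl(m):
        if m.group(2) is None:
            return m.group(0)  # a string literal: keep as written
        return " " + "\n" * m.group(2).count("\n")
    return TOKEN.sub(repl, source)

def find_data_includes(source):
    """Return (line, keyword) for each include/require of a data: literal."""
    code = strip_comments(source)
    hits = []
    for m in INCLUDE_STMT.finditer(code):
        if DATA_LITERAL.search(m.group("arg")):
            line = code.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1).lower()))
    return hits

if __name__ == "__main__":
    for line, keyword in find_data_includes(SAMPLE):
        print(f"line {line}: {keyword} of a data: URI")
```

The check only sees literals: a data: URI assembled in a variable and included later is not flagged, and heredocs or inline HTML can confuse the comment stripping.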