Bug #52851 Bug with eval() parsing strings
Submitted: 2010-09-15 12:15 UTC Modified: 2010-09-15 12:17 UTC
From: max at dteam dot us Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.3.3 OS: Windows
Private report: No CVE-ID: None
 [2010-09-15 12:15 UTC] max at dteam dot us
Description:
------------
eval() function seems to work improperly with double [[ chars in string.

Test script:
---------------
<?php
$bogus_str = "[[hello!]] brackets";
$code = "echo $bogus_str;";

echo $bogus_str;
eval($code);
?>

Expected result:
----------------
[[hello!]] brackets[[hello!]] brackets

Actual result:
--------------
[[hello!]] brackets Parse error: syntax error, unexpected '[' in C:\xampp\htdocs\test.php(6) : eval()'d code on line 1

 [2010-09-15 12:17 UTC] aharvey@php.net
-Status: Open +Status: Bogus
 [2010-09-15 12:17 UTC] aharvey@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


 [2010-09-15 12:37 UTC] max at dteam dot us
Well, I suppose after a second thought this is not actually a bug. But the way that eval() treats passed code is anyway kind of funny. I faced the problem when I was writing a snippet for MODX CMS. Seems like eval doesn't really care what quotes are used in code. They should be escaped somehow because there are so many ways where it's difficult to know how exactly the eval() was executed in framework.
 [2010-09-20 23:25 UTC] anon at anon dot com
In what way is eval's behavior remotely "funny"? You are explicitly asking it to run this code:

 echo [[hello!]] brackets;

Hence the syntax error. 

>Seems like eval doesn't really care what quotes are used in code
How on Earth do you propose that it should keep track of how its argument, $code, was generated, and how that string's embedded variable, $bogus_str, was generated, and what quotes were used for it, if indeed it came from the source code at all, and any other of a million possible modifications that might have happened to the strings along the way to affect that?

Chances are you don't need eval, because it's almost never needed, and most languages do perfectly well without it. But if you really need it, escape the string or use different quotes. You might have meant to do this:
 $code = 'echo $bogus_str;';
Or this:
 $code = "echo \$bogus_str;";
which will both work as long as $bogus_str is in scope, or this, which will work anywhere:
 $code = 'echo "' . addcslashes($bogus_str, '\"') . '";';
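
Added example, not part of the thread and not PHP project code: it compares quoting a value for eval() by escaping only the backslash and double quote against emitting a single-quoted literal with var_export(), and shows that the first still expands `$name` sequences when the generated code is parsed. The helper names and the sample strings are constructed for illustration.

```php
<?php
// Added example: turning an arbitrary string value into eval() input.
// quote_for_eval_weak/quote_for_eval_literal/run_generated are
// hypothetical helper names, not part of PHP or MODX.

// Escape backslash and double quote only, then wrap in double quotes.
function quote_for_eval_weak($s) {
    return '"' . addcslashes($s, '\"') . '"';
}

// var_export() returns a single-quoted PHP literal; "$name" and
// "{$expr}" are not interpolated inside single quotes.
function quote_for_eval_literal($s) {
    return var_export($s, true);
}

// Run generated code inside a function scope and capture what it echoes.
function run_generated($code) {
    $total = 'VALUE-FROM-EVAL-SCOPE'; // constructed local, visible to eval()
    ob_start();
    eval($code);
    return ob_get_clean();
}

// Constructed sample inputs.
$samples = array(
    '[[hello!]] brackets',   // the string from the report
    'say "hi" \\ bye',       // contains a double quote and a backslash
    'price: $total',         // contains a variable-like sequence
);

foreach ($samples as $s) {
    $weak = run_generated('echo ' . quote_for_eval_weak($s) . ';');
    $lit  = run_generated('echo ' . quote_for_eval_literal($s) . ';');
    printf("input:   %s\n", $s);
    printf("  weak:    %s (%s)\n", $weak, $weak === $s ? 'same' : 'CHANGED');
    printf("  literal: %s (%s)\n", $lit, $lit === $s ? 'same' : 'CHANGED');
}
```

Only the third sample comes back changed, and only under the weak quoting: the eval'd double-quoted string expands `$total` from the scope in which eval() runs.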
 