[e_i_pi]

I've reached an interesting point in some of my code where the use of eval() is necessitated. Out of interest, I'm wondering what other situations developers have found the need to use eval(). I'll explain my situation first, to kick things off...

I'm developing an online board game creator, where users can define their own board games from top to bottom, and amongst this is the ability to define your own "Win Conditions" from pre-defined components called "Win Condition Rules". As a for instance, someone may create a Win Condition that is defined as such:

Rule1
OR (
  Rule2
  AND Rule3
) OR Rule4

Due to the fact that these rules are stored in a database, the Rules need to be stored as IDs, along with the boolean operators that seperate them, and any aggregating factors (i.e. - brackets). As such, when it comes to determining if a Win Condition is met, the rules themselves need to be evaluated out into OO code that looks like this:

DefeatAllOpponents::IsMet($params)
|| (
  CaptureTerritories::IsMet($params)
  && CaptureZones::IsMet($params)
) || CaptureAndHoldKeyTerritory($params)

Obvisouly, once I have a nested array structure given in the first code block above, generating a PHP string of the second code block is reasonably trivial. After this, the code block needs to be evaluated using the eval() function. Overall I think it's a neat solution, as it retains the dynamism of users being able to create rich and complex Win Conditions, while also avoiding the problem of user entered strings that may cause a security issue on the server during evaluation.

Anyone else got stories of where they have used eval() as a necessity?

[Duckington]

I have never found it to be required in any circumstance.

[andrewsw]

I found it convenient (in Javascript) to use eval() when creating a date-formatting function, a part of which is shown here:

        DD = ( D < 10 ? "0" : "" ) + D,
        MM = ( M < 10 ? "0" : "" ) + M,
        NN = ( N < 10 ? "0" : "" ) + N, 
        SS = ( S < 10 ? "0" : "" ) + S,
        ZZZ = ( Z < 10 ? "00" : (Z < 100 ? "0" : "") ) + Z, XX;
    var AP = (sFormat && (sFormat.toUpperCase().indexOf('AP')+1)) ? 
        ((sFormat.indexOf('ap')+1) ? ap : ap.toUpperCase()) : '';
    if (twelve || AP) {
        H = (H < 12) ? (H || 12) : ((H - 12) || 12);
    }
    var HH = ( H < 10 ? "0" : "" ) + H;
    XX = (D == 1 || D == 21 || D == 31) ? "st" : 
        ((D == 2 || D == 22) ? "nd" : ((D == 3 || D == 23) ? "rd" : "th"));
    sFormat = ( sFormat ) ? sFormat.toUpperCase() : 'YYYY/MM/DD';
    var sParsed = sFormat.replace(/D{1,4}|M{1,4}|Y{2,4}|H{1,2}|N{1,2}|S{1,2}|Z{1,3}|XX|AP/g,
        function (m) {
            try {
                return eval(m);
            } catch (e) {
                return '';
            }
        });
    return sParsed;

eval() is only called on variations of D, DD, MM, etc., and completely ignored otherwise, preventing any injection.

Nevertheless, I also wrote a version that didn't use eval(). The version with eval() was slightly more convenient, but not a necessity.

This post has been edited by andrewsw: 19 March 2013 - 03:02 PM

[Shaymus]

One of my projects uses the eval() function, a templating engine that allows you to use PHP in your templates.

[Dormilich]

though that brings up (at least for me) the question, why would you want to have executable code in a template?

[chtombleson]

The use of eval in PHP is a dangerous thing esspecially if your evaluating user input, which should never be done!
They should really re-name eval to evil.

However with that said some templating engines do use eval in a safe manner. If you are going to use eval you will want to sandbox it or only allow certain functions and statements.