I've been going through the code of a WordPress plugin and found the following:
eval( '?>' . $foo . '<?php ' );
I'm curious if there is some specific situation I'm unaware of that this would be the right way to output the $foo variable. Is this just a case of the plugin author being wacky or is there something I should know? I would have just used
Thanks for all the great feedback. I'm face palming now that I didn't think of the template scenario. Specifically, this happens in the WP Super Cache plugin. I guess I'll have to have a closer look to see if it's necessary. I thought Super Cache cached the HTML output by WordPress after all the PHP had already been processed...
In this instance, $foo is a string that (presumably) can contain in-lined PHP code. As such, to execute this PHP code, the string needs to be
That said, the use of eval is generally frowned upon, apart from in a very narrow set of circumstances, as it can lead to the execution of malicious code. (i.e.: If there's any possibility that $foo is a user-provided string, then use of eval could lead to disastrous consequences.)
See the existing when is eval evil in php? question/answers for more information.
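The difference the thread describes, as an added example that is not part of the original question or answers and is not WP Super Cache's code: the same string passed through echo, through the eval construct from the question, and through an allowlisted placeholder renderer that never compiles the string as PHP. The function names, the {{tag}} placeholder syntax and the sample strings are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/* Constructed sample: a stored page fragment that still contains inline PHP. */
$foo = '<p>Sum: <?php echo 2 + 3; ?>, user: <?php echo strtoupper("guest"); ?></p>';

/* echo treats the string as data, so the PHP tags are emitted verbatim. */
function render_with_echo(string $tpl): string
{
    ob_start();
    echo $tpl;
    return ob_get_clean();
}

/* The construct from the question: the leading closing tag makes eval() parse
   the string the way a .php file is parsed (HTML passes through, PHP blocks
   run); the trailing opening tag puts the parser back in PHP mode. */
function render_with_eval(string $tpl): string
{
    ob_start();
    eval('?>' . $tpl . '<?php ');
    return ob_get_clean();
}

/* Alternative for dynamic fragments (hypothetical helper): {{tag}} placeholders
   resolved through an allowlist of callbacks. Nothing in the string is ever
   compiled as PHP, and unknown tags come back as escaped text. */
function render_with_placeholders(string $tpl, array $handlers): string
{
    return preg_replace_callback(
        '/\{\{\s*([a-z_]+)\s*\}\}/',
        static function (array $m) use ($handlers): string {
            $out = isset($handlers[$m[1]]) ? (string) $handlers[$m[1]]() : $m[0];
            return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
        },
        $tpl
    ) ?? '';
}

$handlers = ['sum' => static fn () => 2 + 3];

echo render_with_echo($foo), "\n";   /* PHP tags appear as literal text */
echo render_with_eval($foo), "\n";   /* PHP blocks inside the string are run */
echo render_with_placeholders('<p>Sum: {{ sum }}, other: {{ unknown }}</p>', $handlers), "\n";
```

Only the second call compiles the string's content as PHP, which is why the origin of $foo decides whether the construct is acceptable.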
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki