Comments on: Using Eval in PHP

By: Ali

Ali — Wed, 26 May 2010 04:35:07 +0000

I think this this benchmark is not real results.
when you call a page in browser, you will connect to a webserver.
web server opens php (as cgi, fast-cgi, etc…) and then, PHP first open the script, compile it and then parse it.

with timing method that you used, you not calculated these levels but parsing.
when you use eval(), PHP will compile PHP code.

unfortunately, PHP is an slow scripting language and because of this, there are dozen’s of compiler extensions for PHP like APC, ionCube, eAccelerator, Zend, …

because of this problem, I have writen my own database, webserver and my blog and forums systems with C running on CentOS.
It’s about 25x faster (in average) in my tests. (in some cases, more than 70x)

By: Joshua Eichorn

Joshua Eichorn — Fri, 08 May 2009 22:57:37 +0000

15, i doubt you can make it faster, debug_backtrace is slow

By: PHP security « The Struggle

PHP security « The Struggle — Sun, 03 May 2009 11:55:12 +0000

[...] If you have to then make sure you check the content of the string before you use it. Try this for more [...]

By: Erwin Haantjes

Erwin Haantjes — Sun, 12 Apr 2009 01:20:27 +0000

Hello, i have made a class function that makes it easier to deal with constructors and parent functions, it is also using eval to call the parent function. It is called inherited(), see example code below. But the question is, is it real slower? Does have anybody an idea (when speed is an issue) to get better perfomance?

Here it is:
Hi, i wanted to get rid off the parent::methodName(myVar1, myVar2, myVar3 etc…..) construction so i wrote a shortcut to this notation. The only thing you have to do is calling $this->inherited() (or parent::inherited()) to call the same function with the same parameters in the parent class. It is also possible to specify other parameters if you like (also by reference). You can also use this inside constructors/destructors. It is also possible (without rewriting an existing php4 ‘base’ class and it’s constructors/destructors) to use a php4 class as base class in php5, anyway look at the source code below.

IMPORTANT TO KNOW:
- $this->raise() is a custom error function, it displays trace info when called
- There are some defines used to display, these are not included in this demo (but doesn’t care)
- TObject is an custom base object that have the inherited() function as described below.

The function (used in base class of all objects):
public function inherited()
{
// Use DEBUG backtrace to trace caller function
$bt = debug_backtrace($this);
$bt = $bt[ 1 ]; // List is in reversed order, 0 reffers to this function so get previous one

if( !@count( $bt ))
{ $this->raise( ERR_DEBUGTRACE_INFO_INVALID ); }

$sFuncName = $bt["function"];
$sClassName = $bt["class"];
$sParentClassName = get_parent_class( $sClassName );

// check absurt situations to be sure
if( empty( $sClassName ) or empty( $sParentClassName ) or $sParentClassName == $sClassName )
{ $this->raise( str_replace( array( “%s1″, “%s2″ ), array( $sFuncName, $sClassName ), ERR_CANNOT_CALL_INHERITED )); }

// constructor or destructor called (or calls and old fashion way php 4 constructor or destructor)?
$bIsConstruct = false;
if( ( $bIsConstructor = ( $sFuncName == “__construct” ))
or ( $bIsDestructor = ( $sFuncName == “__destruct” ))
or ( $bIsConstruct = ( $sFuncName == $sClassName )) or ( $sFuncName == “_”.$sClassName ) )
{
// get parent constructor/destructor
$sFuncName = (( !$bIsConstructor and !$bIsConstruct ) ? “_” : “” ).$sParentClassName;

$bFunctionExist = method_exists( $sParentClassName, $sFuncName );
$bConstructorExist = ( $bIsConstructor or $bIsConstruct ) ? method_exists( $sParentClassName, “__construct” ) : false;
$bDestructorExist = ( !$bIsConstructor or !$bIsConstruct ) ? method_exists( $sParentClassName, “__destruct” ) : false;

if( $bConstructorExist or $bDestructorExist )
{
$sFuncName = ( $bConstructorExist ) ? “__construct” : “__destruct”; // preffer to call this
$bIsConstruct = !$bDestructorExist;
$bIsConstructor = false;
$bFunctionExist = true;
}
elseif( $bFunctionExist and !$bIsConstructor and !$bIsDestructor )
{ $bFunctionExist = ( $sFuncName != (( !$bIsConstruct ) ? “_” : “” ).$sClassName ); }

if( !$bFunctionExist )
{ $this->raise( str_replace( array( “%s1″, “%s2″ ), array( $sFuncName, $sParentClassName ), ( $bIsConstruct ) ? ERR_CANNOT_CALL_INHERITED_CONSTRUCTOR : ERR_CANNOT_CALL_INHERITED_DESTRUCTOR )); }
}
else { $bFunctionExist = method_exists( $sParentClassName, $sFuncName ); }

if( $bFunctionExist )
{
// If there are parameters specified, use these
$args = func_get_args();
if( ( $iCount = @count( $args )) 0 )
{
for( $i = 0; $i < $iCount; $i++ )
{ $sArgs.=”&$”.”args[$i]“.( $i raise( str_replace( array( “%s1″, “%s2″ ), array( $sFuncName, $sParentClassName ), ERR_CANNOT_CALL_INHERITED )); }
}

example (DEMO):
class TTest extends TObject
{
public function __construct()
{
$this->inherited();
}

public function __destruct()
{
print( “destructror called TTest\n” );
$this->inherited();
}

public function test(&$param1)
{
$param1 = $param1.” world”;
return $param1.” “.$this->className;
}
}

class TTest2 extends TTest
{
public function __construct()
{
$this->inherited();
}

public function __destruct()
{
print( “destructror called TTest2\n” );
$this->inherited();
}

public function test(&$param1)
{
return $this->inherited();
}
}

class TTest3 extends TTest2
{
public function __construct()
{
$this->inherited();
}

public function test(&$param1)
{
return $this->inherited();
}

public function __destruct()
{
print( “destructror called TTest3\n” );
$this->inherited();
}

}

$test = new TTest3();
$s = “hello”;
print( “\nOrginal reference string is : $s\n” );
print( “function result is : “.$test->test( $s ).”\n” );
print( “Modified reference string is: $s\n\n” );

So what do u think?

By: John Kleijn

John Kleijn — Sat, 06 Dec 2008 14:22:36 +0000

This benchmark is useless. You can’t compare the performance of already parsed code with unparsed code. Compare it against ‘include’ and we have something that actually says something other than, “yes, parsing code takes time”.

By: sharpskater69

sharpskater69 — Thu, 19 Jun 2008 19:24:06 +0000

good. consider using /\W/, much easier in your example. good though.

By: PHP security | TheStruggle

PHP security | TheStruggle — Fri, 22 Feb 2008 14:22:40 +0000

[...] dangerous. If you have to then make sure you check the content of the string before you use it. Try this for more [...]

By: Stefan Braunewell

Stefan Braunewell — Mon, 13 Feb 2006 15:17:29 +0000

Eval is not inherently slow, it just has a small constant run-time every time it’s called. To assess the speed of eval() php parsing itself, you can put the for-loop inside the eval function. Results:

Eval: 1000000 times took 8.4494090080261
Same code not eval: 1000000 times took 0.83726000785828
Loop in eval took 1.0076489448547

You can see: executing code in eval is not the problem – envoking it so many times is.

By: Joshua Eichorn

Joshua Eichorn — Mon, 21 Nov 2005 15:16:48 +0000

Jorge:
In a situation like that is no great way to garentee security. What you’ll want to do is remove the runtime eval by just writing the new code to files (helps performance too) and then focus on making sure that only the admin can write new code.

By: Jorge

Jorge — Mon, 21 Nov 2005 09:43:56 +0000

Hello, its a very interesting article. I am building a cms and considered eval to allow the cms admin to write modules on the fly using php and eval. I know that eval is quite dangerous and that’s why I’m lookig for information about coding it safely. What do you think about it? Should I try something different? Do you think it is possible to make it safely anyway?

Jorge