Defining a bunch of functions with eval (PHP)

Defining a bunch of functions with eval (PHP) - php

Is this anywhere near something acceptable? I need a function for each HTML tag, and they need to be defined for later use in a Heredoc string. This is my code so far.
<?php
$tags = array (h1, h2, h3, b, i);
foreach ($tags as $key => $value)
{
eval ('function '.$value.' ($str) { return "<'.$value.'>$str</'.$value.'>"; }');
}
This basically takes care of the Heredoc problem concerning functions within heredoc. A quick example:
<<<example
<h1>This is ordinary HTML</h1>
{$h1('This is HTML via. PHP')}
example;
I did all the code over by heart, so please don't be suprised if they contain any errors. I haven't executed the eval-function yet, but it looks alright. Anyway, my question would be: Is this okay, or is it better to go do it the hard-way:
function h1 ($str) { return ...; }
function h2 ($str) { return ...; }
function h3 ($str) { return ...; }
function b ($str) { return ...; }
function i ($str) { return ...; }
And so on ..?

You could use the create_function provided by PHP but...Since the code is simple why not just use one function to rule them all?
function createTag($tag, $text) {
return "<{$tag}>{$text}</{$tag}>";
}
Should do what you are after.
As an after thought, you might want to check out the PHP DOM as that would probably be the route to go, but will take some time to learn and get used to using it.

If you could live with a more elaborate:
<h1>This is ordinary HTML</h1>
{$h->h1("This is HTML via PHP.")}
Then it would suffice to define a single:
class html {
function __call($name, $args) {
return "<$name>$args[0]</$name>";
}
}
$h = new html();
Would be faster than multiple eval roundtrips to define functions.

If you're going to use an ugly hack anyway, I'd much rather do:
function create_html($tag, $val) {
return "<{$tag}>{$val}</{$tag}>";
}
$html = 'create_html';
<<<example
<h1>Test</h1>
{$html('h2','Another test')}
example;

If you're on PHP 5.3, you could use closures. Far superior to create_function. Avoid eval().

Related

Pass multiple parameters to a blade directive

I'm trying to create a blade directive to highlight some words that will return from my search query.
This is my blade directive:
class AppServiceProvider extends ServiceProvider
{
public function boot()
{
Blade::directive('highlight', function($expression, $string){
$expressionValues = preg_split('/\s+/', $expression);
foreach ($expressionValues as $value) {
$string = str_replace($value, "<b>".$value."</b>", $string);
}
return "<?php echo {$string}; ?>";
});
}
public function register()
{
}
}
And I call in blade like this:
#highlight('ho', 'house')
But, this erros is following me:
Missing argument 2 for App\Providers\AppServiceProvider::App\Providers\{closure}()
How to solve it?

For associative arrays, eval() may be the easiest. But its use is adverted as dangerous, because it's like your opening a hole, a needle for code execution. In same time eval() execute at runtime, well it store the code to be executed in database (caching [well it mean it cache compiled byte code]). That's additional overhead, so performance will take a hit. Here's a nice paper on the topic [didn't read or get into the details]) https://link.springer.com/chapter/10.1007%2F978-981-10-3935-5_12.
Well here I may have got you!, there is no performance difference at server serving performance, because views are cached, and generated only when you change them. Directives are translated to php code and in another process they are cached. (you can find the generated view in storage/framework/views)
So for
Blade::directive('custom', function ($expression) {
eval("\$myarray = [$expression];");
// do something with $myarray
return "<?php echo ..";
});
It's just ok. There is nothing to talk about for eval() and performance (it's done and cached, and the generated php code is the one that will run over and over (just make sure the returned php code by the directive doesn't hold eval(), unless there is a reason). Using eval() directly (which will be used for different request over and over) will impact performance.
(I wanted to talk about eval(), I think those are useful info)
as it is we can parse array form ["sometin" => "i should be sting", "" => "", ...].
eval("\$array = $expression;");
// then we can do what we want with $array
However we can't pass variables. ex: #directive(["s" => $var])
if we use eval, $var will be undefined in the directive function scope. (don't forget that directive are just a way to generate tempalte beautifully, and turning the ugly (not really ugly) php code into such directive. In fact it's the inverse, we are turning the beautiful directive to the php code that will be executed at the end. And all you are doing here is generating, building, writing the expression that will form the final php pages or files.)
What you can do instead is to pass the variable in this way
["s" => "$var"] , so it will pass through eval. And then in your return statement, use it example:
return "<?php echo ".$array['s'].";?>";
when the template will be generated this will be <?php echo $var;?>;
Remember, if you decide to use eval, never use it within the returned string! or maybe you want to in some cases.
Another solution
(which is easy) along to the proposed parsing solutions, is to use a json format to passe data to your directive, and just use json_decode. (it just came to me)
class AppServiceProvider extends ServiceProvider
{
public function boot()
{
Blade::directive('highlight', function($json_expression){
$myArray = json_decode($json_expression)
// do something with the array
});
}
public function register()
{
}
}
Here an example where I needed to do so:
the goal is to automate this
#php
$logo = !empty($logo) ? $logo : 'logo';
$width = !empty($width) ? $width : 'logo';
//... // wait i will not always keep doing that ! h h
#endphp // imaging we do that for all different number of view components ...
and so I wrote this directive:
public function boot()
{
Blade::directive('varSet', function ($expr) {
$array = json_decode($expr, true);
$p = '<?php ';
foreach ($array as $key => $val) {
if (is_string($val)) {
$p .= "\$$key = isset(\$$key) && !empty(\$$key) ? \$$key : '$val'; ";
} else {
$p .= "\$$key = isset(\$$key) && !empty(\$$key) ? \$$key : $val; ";
}
}
$p .= '?>';
return $p;
});
}
We use it like this:
#varSet({
"logo": "logo",
"width": 78,
"height": 22
})// hi my cool directive. that's slick.
Why this form work? it get passed as a string template like this
"""
{\n
"logo": "logo",\n
"width": 78,\n
"height": 22\n
}
"""
For using in template variable pass them as string like that "$var", same as what we did with eval.
For parsing from ["" => "", ..] format may be eval() is the best choice. Remember that this is done at template generation which are cached later, and not updated, until we make change again. And remember to not use eval() within the return ; directive instruction. (only if your application need that)
for just multi arguments, and so not an array:
A function like that will do the job:
public static function parseMultipleArgs($expression)
{
return collect(explode(',', $expression))->map(function ($item) {
return trim($item);
});
}
or
public static function parseMultipleArgs($expression)
{
$ar = explode(',', $expression);
$l = len($ar);
if($l == 1) return $ar[0];
for($i = 0; $i < $l; $i++){$ar[$i] = trim($ar[$i])}
return $ar;
}
and you can tweak them as you like, using str_replace to remove things like () ...etc [in short we workout our own parsing. RegEx can be helpful. And depend on what we want to achieve.
All the above are way to parse entries and separate them into variables you use for generating the template. And so for making your return statement.
WHAT IF ALL YOU WANT IS TO HAVE YOUR DIRECTIVE TAKE AN ARRAY WITH VARIABLES FROM THE VIEW SCOPE:
like in #section('', ["var" => $varValue])
Well here particulary we use the multi arguments parsing, then we recover ["" => ..] expression separately (and here is not the point).
The point is when you want to pass an array to be used in your code (view scope). You just use it as it is. (it can be confusing).
ex:
Blade::directive("do", function ($expr) {
return "<?php someFunctionFromMyGlobalOrViewScopThatTakeArrayAsParameter($expr); ?>
});
This will evaluate to
<?php someFunctionFromMyGlobalOrViewScopThatTakeArrayAsParameter(["name" => $user->name, .......]); ?>
And so all will work all right. I took an example where we use a function, you can put all a logic. Directives are just a way to write view in a more beautiful way. Also it allow for pre-view processing and generation. Quiet nice.

Blade::directive('custom', function ($expression) {
eval("\$params = [$expression];");
list($param1, $param2, $param3) = $params;
// Great coding stuff here
});
and in blade template:
#custom('param1', 'param2', 'param3')

I was searching for this exact solution, then decided to try something different after reading everything and ended up coming up with the solution you and I were both looking for.
No need for JSON workarounds, explodes, associative arrays, etc... unless you want that functionality for something more complex later.
Because Blade is just writing out PHP code to be interpreted later, whatever you've placed into your #highlight directive is the exact PHP code in string format that will be interpreted later.
What to Do:
Make and register a helper function that you can call throughout your application. Then use the helper function in your blade directive.
Helper Definition:
if(!function_exists('highlight')){
function highlight($expression, $string){
$expressionValues = preg_split('/\s+/', $expression);
foreach ($expressionValues as $value) {
$string = str_replace($value, "<b>".$value."</b>", $string);
}
return $string;
}
}
Blade Directive:
Blade::directive('highlight', function ($passedDirectiveString){
return "<?php echo highlight($passedDirectiveString);?>";
});
Usage (Example):
<div>
#highlight('ho', 'house')
</div>
Understanding:
This is equivalent to writing out:
<div>
{! highlight('ho', 'house') !}
</div>

I think you can only pass one parameter. It's not pretty but you could pass your parameters as an array like so:
#highlight(['expression' => 'ho', 'string' => 'house'])
So your directive could be
class AppServiceProvider extends ServiceProvider
{
public function boot()
{
Blade::directive('highlight', function($array){
$expressionValues = preg_split('/\s+/', $array['expression']);
foreach ($expressionValues as $value) {
$array['string'] = str_replace($value, "<b>".$value."</b>", $array['string']);
}
return "<?php echo {$array['string']}; ?>";
});
}
public function register()
{
}
}
Found it here: https://laracasts.com/discuss/channels/laravel/how-to-do-this-blade-directive

The best way to accomplish this task is exactly as #Everrett suggested.
I checked through the blade code, and this is exactly how the laravel team has to do it as well.
If you look through vendor/laravel/framework/src/Illuminate/View/Compilers/Concerns/CompilesHelpers.php, at the compileDd function, you'll notice that they use $arguments instead of $expression like they do in all of the other compile functions found in vendor/laravel/framework/src/Illuminate/View/Compilers/Concerns/
// CompilesHelpers.php
protected function compileDd($arguments)
{
return "<?php dd{$arguments}; ?>";
}
//CompilesConditionals.php
protected function compileIf($expression)
{
return "<?php if{$expression}: ?>";
}
And if you look at vendor/symfony/var-dumper/Resources/functions/dump.php you'll see that Laravel handles variable arguments with ... splat notation in the dd function.
if (!function_exists('dd')) {
function dd(...$vars)
{
}}
So you could do a directive like: (I put my custom function in app\helpers)
If you do the same, you need to make sure to escape the backslashes.
Blade::directive('customFunc', function ($expression) {
return "<?php \\App\\Helpers\\customFunc({$arguments}); ?>";
});
and a custom function like:
/**
* Custom function to demonstrate usage
* #param mixed ...$args
* #return void
*/
function customFunc(...$args): void {
// Extract variables //
// Use pad to get expected args, and set unset to null //
list($arg1, $arg2, $arg3) = array_pad($args, 3, null);
// Echo out args //
echo "arg1: ${arg1} | arg2: ${arg2} | arg3: {$arg3}";
}
run php artisan view:clear
And then use the directive:
<div>
#customFunc('hello','wonderful', 'world')
</div>
// Returns:
arg1: hello | arg2: wonderful | arg3: world
// Using
<div>
#customFunc('hello', 'world')
</div>
// Returns:
arg1: hello | arg2: world | arg3:
The best reason to do it this way is so that if your function evolves or changes, you only need to modify the underlining function. You wont have to clear views every time you change the code.

I found an alternative approach to accessing View variables within a Blade Directive.
I wanted to check whether a given string appeared as an array key in a variable accessible in the view scope.
As the Blade Directive returns PHP which is evaluated later, it is possible to 'trick' the Directive by breaking up a variable name so that it doesn't try to parse it.
For example:
Blade::directive('getElementProps', function ($elementID) {
return "<?php
// Reference the $elementData variable
// by splitting its name so it's not parsed here
if (array_key_exists($elementID, $" . "elementData)) {
echo $" . "elementData[$elementID];
}
?>";
});
In this example we have split the $elementData variable name so the Blade Directive treats it like a string. When the concatenated string is returned to the blade it will be evaluated as the variable.

Blade::directive('highlight', function($arguments){
list($arg1, $arg2) = explode(',',str_replace(['(',')',' ', "'"], '', $arguments));
$expressionValues = preg_split('/\s+/', $arg1);
$output = "";
foreach ($expressionValues as $value) {
$output .= str_replace($value, "<b>".$value."</b>", $arg2);
}
return "<?php echo \"{$output}\"; ?>";
});

The value received on blade directive function is a sting, so, you must parse to get the values:
BLADE
#date($date, 'd-M-Y')
AppServiceProvider
Blade::directive('date', function ($str) {
// $str = "$date, 'd-M-Y'";
$data = explode(',',str_replace(' ', '', $str));
//$data = ["$date", "'d-M-Y'"]
$date = $data[0];
$format = $data[1];
return "<?= date_format(date_create($date), $format) ?>";
});

If you want to reference variables within a custom blade directive you may not need to pass them directly to the directive. I solved this problem by calling the blade directive from within a blade component. Blade components have local variable scope and so you can simply pass all the variables you need within the call to the blade component (without polluting your view scope). This is sufficient so long as you don't actually need to modify the variables or use them for control logic in your directive.
//view.blade.php
#component('my-component',['myVar1'=> $something, 'myVar2'=>$somethingElse])
#endcomponent
//my-component.blade.php
#myBladeDirective('Two variables accessible')
//Boot method of relevant service provider
Blade::directive('myBladeDirective', function ($someVar) {
return "<?php echo $someVar : {$myVar1} and {$myVar2};?>
});

How to secure a template engine in PHP from injection

I am currently trying to create a simple template engine in PHP. The main thing I care about is security, however template tutorials do not. Lets say I have a database table with a username and his description. The user can type whatever he wants there.
My guess would be to use htmlspecialchars() function, to prevent javascript and html injection. But what about 'template code injection'? If my template rule is to replace [#key] to "value", the user can update his description that interferes with my template handler. Should I treat "[", "#", "]" as special characters and replace them with their ascii code when using my set method?
template.php:
class Template {
protected $file;
protected $values = array();
public function __construct($file) {
$this->file = $file;
}
public function set($key, $value) {
$this->values[$key] = $value;
}
public function output() {
if (!file_exists($this->file)) {
return "Error loading template file ($this->file).";
}
$output = file_get_contents($this->file);
foreach ($this->values as $key => $value) {
$tagToReplace = "[#$key]";
$output = str_replace($tagToReplace, $value, $output);
}
return $output;
}
}
example.tpl:
Username: [#name]
About me: [#info]
index.php:
include 'template.php';
$page = new Template('example.tpl');
$page->set('info', '[#name][#name][#name]I just injected some code.');
$page->set('name', 'Tom');
echo $page->output();
This would display:
Username: Tom
About me: TomTomTomI just injected some code.
The code I used is based on:
http://www.broculos.net/2008/03/how-to-make-simple-html-template-engine.html

Change your function to search in the unchanged template only once for the known keys:
public function output() {
if (!file_exists($this->file)) {
return "Error loading template file ($this->file).";
}
$output = file_get_contents($this->file);
$keys = array_keys($this->values);
$pattern = '$\[#(' . implode('|', array_map('preg_quote', $keys)) . ')\]$';
$output = preg_replace_callback($pattern, function($match) {
return $this->values[$match[1]];
}, $output);
return $output;
}

I was thinking about it and I think this solution is fastest and simplest:
foreach ($this->values as $key => $value) {
$tagToReplace = "[#$key]";
if (strpos($output, "[#$value]") !== FALSE)
$value = '['.substr($value,1,-1).']';
$output = str_replace($tagToReplace, $value, $output);
}
It replaces brackets in value with html entity string if [$value] is in output.
Used this html entity list
For future adopters:
This kind of solution is OK if Template Parser is implemented by loading non-interpeted/non-evaled file (as is OP's case by loading local file using file_get_contents). However, if it's implemented by INCLUDING PHP view, beware that this check won't handle the case when you put some user-modifiable data from database into view directly (without using parser, e.g. <?=$var;?>) and then use template parser for this view. In that case, parser has no way to know if these data are part of template structure and this check won't work for them. (I don't know how should this case be handled properly.) Anyhow, I think best practice is to never pass sensitive data to template parser, even if you don't use them in your template. When attacker then tricks parser to eval his custom data, he won't get information he didn't already have. Even better, don't use template parser.

Preg_replace Template replacement which doesn't cause undefined index errors

I have a template which has certain fields which are to be replaced with a given value.
The fields each have a name which is enclosed with curly brackets. For instance: {address}
The replacement values are included in an array where the index is the name. For instance array('address'=>'101 Main Street', 'city’=>'New York')
I am using the following, and it works great (most of the time)
$template_new= preg_replace('/\{\?(\w+)\?\}/e', '$array["$1"]', $template);
Problem is if I have a {bad_name} which is not in the array, I get the following error:
Notice: Undefined index: xxx in
/var/www/classes/library.php(860) : regexp code on line
1
My desire is to leave these in place without changing them.
My first thought was to replace $array["$1"] with (isset($array["$1"])?$array["$1"]': '{'.$1.'}'), but it didn’t work.
I also tried try/catch, but it also didn’t help
Please provide any recommendations. Thank you

You'd have better luck with preg_replace_callback() and doing something like this:
<?php
class Substitute {
public function __construct($template) {
$this->template = $template;
$this->values = array();
}
public function run($values) {
$this->values = $values;
return preg_replace_callback('/\{\?(\w+)\?\}/', array($this, 'subst'), $this->template);
}
private function subst($matches) {
if (isset($this->values[$matches[1]])) {
return $this->values[$matches[1]];
}
// Don't bother doing the substitution.
return $matches[0];
}
}
Keep in mind, I typed that in off the top of my head, so there may be bugs.
Here's how you'd do much the same thing with anonymous functions, assuming you're able to use them:
function substitute($template, $values) {
return preg_replace_callback(
'/\{\?(\w+)\?\}/',
function ($matches) use ($values) {
if (isset($values[$matches[1]])) {
return $values[$matches[1]];
}
// Don't bother doing the substitution.
return $matches[0];
},
$template);
}
Much more compact!

Replace in each paragraph

In $var there is some code. I'm trying to operate a nl2br() on text inside each <p></p>.
echo preg_replace('/<p>(.*?)</p>/i', nl2br('${1}'), $var);
This code doesn't work.
How do I fix this?

You probably need to escape <\/p>

It looks like preg_replace_callback might be what you're looking for: http://us3.php.net/manual/en/function.preg-replace-callback.php
ETA: In your specific example, you could either use an anonymous function (only if you're doing this once or twice, otherwise it eats up memory) or define a helper function
function nl2br_wrapper($matches)
{
return "<p>".nl2br($matches[1])."</p>";
}
preg_replace_callback('/<p>(.*?)<\/p>/si', "nl2br_wrapper", $var);

Like kernal mentions you could use an anonymous function(PHP 5)
function replaceText($data, $html)
{
$callback = function ($matches) use ($data){
return ( isset($data[$matches[1]]) )
? nl2br($data[$matches[1]])
: $matches[0];
};
return preg_replace_callback(
'/\<p>(.*?)\</p>',
$callback,
$html);
}
echo replaceText($replace_with, $html);

PHP call_user_func vs. just calling function

I'm sure there's a very easy explanation for this. What is the difference between this:
function barber($type){
echo "You wanted a $type haircut, no problem\n";
}
call_user_func('barber', "mushroom");
call_user_func('barber', "shave");
... and this (and what are the benefits?):
function barber($type){
echo "You wanted a $type haircut, no problem\n";
}
barber('mushroom');
barber('shave');

Always use the actual function name when you know it.
call_user_func is for calling functions whose name you don't know ahead of time but it is much less efficient since the program has to lookup the function at runtime.

Although you can call variable function names this way:
function printIt($str) { print($str); }
$funcname = 'printIt';
$funcname('Hello world!');
there are cases where you don't know how many arguments you're passing. Consider the following:
function someFunc() {
$args = func_get_args();
// do something
}
call_user_func_array('someFunc',array('one','two','three'));
It's also handy for calling static and object methods, respectively:
call_user_func(array('someClass','someFunc'),$arg);
call_user_func(array($myObj,'someFunc'),$arg);

the call_user_func option is there so you can do things like:
$dynamicFunctionName = "barber";
call_user_func($dynamicFunctionName, 'mushroom');
where the dynamicFunctionName string could be more exciting and generated at run-time. You shouldn't use call_user_func unless you have to, because it is slower.

With PHP 7 you can use the nicer variable-function syntax everywhere. It works with static/instance functions, and it can take an array of parameters. More info at https://trowski.com/2015/06/20/php-callable-paradox
$ret = $callable(...$params);

I imagine it is useful for calling a function that you don't know the name of in advance...
Something like:
switch($value):
{
case 7:
$func = 'run';
break;
default:
$func = 'stop';
break;
}
call_user_func($func, 'stuff');

There are no benefits to call it like that, the word user mean it is for multiple user, it is useful to create modification without editing in core engine.
it used by wordpress to call user function in plugins
<?php
/* main.php */
require("core.php");
require("my_plugin.php");
the_content(); // "Hello I live in Tasikmalaya"
...
<?php
/* core.php */
$listFunc = array();
$content = "Hello I live in ###";
function add_filter($fName, $funct)
{
global $listFunc;
$listFunc[$fName] = $funct;
}
function apply_filter($funct, $content)
{
global $listFunc;
foreach ($listFunc as $key => $value)
{
if ($key == $funct and is_callable($listFunc[$key]))
{
$content = call_user_func($listFunc[$key], $content);
}
}
echo $content;
}
function the_content()
{
global $content;
$content = apply_filter('the_content', $content);
echo $content;
}
....
<?php
/* my_plugin.php */
function changeMyLocation($content){
return str_replace('###', 'Tasikmalaya', $content);
}
add_filter('the_content', 'changeMyLocation');

in your first example you're using function name which is a string. it might come from outside or be determined on the fly. that is, you don't know what function will need to be run at the moment of the code creation.

When using namespaces, call_user_func() is the only way to run a function you don't know the name of beforehand, for example:
$function = '\Utilities\SearchTools::getCurrency';
call_user_func($function,'USA');
If all your functions were in the same namespace, then it wouldn't be such an issue, as you could use something like this:
$function = 'getCurrency';
$function('USA');
Edit:
Following #Jannis saying that I'm wrong I did a little more testing, and wasn't having much luck:
<?php
namespace Foo {
class Bar {
public static function getBar() {
return 'Bar';
}
}
echo "<h1>Bar: ".\Foo\Bar::getBar()."</h1>";
// outputs 'Bar: Bar'
$function = '\Foo\Bar::getBar';
echo "<h1>Bar: ".$function()."</h1>";
// outputs 'Fatal error: Call to undefined function \Foo\Bar::getBar()'
$function = '\Foo\Bar\getBar';
echo "<h1>Bar: ".$function()."</h1>";
// outputs 'Fatal error: Call to undefined function \foo\Bar\getBar()'
}
You can see the output results here: https://3v4l.org/iBERh it seems the second method works for PHP 7 onwards, but not PHP 5.6.

We Keep Coding

PHP, A popular general-purpose scripting language that is especially suited to web development.

Defining a bunch of functions with eval (PHP) - php

If you're going to use an ugly hack anyway, I'd much rather do: function create_html($tag, $val) { return "<{$tag}>{$val}</{$tag}>"; } $html = 'create_html'; <<<example <h1>Test</h1> {$html('h2','Another test')} example;

If you're on PHP 5.3, you could use closures. Far superior to create_function. Avoid eval().

Related

Pass multiple parameters to a blade directive

How to secure a template engine in PHP from injection

Preg_replace Template replacement which doesn't cause undefined index errors

Replace in each paragraph

PHP call_user_func vs. just calling function

Categories

Resources