deadpixelstudios
Posted November 29, 2012

I have a WordPress site that uses a plugin that involves eval(). Unfortunately, the hosting company for the people I'm developing the site for won't allow eval to be used due to the security risks. I was just wondering if there was anyone out there who could help me come up with an alternative.

Here's the code from the plugin that I've narrowed it down to:

<code>
function widget( $args, $instance ) {
    extract($args);
    $title = apply_filters( 'widget_title', empty($instance['title']) ? '' : $instance['title'], $instance );
    $text = apply_filters( 'widget_execphp', $instance['text'], $instance );
    echo $before_widget;
    if ( !empty( $title ) ) {
        echo $before_title . $title . $after_title;
    }
    // Run the stored widget text as PHP and capture whatever it prints.
    ob_start();
    eval('?>'.$text);
    $text = ob_get_contents();
    ob_end_clean();
    ?>
    <div class="execphpwidget"><?php echo $instance['filter'] ? wpautop($text) : $text; ?></div>
    <?php
    echo $after_widget;
}
</code>

Is there a workaround that achieves the same thing without using the eval() statement? Sorry, I'm just a novice PHP programmer, so any help would be greatly appreciated.

Cheers
Joe

PFMaBiSmAd
Posted November 29, 2012

It would be kind of nice if you posted an example of what the $text being put into the eval() statement is. If it doesn't contain any PHP code, there's no point in using eval on it.

deadpixelstudios
Posted November 29, 2012

Hi,

Thanks for getting back to me. It is PHP code that is in the text:

<code>
<?php
mysql_connect("localhost", "******", "******") or die(mysql_error());
mysql_select_db("dp_sffe") or die(mysql_error());
$data = mysql_query("SELECT * FROM footerRow1");
while($info = mysql_fetch_array( $data ))
{
    Print "<h3 class='footer_h3'>".$info['title'] ."</h3>
    <ul>
    <li><a href=".$info['link1'] .">".$info['opt1'] ."</a></li>
    <li><a href=".$info['link2'] .">".$info['opt2'] ."</a></li>
    <li><a href=".$info['link3'] .">".$info['opt3'] ."</a></li>
    <li><a href=".$info['link4'] .">".$info['opt4'] ."</a></li>
    </ul>";
}
?>
</code>

PFMaBiSmAd
Posted November 29, 2012

You would need to make a unique temporary file (see tmpfile), write the PHP code to the file, include the file, and use output buffering to capture the output from the code.

Btw, ob_get_clean does the same thing as the two ob_ statements in the existing code.
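
One way to produce the same footer without executing stored code at all, as an added example that is not part of the thread or the plugin: the widget text holds only a renderer name that is looked up in an allowlist, and the output is captured with ob_get_clean as mentioned above. The function names, the `footer_row1` key and the sample rows are constructed for illustration; in WordPress the rows would come from the database, and esc_html()/esc_url() would normally do the escaping.

```php
<?php
// Added example: the stored widget text names a renderer; no stored PHP runs.

// Constructed sample rows standing in for the footerRow1 query result.
function sample_footer_rows(): array {
    return [[
        'title' => 'Company',
        'link1' => '/about',           'opt1' => 'About us',
        'link2' => '/contact?a=1&b=2', 'opt2' => 'Contact <us>',
    ]];
}

// Fixed renderer replacing the PHP that used to live in the widget text.
function render_footer_row(array $rows): void {
    foreach ($rows as $info) {
        $title = htmlspecialchars($info['title'] ?? '', ENT_QUOTES, 'UTF-8');
        echo "<h3 class='footer_h3'>$title</h3>\n<ul>\n";
        for ($i = 1; $i <= 4; $i++) {
            if (empty($info["link$i"])) {
                continue; // skip unused link slots
            }
            // Escape every database value before it reaches the markup.
            $href = htmlspecialchars($info["link$i"], ENT_QUOTES, 'UTF-8');
            $text = htmlspecialchars($info["opt$i"] ?? '', ENT_QUOTES, 'UTF-8');
            echo "<li><a href=\"$href\">$text</a></li>\n";
        }
        echo "</ul>\n";
    }
}

// Allowlist: the only code a widget can trigger (hypothetical names).
const WIDGET_RENDERERS = ['footer_row1' => 'render_footer_row'];

function run_widget(string $text, array $rows): string {
    $name = trim($text);
    if (!array_key_exists($name, WIDGET_RENDERERS)) {
        // Anything else is treated as data: escaped, never executed.
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
    ob_start();
    call_user_func(WIDGET_RENDERERS[$name], $rows);
    return ob_get_clean(); // replaces ob_get_contents() + ob_end_clean()
}

echo run_widget('footer_row1', sample_footer_rows());
echo run_widget('<?php phpinfo(); ?>', []), "\n"; // printed as text, not run
```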