deadpixelstudios Posted November 29, 2012 Share Posted November 29, 2012 I have a wordpress site that uses a plugin that involves eval(). Unfortunately the hosting company for the people I'm developing the site for won't allow eval to be used due to the security risks. I was just wondering if there was anyone out there who could help me come up with an alternative. Here's the code from the plugin that I've narrowed it down to: <code> function widget( $args, $instance ) { extract($args); $title = apply_filters( 'widget_title', empty($instance['title']) ? '' : $instance['title'], $instance ); $text = apply_filters( 'widget_execphp', $instance['text'], $instance ); echo $before_widget; if ( !empty( $title ) ) { echo $before_title . $title . $after_title; } ob_start(); eval('?>'.$text); $text = ob_get_contents(); ob_end_clean(); ?> <div class="execphpwidget"><?php echo $instance['filter'] ? wpautop($text) : $text; ?></div> <?php echo $after_widget; } </code> Is there a work around that achieves the same thing without using the eval() statement. Sorry I'm just a novice php programmer so any help would be greatly appreciated. Cheers Joe Link to comment https://forums.phpfreaks.com/topic/271344-eval-alternative/ Share on other sites More sharing options...
PFMaBiSmAd Posted November 29, 2012 Share Posted November 29, 2012 It would be kind of nice if you posted an example of what the $text being put into the eval() statement is? If it doesn't contain any php code, there's no point in using eval on it. Link to comment https://forums.phpfreaks.com/topic/271344-eval-alternative/#findComment-1396168 Share on other sites More sharing options...
deadpixelstudios Posted November 29, 2012 Author Share Posted November 29, 2012 Hi Thanks for getting back to me It is php code that is in the text <?php mysql_connect("localhost", "******", "******") or die(mysql_error()); mysql_select_db("dp_sffe") or die(mysql_error()); $data = mysql_query("SELECT * FROM footerRow1"); while($info = mysql_fetch_array( $data )) { Print "<h3 class='footer_h3'>".$info['title'] ."</h3> <ul> <li><a href=".$info['link1'] .">".$info['opt1'] ."</a></li> <li><a href=".$info['link2'] .">".$info['opt2'] ."</a></li> <li><a href=".$info['link3'] .">".$info['opt3'] ."</a></li> <li><a href=".$info['link4'] .">".$info['opt4'] ."</a></li> </ul>"; } ?> Link to comment https://forums.phpfreaks.com/topic/271344-eval-alternative/#findComment-1396170 Share on other sites More sharing options...
PFMaBiSmAd Posted November 29, 2012 Share Posted November 29, 2012 You would need to make a unique temporary file (see tmpfile), write the php code to the file, include the file, and use output buffering to capture the output from the code. btw -ob_get_clean does the same thing as the two ob_ statement in the existing code. Link to comment https://forums.phpfreaks.com/topic/271344-eval-alternative/#findComment-1396192 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.