On 16.12.2024 at 21:55, Elmar Klausmeier wrote:

> 1. Is there a way to call require or include with a string as input in an
> extension? Golemon's book only mentions zend_eval_string(), but this is
> like eval(), i.e., the string must not contain any HTML or must not contain
> <?php and ?> tags. The reason for this is that allow_url_include is now
> offensively marked as deprecated. I previously used
>         require 'data:text/plain;base64,'.base64_encode($s);
> to accomplish the same. Now I think I have to write an extension to create
> something like require_str() or include_str().

eval() does support regular PHP code; you only need to avoid the
*outmost* opening/closing PHP "tags".  See <https://3v4l.org/nCi9F>.

Still, the usual caveats about eval() (and zend_eval_string()) apply:
never ever call it on untrusted user input.

Christoph

Reply via email to