On 16.12.2024 at 21:55, Elmar Klausmeier wrote: > 1. Is there a way to call require or include with a string as input in an > extension? Golemon's book only mentions zend_eval_string(), but this is > like eval(), i.e., the string must not contain any HTML or must not contain > <?php and ?> tags. The reason for this is that allow_url_include is now > offensively marked as deprecated. I previously used > require 'data:text/plain;base64,'.base64_encode($s); > to accomplish the same. Now I think I have to write an extension to create > something like require_str() or include_str().
eval() does support regular PHP code; you only need to avoid the *outmost* opening/closing PHP "tags". See <https://3v4l.org/nCi9F>. Still, the usual caveats about eval() (and zend_eval_string()) apply: never ever call it on untrusted user input. Christoph
