> - define a string that has a function call in it (that returns a string)
> that at the time of declaration is not in scope, eg
>
> $str = "this is the name : \$node->getName()"; // $node is _not_ defined
> currently, so we can't escape out

Ya have 2 options really (from my perspective):

1. Place in "jump-outs"

If you know your eval'ing routine is using 's then use them to break out of
the parser. Firstly - this is bad coding - as if you can break out, then
so can the rest of the data in the string. If you insist on this method,
on any external data check for the break-out char and escape it -
otherwise you have a major security hole.

$str = "text here '.\$node->getName().'more text maybe";
eval("\$str = '$str';");

NOTE: there is no ' at the start or end of the string - this is important.

2. Build a string parser and use tagging... easiest done in XML imho

$str = "some text here <exec>\$node->getName()</exec>"; // escape the $ so the tag body stays literal text
Then go through the string before the eval, executing everything between
exec tags (be security conscious for heaven's sake - can be dangerous if not
strictly checked) and replace the command with the response.

I can provide sample code for either option ... but would rather not mock
up a test bed if it's not gonna get used ;)

PS: I'm guessing you're building dynamic templates ... have you had a look
into "smarty"? http://smarty.php.net/


-- 
Dan Hardiker [EMAIL PROTECTED]
ADAM Software & Systems Engineer
First Creative
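Added example, not code from the post above: option 2 (tagging) done without eval at all. The template keeps its placeholder text literal until render time, and the body of each <exec> tag is looked up in an allow-list of callables rather than executed, so template data can never become code. The Node class, renderTemplate() and the $allowed map are hypothetical names; PHP 8 is assumed.

```php
<?php
// Added example (not from the original post). Names are hypothetical.

class Node {
    public function __construct(private string $name) {}
    public function getName(): string { return $this->name; }
}

/**
 * Replace every <exec>key</exec> in $template with the output of the
 * allow-listed callable registered under that key. Unknown keys are
 * refused with an exception rather than being executed or dropped.
 */
function renderTemplate(string $template, array $allowed): string
{
    return preg_replace_callback(
        '#<exec>([A-Za-z0-9_.]+)</exec>#',
        function (array $m) use ($allowed): string {
            $key = $m[1];
            if (!isset($allowed[$key])) {
                throw new InvalidArgumentException("unknown placeholder: $key");
            }
            // Escape the value so it cannot smuggle further tags or markup
            // into the rendered output.
            return htmlspecialchars((string) $allowed[$key](), ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Template declared while $node does not exist yet; single quotes keep
// the placeholder as plain text, nothing is interpolated here.
$str = 'this is the name : <exec>node.name</exec>';

// Later, once the object is in scope, bind the allowed placeholders.
$node = new Node('example <b>node</b>');
$allowed = [
    'node.name' => fn(): string => $node->getName(),
];

echo renderTemplate($str, $allowed), "\n";

// A tag naming something not on the allow-list is refused, never run.
try {
    renderTemplate('<exec>system</exec>', $allowed);
} catch (InvalidArgumentException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```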



-- 
PHP General Mailing List (http://www.php.net/)