ID: 43901 Comment by: cvolny at gmail dot com Reported By: t03 at springtimesoftware dot com Status: Open Bug Type: Feature/Change Request Operating System: Irrelevant PHP Version: 5.2.5 New Comment:
I wrote two functions to display ways of accomplishing this already (although a built-in function would be nice). This function is very restrictive and requires you to pass a hash (name=>value) as $vars. I prefer and use this function to build page layout with predefined variables to be placed in a template file (I put stuff like <div id="content">$content</div> where a page's specific content should go). I consider this a safer way to string expand as you are explicitly limiting what can be expanded. Some improvements can be done to it to handle arrays, but I haven't had a need for it yet. function stringExpand($subject, array $vars) { // loop over $vars map foreach ($vars as $name => $value) { // use preg_replace to match ${`$name`} or $`$name` $subject = preg_replace(sprintf('/\$\{?%s\}?/', $name), $value, $subject); } // return variable expanded string return $subject; } This second function accomplishes the same task only using eval() and variables in the current symbol table (with the help of extract()). I opted to use heredoc with optionally a randomly generated delimiter. This allows access to all variables available to the function (static members, globals, $vars, etc) so it could potentially allow access to preferably private data. I won't even go into the security implications of using eval() to accomplish this, it's probably better to use something like the above. here it is: function stringExpandDangerous($subject, array $vars = array(), $random = true) { // extract $vars into current symbol table extract($vars); $delim; // if requested to be random (default), generate delim, otherwise use predefined (trivially faster) if ($random) $delim = '___' . chr(mt_rand(65,90)) . chr(mt_rand(65,90)) . chr(mt_rand(65,90)) . chr(mt_rand(65,90)) . chr(mt_rand(65,90)) . '___'; else $delim = '__ASDFZXCV1324ZXCV__'; // button mashing... // built the eval code $statement = "return <<<$delim\n\n" . $subject . "\n$delim;\n"; // execute statement, saving output to $result variable $result = eval($statement); // if eval() returned FALSE, throw a custom exception if ($result === false) throw new EvalException($statement); // return variable expanded string return $result; } As you can see you can easily (and dangerously) accomplish this task using eval() or you can cautiously accomplish it using a variant of regex. I would recommend limiting the access of your string expansion script as well as avoiding eval(), you can capture variable names & values easily using compact(). I wouldnt allow your script access to $GLOBALS like the above comment, you might not want that data as accessible as youre making it. Previous Comments: ------------------------------------------------------------------------ [2008-01-24 20:02:40] t03 at springtimesoftware dot com In case anyone else reads this and needs a workaround, here is function to expand any embedded variables of the form "$name" found inside a given string. Note: this uses the global scope, even if called from inside a function. // Expand global variables if found in a string // ExpandVars ver=1/24/08 function ReplaceVarCallback($M) { if (!isset($GLOBALS[$M[1]])) die("Variable "[EMAIL PROTECTED]" is undefined."); return $GLOBALS[$M[1]]; } // ReplaceVarCallback function ExpandVars($Str) { for (;;) { $Res=preg_replace_callback('#\$([A-Za-z_][A-Za-z0-9_]*)#', "ReplaceVarCallback",$Str); if ($Res==$Str) break; $Str=$Res; } return $Str; } // ExpandVars ------------------------------------------------------------------------ [2008-01-21 01:56:50] t03 at springtimesoftware dot com Description: ------------ (Note: This feature request is similar to some existing ones, but provides much clearer explanation, motivation, and details. I hope it will be considered on its own and that this proposal gets elevated to the PHP design team for serious consideration.) In PHP, string literals that are specified using quotation marks (") or HEREDOC syntax are implicitly expanded in several ways, including translation of backslash-escaped characters and substitution of the actual values of variables, as indicated by leading left brace or dollar signs. There are many common programming situations where a string contains backslash sequences or variables that need to be expanded in this way, such as when the string is read in from a text file. The most frequent solution adopted by PHP programmers is a simple use of the eval function. However, this solution represents a large security risk if the string to be expanded comes from an external and possibly malicious user, since such a string can contain arbitrary code that will be executed by the eval function. There are many safe solutions, including the use of the str_replace function in a loop to expand each possible variable. However, all these solutions involve inefficient and error-prone coding that could be avoided simply by exposing the Zend mechanism used in the implicit expansion of string literals. The mechanism is already there; it merely needs to be exposed to the programmer. Therefore, I hereby request that the PHP team consider adding a new function to PHP that would expand a given string as is done in the implicit expansion of string literals, returning the expanded string. I leave it up to the team to determine the specifics (the name of the function and possible flags to limit the expansion to certain kinds, such as backslash-escaped characters and variables). The PHP team has made many intelligent decisions throughout the history of the development of PHP, including adding new and useful functions. I hope they will consider my proposal seriously, forgiving me if I have made mistakes or overlooked something that I should have been considered. David Spector Springtime Software Reproduce code: --------------- (Note: this is not a bug report, but a new feature request.) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=43901&edit=1