Proper use of eval() in Yii

First impression… brilliant! :] I would never have figured out such an idea myself, like using eval inside eval (in short)! :)

But on the other hand, I heard that eval is one of the worst PHP solutions in terms of security, time consumption etc. Therefore using double eval could in some cases kill the server and will certainly kill some best coding practice evangelists! :) Let me quote Rasmus Lerdorf, creator of PHP, again - [i]If eval() is the answer, you’re almost certainly asking the wrong question.[/i]

EDIT: Just got Qiang’s comment to my bug tracker ticket: “using eval() is evil”! LOL! :]

As you already know, I tried to avoid the nested eval by using a method call. Regarding the continued discussion here, I was aware of the security and performance drawbacks. However, I don’t know, e.g. from benchmarks, the magnitude of the performance loss.

My first thought was that the solution you suggested (conditional ‘return’ in eval’d code) might weaken security somewhere, since we are talking about just one use case for CComponent::evalExpression.

The suggestion to create a property when an expression isn’t appropriate and statements are required seems to be the best solution, I think.

I once tried to use an anonymous function in CGridView column eval’d code, with no luck. Will look further into it (PHP 5.3 assumed).

Edit:

The PHP 5.3+ solution would be something similar to this (no eval involved):

'value'=>function($data, $row) { someStatement; return $data->someAttribute; },

/Tommy
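To make the difference between the two column styles concrete, here is an added stand-alone example (not code from the thread or from Yii itself). It assumes, as a simplification of the framework internals, that a string 'value' is evaluated as 'return <expression>;', which is why only a single expression fits there while a closure can carry statements; the sample rows are constructed.

```php
<?php
// Added example: a string column value (eval'd as a single expression)
// beside a PHP 5.3 closure column value (no eval involved).
// Runs stand-alone on PHP 5.3+; $rows stands in for the grid's data provider.

// Constructed sample model objects playing the role of $data.
$rows = array(
    (object) array('firstName' => 'Ada',  'lastName' => 'Lovelace', 'active' => true),
    (object) array('firstName' => 'Alan', 'lastName' => 'Turing',   'active' => false),
);

// Assumption about the framework: the expression string is wrapped in
// 'return ...;' before eval(), so statements cannot be placed in it.
// The string must be a literal written by the developer, never data from a request.
function evalStringValue($expression, $data, $row)
{
    return eval('return ' . $expression . ';');
}

// The same column defined twice. The closure needs no eval() and may
// run arbitrary statements before returning the cell value.
$stringColumn = array(
    'value' => '$data->firstName . " " . $data->lastName',
);
$closureColumn = array(
    'value' => function ($data, $row) {
        $name = $data->firstName . ' ' . $data->lastName; // a statement
        if (!$data->active) {                             // another statement
            $name .= ' (inactive)';
        }
        return $name;
    },
);

// Dispatch on the 'value' type the way a grid column would.
function renderColumn(array $column, array $rows)
{
    $cells = array();
    foreach ($rows as $i => $data) {
        $cells[] = is_string($column['value'])
            ? evalStringValue($column['value'], $data, $i)
            : call_user_func($column['value'], $data, $i);
    }
    return $cells;
}

print_r(renderColumn($stringColumn, $rows));
print_r(renderColumn($closureColumn, $rows));
```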

Oh, I would fear for that! :] If eval itself won’t weaken your security, then adding return checking won’t do this for sure. It will only degrade performance - at least that is the conclusion I got from the mentioned bug tracker discussion, where Qiang said it is not reliable.

I don’t know if I’m taking you incorrectly. You tried anonymous functions with PHP lower than 5.3 and then, when you had no luck, you are about to try it in 5.3? Wasn’t this feature introduced in 5.3, so trying anonymous functions in PHP lower than that is pointless and worthless by definition?

Yes, this seems to be the best solution, avoiding all the evil eval problems on one hand and giving the developer much more flexibility on the other hand. But your (mine, others’) server must be running 5.3+, and this is not yet such a common situation. For example, my home account ISP told me there would be no 5.3 before the beginning of 2011, as he needs to give people enough time to update their scripts to the new interpreter version. Now it is only less than a month to that, but when he announced it in late March 2010, it looked like quite a long time period.

As said, first thought. That’s why I started to look for alternatives. I later realized there’s no difference.

Why do you think I tried it with an older PHP version? The PHP docs clearly state 5.3+.

BTW, do you seriously think I suggested nested evals as the best solution? Obviously it can do the job, no promise it will. I could intuitively foresee possible problems due to the uncommon usage of eval and would have expected some enlightening comments in this forum.

/Tommy

Well, that seems to be good! :] I came from an old school, where I was told that using eval is evil, no matter what. Therefore I’m happy that my server package is already updated to PHP 5.3.1, so I can use anonymous functions and forget about all the eval stuff. Cheers.