Re: [PHP] Generating executable code

08-13-2007
Richard Lynch

On Mon, August 13, 2007 8:03 am, Chris Boget wrote:
> Currently, I have an XML file that I load in, parse manually and
> iterate through the nodes to create objects, etc, using the node values as
> parameters. This works all well and fine but is a little resource
> intensive.
>
> Now, I can create an XSL template to transform the XML file and output
> all the PHP code that we are doing manually. However, when the
> transformation occurs, the result is pretty much just a string as far as
> PHP is concerned; it isn't executable PHP code.
>
> I know I can output the result to a temporary file then include it or I
> can pass the result to eval() to execute the code, but neither is ideal.
> Is there another way I can do what I need? Is there a way to 'include'
> (for the lack of a better term) the result of the XSL transformation
> such that PHP processes it as it would any other source code?


99.9% of the time, eval is the wrong answer.

You may have found one of the 0.1% of the times where it is the right
answer. :-)

That said, you would want to be EXTREMELY security-conscious of how
the XML is generated and read, if you are going to execute it as PHP,
regardless of whether it's via include or eval.

You wouldn't want a giant gaping hole for Bad Guys to cram random bits
of PHP source into your server to be executed, eh?

Though, I guess if you are validating the XML with an XSLT, you have a
fairly good choke-hold at that point.

Just be thinking about how else the Bad Guy could inject some PHP code
-- Perhaps as some CDATA or, if you use a /tmp/ file and include, by
replacing your /tmp/ file with their own contents.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
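The "compile the XML once, then include it" pipeline from this thread, as an added example that is code from neither poster: the XML is walked in plain PHP rather than XSLT so the file stands alone, every node value passes through var_export() so CDATA, quotes or PHP tags in the XML can only ever become string data in the generated source (the injection Richard warns about), and the generated file lands in a private cache directory via an atomic rename instead of a swappable /tmp file. Assumes PHP 8, a hypothetical Widget class, and that ./cache exists, is owned by the PHP user and has mode 0700.

```php
<?php
// Added example, not the thread's code: turn an XML file into cached PHP once,
// without node text ever becoming code and without a predictable /tmp file.
// Assumes PHP 8 and a ./cache dir owned by the PHP user with mode 0700.
declare(strict_types=1);
final class Widget { public function __construct(public string $name, public int $size) {} }
// Constructed sample input; the CDATA value shows why node text must be escaped.
const SAMPLE_XML = <<<'XML'
<widgets>
  <widget><name>alpha</name><size>3</size></widget>
  <widget><name><![CDATA[it's "quoted"]]></name><size>7</size></widget>
</widgets>
XML;

function compileWidgets(string $xml): string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {      // no network access while parsing
        throw new RuntimeException('invalid XML');
    }
    $lines = ['<?php', '// generated from XML; do not edit', 'return ['];
    foreach ($doc->getElementsByTagName('widget') as $w) {
        $name = $w->getElementsByTagName('name')->item(0)?->textContent ?? '';
        $size = $w->getElementsByTagName('size')->item(0)?->textContent ?? '';
        if (!ctype_digit($size)) {
            throw new InvalidArgumentException("size is not an integer: $size");
        }
        // var_export() emits a PHP string literal, so whatever the node holds
        // (quotes, CDATA, PHP tags) can only ever be data in the generated source.
        $lines[] = sprintf('    new Widget(%s, %d),', var_export($name, true), (int) $size);
    }
    $lines[] = '];';
    return implode("\n", $lines) . "\n";
}

function writeCompiled(string $code, string $cacheDir): string
{
    // tempnam() creates a unique 0600 file, but silently falls back to the system
    // temp dir if $cacheDir is not writable; refuse that rather than land in /tmp.
    $tmp = tempnam($cacheDir, 'widgets.');
    if ($tmp === false || realpath(dirname($tmp)) !== realpath($cacheDir)) {
        throw new RuntimeException('cache dir not usable');
    }
    file_put_contents($tmp, $code, LOCK_EX);
    $target = $cacheDir . '/widgets.php';
    rename($tmp, $target);   // atomic on one filesystem: readers see old or new, never partial
    return $target;
}

$widgets = include writeCompiled(compileWidgets(SAMPLE_XML), __DIR__ . '/cache');
printf("%d widgets; second name: %s\n", count($widgets), $widgets[1]->name);
```

Regenerate the cache file only when the XML changes (compare an mtime or a hash), so the include path stays the fast one on every other request.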