8

There is a known way to include a file and capture its contents into a string while loading.

$string = get_include_contents('somefile.php');
function get_include_contents($filename) {
if (is_file($filename)) {
        ob_start();
        include $filename;
        return ob_get_clean();
    }
    return false;
}

https://www.php.net/manual/en/function.include.php

Is there a way to "include" contents loading them from a string instead of a file?

I mean something like this:

$string = file_get_contents("file.php");
include_from_string($string);
Improve this question
2
  • 2
    There's eval(). It's possibly a terrible idea. Commented Jan 28, 2014 at 16:06
  • try eval() is the best choice Commented Jan 28, 2014 at 16:09

5 Answers 5

Reset to default
11

If you want the string to be parsed as PHP code, just like the contents of a file loaded with include(), then the function you need is eval().

Note that, unlike code loaded by include(), code executed by eval() automatically starts in PHP mode, so you don't need to (and shouldn't!) prefix it with <?php. If you want to emulate the behavior of include() exactly, you can prefix the string to be eval()ed with ?> to leave PHP mode:

$string = file_get_contents( 'somefile.php' );
eval( '?>' . $string );

Also note that eval() is a very dangerous function to play with! While in this specific case it shouldn't be any more risky than include() itself is, using eval() on any string that might even possibly contain unsanitized (or insufficiently sanitized) user input is extremely dangerous, and may be exploited by attackers to execute malicious code on your system and thereby gain control of it.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

The eval() method is pretty raw, but it seems that there is not any other way. Thanks.
4

This might not be what you are looking for but I got "work around" for it.

Just create temporary file with tempnam() which you will include and then unlink().

$path = "somefile.php";
$stringFile = file_get_contents($path);
$pathTmp = tempnam("tmp/", ""); // you pass directory in which you will store tmp files for me it's "tmp/"
$file = fopen($pathTmp, "w+");
fwrite($file,$widget);
fclose($file);
include $pathTmp; // include the file, and PHP will be automatically parsed
unlink($pathTmp); // delete file

THIS IS WRONG:

I'm not sure if it's good practice (but hack damn, it's simple) because no one suggested it but it's better then eval() which is basically "code hazard".

THIS IS RIGHT:

As @Chris Harrison commented this is security risk and it's equal to eval(). So you could basically do this:

eval($string);
Improve this answer

2 Comments

The security implications of taking some arbitrary code and eval'ing it vs saving it to a file and include'ing it are exactly the same.
This is okay because your code won't contain an eval, it is a proper alternative.
0

This is a simple example for you, if you pass inside the eval() this will execute the code in the string variable.

<?php 

//here your PHP Code goes
$string = get_include_contents('somefile.php');

//evaluating the string this will work
eval($string); //output
Improve this answer

Comments

0

This is not equivalent to using include. Here's the problem: eval() takes the provided PHP, and executes it in the current environment. Thus, any globals, functions, classes, what-not, you have defined prior to the eval() are available for the processor. This is all good, and, upon return, the only thing left of the original (evel'd) string are the results of any echo (or equivalent) statements.

This is NOT the same as an include. There the file contents are merged with your source code and that is passed to eval(). Very, very different. The easiest way to see this is to define your string as 'class fu { static function bar() { echo "wow"; } ]' Put this in a file and call fu::bar() and you'll get 'wow' displayed. At the same point in your code, if you do an eval('class fu ...') and call fu::bar() from your code you'll get "Fatal error: Call to private method fu::bar() from context ..."

But, as long as you don't need to interact with the 'include' the results will appear the same.

Improve this answer

Comments

-1

Just echo whatever you want instead of include inside your function!

UPDATE

Your function should look like this:

$string = "Whatever";
$str = get_var($string);
function get_var($str) {
ob_start();
echo $str;
return ob_get_clean();
}
Improve this answer

4 Comments

once you read the file that's considered as string. simple echo won't help you in this case
What do you mean? You are buffering the output, what's wrong with that?
check the below answer and inline comments FYI
ooh, i didn't notice he is willing to evaluate the contents! my bad.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.