
I am trying to store a function in a file and extract it to run when needed, but I cannot find a better way to do so.

This is what I’ve tried:

function store_callable(string $func)
{
    // save the function's source text to a file (file name is a placeholder)
    file_put_contents('callable.php', $func);
}
// read the saved source back and run it
eval(file_get_contents('callable.php'));

My first concern is the type of the parameter $func. I’m expecting to receive only a callable as the argument, but I can’t find a way to convert a PHP callable into a string to save.

Secondly, although eval() is used here to run the saved function, I wondered if there’s a better way of doing that, although it seems there’s none.

I don’t think it’s a kind of serialization, but they seem to have similarities, so I added the tag anyway.


EDIT:

My original idea was to create a notification system that pushes messages to a user’s specific account. However, some notifications are specifically pushed only to one device or IP, which means I need a filter function for that. I can actually complete this by using a new property like restricted-to, but I wanted to make a more general field filter-function in the notification object which returns a boolean and lets the system decide whether to push the notification on this load.

EDIT2:

I CAN actually directly code them in the PHP file, but it will become messy, as different notifications have different filters to decide whether they are pushed or not. I can give you an example:

class Notification
{
    public function push_or_not()
    {
        if ($this->isabout == "login" && checkIP()) {
            // something
            return true;
        }
        // elseif (...) for each further notification type, and so on
        return false;
    }
}
new Notification("message");

This can actually run and avoid security risks. But this isn’t general enough. Meaning that I need to edit the if-else here at first, and create a new type property here.

I’m just asking whether the initial more general filter function (because I can define it in EACH notification, but here I can just add the type and relate it to the type) stored directly in notification data is better (and any improvements) or the latter one here is better.

It seems there’s not much security risk here as the code here isn’t related to user input.

2 Answers


  1. You don’t really need dynamic code for this at all.

    One way to make the feature neater and easier to maintain and test – as well as removing any potential security risks associated with the use of eval() – could be to make each notification type a sub-class of the Notification class, with its own definition of the push_or_not() function overriding the parent class’s definition, so the logic for each type is held and implemented separately.

    A very simple example:

    abstract class Notification {
        abstract public function push_or_not();
    }

    class Notification_Login extends Notification
    {
        public function push_or_not() {
            if (checkIP() && "Something") {
                return true;
            }
            return false;
        }
    }

    class Notification_SomethingElse extends Notification
    {
        public function push_or_not() {
            if (checkIP() && "SomethingElse") {
                return true;
            }
            return false;
        }
    }

    Remember a class is a bit like a template which you declare in advance, before you actually run the code, and then you can create as many copies ("instances") of it as you need at runtime. Then the instances you create can all have different data values, but share the same code logic. So you end up with one class for each type of notification, and your code can then create as many instances of the class as it needs – i.e. one instance for each individual notification of that type.

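An added example (not from the question or either answer) of the design answer 1 describes: what gets persisted is plain JSON that names a notification type, and an allowlist registry maps that type to a filter class, so stored data is never passed to eval(). The names NotificationFilter, FilterRegistry, the 'login' and 'broadcast' types and the $context array (the requesting client's IP) are assumptions; it needs PHP 7.4+.

```php
<?php
// Added example, not code from the question or answers. Notification data is
// stored as JSON naming a filter TYPE; the filter CODE exists only in the
// classes registered below, so nothing read back from disk is executed.
// Assumed names: NotificationFilter, FilterRegistry, 'login'/'broadcast'.
interface NotificationFilter
{
    public function pushOrNot(array $data, array $context): bool;
}
// Push a login notification only to the IP that triggered it.
final class LoginFilter implements NotificationFilter
{
    public function pushOrNot(array $data, array $context): bool
    {
        return isset($data['ip']) && $data['ip'] === ($context['ip'] ?? null);
    }
}
// A broadcast goes to every device of the account.
final class BroadcastFilter implements NotificationFilter
{
    public function pushOrNot(array $data, array $context): bool
    {
        return true;
    }
}
final class FilterRegistry
{
    private array $filters = []; // allowlist: type name => filter object

    public function register(string $type, NotificationFilter $filter): void
    {
        $this->filters[$type] = $filter;
    }

    // Unknown or missing types are denied rather than "run whatever is stored".
    public function shouldPush(array $notification, array $context): bool
    {
        $filter = $this->filters[$notification['type'] ?? ''] ?? null;
        return $filter !== null
            && $filter->pushOrNot($notification['data'] ?? [], $context);
    }
}
// Constructed sample record: what is persisted is data, never code.
$stored = '{"type":"login","data":{"ip":"203.0.113.5"},"message":"New login"}';
$registry = new FilterRegistry();
$registry->register('login', new LoginFilter());
$registry->register('broadcast', new BroadcastFilter());
$notification = json_decode($stored, true);
var_dump($registry->shouldPush($notification, ['ip' => '203.0.113.5']));
var_dump($registry->shouldPush($notification, ['ip' => '198.51.100.9']));
```

Adding a new notification type means adding one class and one register() call; a record with a type that was never registered is simply not pushed.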
  2. This sounds really dangerous, but that aside, why not just include the file? This will run any code in it.

    $myphp = <<<TEXT
    <?php

    echo "this is a bit of code run";
    ?>
    TEXT;

    // write the generated source, then include it (the content argument was missing)
    file_put_contents('insecuredirectory/mynewfile.php', $myphp);

    include 'insecuredirectory/mynewfile.php';
    

    NOTE:

    This is a truly bad idea if you don’t know who is writing the PHP code, as the code itself will have full control over your code and the server it is running on.
