-2

This code gives the warning of the title. Simplest solution would be to add the single quotes to "not_a_constant". This however break the "eval" I have tried concatenation of strings, etc.

The eval SHOULD NOT BE removed. No auxiliary variables should be used. 

eval('$some_defined_var[not_a_constant] .= "' . some_function('some_string') . '";')

Please try this code defining some dumb vars and functions with php 7.2 to check the warning and possible solutions.

Edit 1)Code standards forbids to use doble quotes for string.s 2)We are trying to avoid scaping the single quotes inside the indexing in the "not_a_constant". This means, what I'm trying to achieve is this:

$some_defined_var['not_a_constant']

voskys
  • 121
  • 1
  • 9
  • 3
    Try adding double-quotes around the array key: `$some_defined_var["not_a_constant"]` – aynber Jul 23 '18 at 16:27
  • Sorry, im adding some edits. code standards forbids: 1)Doble quotes for strings. 2)In this case try not to use \' (scapping single quotes). This means, I need to achieve this: some_defined_var['not_a_constant'] (single quotes) :-) – voskys Jul 23 '18 at 16:31
  • I knows it sucks, just rules hahah, it is a nice exercise anyway – voskys Jul 23 '18 at 16:33
  • 2
    You want to add single quotes within a string, but you aren't allowed to use double quotes or escape single quotes? You're boxing yourself into a corner a bit, here. – iainn Jul 23 '18 at 16:33
  • Inside the indexing, yes, trying to avoid escaping. Outside, in the concatenation, I may use double quotes, escaping, just not inside the indexing. Thanks – voskys Jul 23 '18 at 16:38
  • I don't understand why you can't escape single quotes? The error you are getting is because you aren't telling php you are using a string. When it finds no constant with that name it falls back to using it as a string. – Ryan Matthews Jul 23 '18 at 16:38
  • 8
    Any coding standard that "forbids" something, even at the expense of making code less readable, is a Bad Coding Standard. I'd also argue that applying your coding standards to code *that your code is generating* is a massive waste of everyone's time. Use double quotes around it. – iainn Jul 23 '18 at 16:40
  • 2
    Just in case "eval fine, double-quoted strings banned" isn't already an obviously ridiculous rule, you're seeing this message for the first time in PHP 7.2 because [it was changed from a "notice" to a "warning"](https://wiki.php.net/rfc/deprecate-bareword-strings). Presumably, your coding standard only cares about warnings, but **this code was always wrong**, and would break horribly if anyone wrote `define('not_a_constant', 'something_completely_different')`. This code is so many degrees of broken it's kind of hilarious. – IMSoP Jul 23 '18 at 16:57
  • You have code standards that disallow double quotes, but use `eval`? Sounds like a really laughable standard..... – Nico Haase Jul 24 '18 at 11:35

2 Answers2

2

If you can't escape single quotes and are forbidden to use double quotes, you are left with heredoc and nowdoc. The manual shows you how to use them. For your code you could go with: 

<?php
$some_defined_var['not_a_constant'] = 'old ';

function some_function($a) { return 'New '.$a;}

eval( <<<'EOE'
$some_defined_var['not_a_constant'] .= "
EOE
. some_function('some_string') . '";'
);

var_dump($some_defined_var);

Please note that I normally would not suggest to code anything like this. I'm just applying your restriction. And I fully agree with all the commentators who don't like your coding standard.

jh1711
  • 2,288
  • 1
  • 12
  • 20
0

Based on this comment:

Inside the indexing, yes, trying to avoid escaping. Outside, in the concatenation, I may use double quotes, escaping, just not inside the indexing.

I think one of these might meet your rather arcane rules:

eval('$some_defined_var[' . "'not_a_constant'" . '] .= "' . some_function('some_string') . '";')

eval("\$some_defined_var['not_a_constant'] .= \"" . some_function('some_string') . '";')

It feels like there's some missing context here as to why you're actually using eval, since the example you give could just be rewritten as:

$some_defined_var['not_a_constant'] = (string)some_function('some_string');

Or possibly as:

$some_defined_var['not_a_constant'] = eval('"'. some_function('some_string') . '"');

Since some_function could return code that did whatever it wanted when eval'd, e.g.

function some_function($who_cares) {
    return '"; var_dump($config["database_password"]); "';
}

The rules about double-quotes etc might make sense if we knew which parts were dynamic, because it might be an attempt at securing the eval; but frankly, the only way to secure eval is not to use it.

IMSoP
  • 89,526
  • 13
  • 117
  • 169