Re: Generating executable code

On Mon, August 13, 2007 8:03 am, Chris Boget wrote:
> Currently, I have an XML file that I load in, parse manually and
> iterate through the nodes to create objects, etc, using the node
> values as parameters.  This works all well and fine but is a little
> resource intensive.
>
> Now, I can create an XSL template to transform the XML file and output
> all the PHP code that we are doing manually.  However, when the
> transformation occurs, the result is pretty much just a string as far
> as PHP is concerned; it isn't executable PHP code.
>
> I know I can output the result to a temporary file then include it or
> I can pass the result to eval() to execute the code, but neither is
> ideal.  Is there another way I can do what I need?  Is there a way to
> 'include' (for the lack of a better term) the result of the XSL
> transformation such that PHP processes it as it would any other
> source code?

99.9% of the time, eval is the wrong answer.

You may have found one of the 0.1% of the times where it is the right
answer. :-)

That said, you would want to be EXTREMELY security-conscious of how
the XML is generated and read, if you are going to execute it as PHP,
regardless of whether it's via include or eval.

You wouldn't want a giant gaping hole for Bad Guys to cram random bits
of PHP source into your server to be executed, eh?

Though, I guess if you are validating the XML with an XSLT, you have a
fairly good choke-hold at that point.

Just be thinking about how else the Bad Guy could inject some PHP code
-- Perhaps as some CDATA or, if you use a /tmp/ file and include, by
replacing your /tmp/ file with their own contents.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
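
The two risks raised in the reply above (node text such as CDATA ending up as PHP source, and a generated file under /tmp/ being replaced before it is included) can be closed off as in this added example, which is not code from the thread. It assumes a hypothetical `Widget` class and a constructed XML sample, and it generates the code in PHP with `var_export()` rather than through an XSL template.

```php
<?php
// Added illustration; Widget and the sample XML are constructed, not from the thread.
class Widget {
    public $name; public $size;
    public function __construct($name, $size) { $this->name = $name; $this->size = $size; }
}

// Constructed input: the second <name> hides PHP source inside CDATA.
$xml = <<<'XML'
<widgets>
  <widget><name>gauge</name><size>3</size></widget>
  <widget><name><![CDATA['); echo 'INJECTED'; //]]></name><size>4</size></widget>
</widgets>
XML;

function generate_code(string $xml): string {
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {   // LIBXML_NONET: no network access while parsing
        throw new RuntimeException('malformed XML');
    }
    $code = "<?php\nreturn [\n";
    foreach ($doc->getElementsByTagName('widget') as $w) {
        $name = $w->getElementsByTagName('name')->item(0)->textContent;
        $size = (int) $w->getElementsByTagName('size')->item(0)->textContent;
        // var_export() emits an escaped PHP literal, so node text stays data.
        $code .= '    new Widget(' . var_export($name, true) . ', ' . var_export($size, true) . "),\n";
    }
    return $code . "];\n";
}

function run_generated(string $code, string $privateDir) {
    $path = tempnam($privateDir, 'gen');        // new file, unique name, mode 0600
    // tempnam() falls back to the system temp dir if $privateDir is unusable; refuse that.
    if ($path === false || realpath(dirname($path)) !== realpath($privateDir)) {
        if ($path !== false) { unlink($path); }
        throw new RuntimeException('could not create file in private directory');
    }
    try {
        file_put_contents($path, $code, LOCK_EX);
        return include $path;                   // the file returns the array of objects
    } finally {
        unlink($path);
    }
}

$dir = sys_get_temp_dir() . '/gen-' . bin2hex(random_bytes(8));
mkdir($dir, 0700);                              // only this user can read or replace files here
$widgets = run_generated(generate_code($xml), $dir);
rmdir($dir);
foreach ($widgets as $w) {
    echo var_export($w->name, true), ' size=', $w->size, "\n";
}
```

The CDATA text comes back as the second widget's name, quoted and inert, and the generated file only ever exists inside a directory other local users cannot write to.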

