Home/ Questions/Q 8575293
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T19:39:39+00:00

I store my sql queries as strings and then use them later in PDO

  • 0

I store my sql queries as strings and then use them later in PDO as shown below.

There is one line that I don’t understand:

eval("\$query = \"$query\";");

From the docs..eval should run a string as PHP code. Why can’t I just use $query directly? What does it mean to run a string of SQL?

This code works. I just don’t know what eval() statement is for.

Note this is safe eval() as the input is not user defined.

    "arc_id" =>                 "SELECT id FROM credentials WHERE email=?",
    "arc_id_from_hash" =>       "SELECT id FROM credentials WHERE pass=?",
    "signin_pass" =>            "SELECT pass FROM credentials WHERE email=?",
    "signin_validate" =>        "SELECT id, hash FROM credentials WHERE email=? AND pass=?"
);
public function __construct()  
{
    $this->db_one = parent::get();
}
public function _pdoQuery($fetchType, $queryType, $parameterArray=0) // needs review
{
    $query=$this->sql_array[$queryType];

    // what?

    eval("\$query = \"$query\";");

    // if not input parameters, no need to prep

    if($parameterArray==0)
    {
        $pdoStatement = $this->db_one->query($query);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    eval("\$query = \"$query\";");

    This is a variable replacer/templating engine.

    It is replacing variables inside $query with their values.

    I suggest not using eval for this, it’d probably be better to use preg_replace or str_replace.

    For reference, here’s a question I asked: PHP eval $a="$a"?

    • 0