I have a custom validation rule module that essentially allows users to set up CSV validation. My problem is I get it to this array:
Array(
[field_name] => 'is_int(324230435)',
[some_other_field] => 'strlen("some str") > 25'
)
I did some research and came across the eval() function.
refs: How to use string in IF condition in PHP
However, I really don't want to use eval() due to the security issues (ref: When is eval evil in php?).
Although it doesn't strictly say eval is evil, I still would prefer if there was an alternative method.
Am I being over-cautious about the usage of eval() - perhaps I should escape and use eval(), or is there a better way?
Well, executing arbitrary strings as code has the caveat that you're executing arbitrary code whichever way you do it. There's no better alternative to eval that would let you execute PHP code without… executing PHP code.
The sane way to go here is to define a DSL which gives your users a way to write certain limited expressions which are not PHP code, which you will parse and evaluate with specific limited capabilities.
A good library which does that is Symfony's ExpressionLanguage component. Beyond that you'd go into the domain of language parsers.
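As an added illustration of the approach the answer recommends (this is example code, not from the question or the answer, and not part of the ExpressionLanguage component itself): the rules from the question rewritten as expressions in the component's own DSL, evaluated against a `value` variable holding the CSV cell. The assumptions are that `symfony/expression-language` is installed via Composer, that rule authors reference the cell as `value` rather than hard-coding literals as in the original array, and the sample rows and the hostile rule are constructed for the demonstration.

```php
<?php
// Added example: CSV rule validation with Symfony ExpressionLanguage
// instead of eval(). Assumes `composer require symfony/expression-language`.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
use Symfony\Component\ExpressionLanguage\SyntaxError;

// Rules map a column name to a boolean expression in the component's DSL.
// It looks like PHP but is parsed and evaluated by the component; the string
// is never handed to the PHP interpreter. (Constructed sample rules.)
$rules = [
    'field_name'       => 'is_int(value) and value > 0',
    'some_other_field' => 'strlen(value) > 25',
];

$el = new ExpressionLanguage();

// Only functions registered here are callable from a rule. Anything else
// (system(), file_get_contents(), ...) is a parse error, not a call.
// register() takes a compiler callback (for compile()) and an evaluator
// callback (for evaluate()); the evaluator receives the variables array first.
$el->register(
    'is_int',
    fn (string $v) => sprintf('is_int(%s)', $v),
    fn (array $vars, $v) => is_int($v)
);
$el->register(
    'strlen',
    fn (string $v) => sprintf('strlen(%s)', $v),
    fn (array $vars, $v) => strlen((string) $v)
);

/**
 * Parse every rule once, up front, so a malformed or hostile rule is
 * rejected before any row is processed. Returns [column => ParsedExpression].
 * The second argument to parse() is the list of variable names a rule may use.
 */
function compileRules(ExpressionLanguage $el, array $rules): array
{
    $parsed = [];
    foreach ($rules as $column => $rule) {
        $parsed[$column] = $el->parse($rule, ['value']);
    }
    return $parsed;
}

/** Apply the parsed rules to one CSV row; returns [column => bool]. */
function validateRow(ExpressionLanguage $el, array $parsed, array $row): array
{
    $results = [];
    foreach ($parsed as $column => $expr) {
        $results[$column] = (bool) $el->evaluate($expr, ['value' => $row[$column] ?? null]);
    }
    return $results;
}

$parsed = compileRules($el, $rules);

// Constructed sample rows: the first passes both rules, the second fails both.
$rows = [
    ['field_name' => 324230435, 'some_other_field' => 'a string that is certainly long enough'],
    ['field_name' => 'abc',     'some_other_field' => 'too short'],
];
foreach ($rows as $row) {
    var_dump(validateRow($el, $parsed, $row));
}

// What the DSL buys you: a rule that would be catastrophic under eval()
// fails at parse time because system() is not a registered function.
$hostile = 'system("id") == ""';
try {
    $el->parse($hostile, ['value']);
} catch (SyntaxError $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// eval("return $hostile;") would have executed system("id").
```

Parsing all rules before touching any data keeps the failure mode simple: a bad rule aborts the whole run instead of surfacing halfway through a file. The function whitelist is the security boundary here, so register only side-effect-free helpers and never expose anything that touches the filesystem, the network, or the process.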