// Custom test runner $code = '$result = 2 + 2; file_put_contents("output.txt", $result);'; $descriptors = [ 0 => ['pipe', 'r'], // stdin 1 => ['pipe', 'w'], // stdout ]; $process = proc_open( 'php vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php', $descriptors, $pipes ); fwrite($pipes[0], $code); fclose($pipes[0]); echo stream_get_contents($pipes[1]); proc_close($process); The original eval-stdin.php has poor error handling. A "better" version might look like this:
try eval('?>' . $code); catch (Throwable $e) fwrite(STDERR, "Evaluation error: " . $e->getMessage() . "\n"); exit(1); // Custom test runner $code = '$result =
Now go forth, write better tests, and leave dangerous eval() calls where they belong—inside your development environment. Have you encountered a security issue related to exposed vendor directories? Share your story in the comments below. $e->getMessage()
echo 'echo "Hello from PHPUnit Utility";' | php vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php It allows you to test the exact process isolation logic that PHPUnit uses without running a full test suite. 2. Dynamic Code Injection in Custom Test Suites If you are building a meta-testing framework, you can use this script to execute arbitrary code in a separate process. Share your story in the comments below
You should never expose your vendor directory to the public web. Part 4: Using eval-stdin.php Better (The Ethical Way) How can we use this tool better ? Instead of relying on it as a hack, let’s look at three legitimate, advanced use cases. 1. Manual Execution for Debugging You can invoke eval-stdin.php directly from the CLI for quick sandbox testing.