Using Eval to include remote php file

Question

I just wanted to keep all my code libraries (PHP Classes; ex: http://libraries.com/form.php) on a single server for easy maintenance and availability. Wherever I need to use this library; I'd just include it in my code. But; I know; enabling remote URL include isn't safe at all. So I found a work around.

I'd just use eval( file_get_contents( 'http://libraries.com/form.txt' ). I use .txt instead of .php so I get PHP code as it is; not a blank file returned by server after PHP is processed.

This works; I get my PHP library/class and I can play with it on a remote location. But I don't know if it is safe or not. What could be pros and cons of this way. Or what other way you can suggest me to achieve this safely?

Answer 1

This:

• Has all the security downsides of includeing remote files
• Is massively inefficient due to all the extra HTTP requests
• Means that a new release of a library gets deployed without being tested against the rest of the code in an application
• Adds an extra point of failure for the application

Don't do this. It is a terrible idea.

Installation of dependencies should be a feature of your install script, not the application itself.