06/07/2005 18:00:00
Anonymous
Ok, so I found what I consider to be a really stupid use of eval in Advanced Poll, but at first I chalked it up to maybe someone just messing with it to see what it did. However, after looking at the code more, I've found eval() being used all over the place.
For example:
That little gem can be found on line 274 of class_poll.php in the current version of advanced poll.
Why not just write it like this:
Has the same effect, and doesn't needlessly add another function call.
Using eval like this is stupid and redundant. I can understand putting it in once, maybe even twice, but eval is ALL OVER this app.
Going into the poll directory and running the following command on a Linux machine: returns 42, 42 being the number of times eval has been used. Come on, this is just ridiculous.

06/07/2005 18:44:50
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Because eval tells it to evaluate the following bit of PHP, whereas your method would result in the variables that are present in the templates not getting converted into whatever the variable is currently holding.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus

06/07/2005 19:56:23
Anonymous
Wouldn't it make more sense to just use a more standard method of templates? Even just a quick and dirty str_replace to put the proper values in?
Personally, it sounds like a bad idea to have executable code in a template file, particularly with the permissions settings required to make Advanced Poll function properly with the flat-file method on a *nix-based system.
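
The two approaches the thread contrasts, as an added PHP example that is not Advanced Poll's code or part of the original post; the template strings, variable names and function names are constructed for illustration:

```php
<?php
// Added example, not Advanced Poll's own code. Template strings, variable
// names and function names are constructed for illustration.

// The eval() approach described in the thread: the template is treated as
// PHP source, so $title and $count inside it are replaced with their current
// values when eval() runs. Whatever else the template contains is run as PHP
// as well, because the template text becomes part of the evaluated code.
function render_with_eval(string $template, array $vars): string
{
    extract($vars);                      // makes $title and $count local here
    $out = '';
    eval('$out = "' . $template . '";'); // template is spliced into PHP code
    return $out;
}

// The alternative proposed in the thread: plain placeholders swapped in with
// str_replace(). The template stays data; nothing in it is executed, and the
// substituted values are HTML-escaped on the way in.
function render_with_replace(string $template, array $vars): string
{
    $search  = [];
    $replace = [];
    foreach ($vars as $name => $value) {
        $search[]  = '{' . $name . '}';
        $replace[] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return str_replace($search, $replace, $template);
}

// Constructed sample values for the two templates.
$vars = ['title' => 'Favourite editor?', 'count' => 42];

// Both render the same heading and vote count for a well-behaved template.
echo render_with_eval('<h2>$title</h2><p>$count votes</p>', $vars), "\n";
echo render_with_replace('<h2>{title}</h2><p>{count} votes</p>', $vars), "\n";

// The difference in what counts as "code": with str_replace() a template that
// happens to contain PHP syntax is emitted as ordinary text, never executed.
echo render_with_replace('<p>{title} <?php echo 1; ?></p>', $vars), "\n";
```

The str_replace() version also removes the need for the template file to be valid PHP at all, so it can live outside the web root with read-only permissions for the web server.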

06/07/2005 21:08:40
Carbonize
If somebody has managed to get in to edit the files then the fact that the poll script can run the code should be the last of your worries.

09/07/2005 05:54:26
Anonymous
You've never given your users the ability to modify output files, but not the actual executable code itself?

09/07/2005 10:59:09
Carbonize
If someone has managed to get in and edit your templates then it's irrelevant whether or not the script would run any code in them (which by the way it would not, it just converts variables to their value) as they could just visit the template in a web browser and the server would run it as a normal .php file.