Part 2: Injections of many enzymes

The concrete setup and its result

{[ 3 | .last-comments(1) | .comment-template | .show-comments(2) ]} (i-1)

Let’s get down to the nitty-gritty and see what the custom fields in the enzymes of (i-1) really contain.


Before executing the code from a custom field, Nzymes pops as many items as indicated between the parentheses of the execution enzyme and puts them into the ´$arguments´ array, from which the code can easily read them, for example using a ´list´ assignment.

The value returned from the code of an execution enzyme should never be ´false´ unless you want Nzymes to consider that the execution failed. This limitation is due to the fact that ´eval´ returns ´false´ in case of error and, as a consequence, Nzymes treats it as an error too.

list( $number ) = $arguments;
$result = get_comments(array('number' => $number));
return $result;

  • line 1: In ´number´ we get the popped value, i.e. ´3´.
  • line 2: The ´get_comments´ function belongs to WordPress. It accepts many options to help you find comments, but in this example we use only the very basic ´'number'´ option. It returns an array of comment objects.


Keep in mind that Nzymes injections create post content. That means that any value replacing an injection will be treated by WordPress as content and will continue to be filtered as such. For example, ´'wpautop'´ will also get a chance at it. That means that new lines in the template will be converted to ´<BR>´ tags and ´<P></P>´ elements.

This is quite a standard PHP template. You can find tons of them on the Internet to steal from.

<?php echo $words; ?> words by <em><?php echo htmlspecialchars( substr( $author, 0, 20 ) . (strlen( $author ) > 20 ? ' ...' : '') ); ?></em> at <?php echo $date; ?>

  • ´$author´ is a user supplied value, so we escape it before echoing.
  • As for ´$date´ and ´$words´ we know their values do not contain special HTML characters, so no need to escape anything.


Given that ´comment-template´ is injected by means of a transclusion enzyme, its PHP code is dead code (static). Instead, ´last-comments´ and ´show-comments´ are injected by means of execution enzymes, so their PHP code is lively code (dynamic).

If there was a processing error, the final value of the whole injection would be ´null´, which would cause the injection to be deleted (i.e. replaced by an empty string). You can willfully return ´null´ from the last enzyme, thus causing the injection to be processed and deleted. In case of an error you should be able to see some meaningful message in the JavaScript console. If you did it willfully, you wouldn’t find any message in the console.

Execution enzymes should never produce output. If they did, it’d be considered an error, and that output would be sent to the JavaScript console for inspection.

list( $comments, $template ) = $arguments;
if ( count( $comments ) == 0 ) {
  return '(Nothing to show.)';
}

$code = <<<END_CODE
?>$template<?php // at least one space after php
END_CODE;

$result = array();
foreach ( $comments as $comment ) {
  $author = $comment->comment_author;
  $date = $comment->comment_date_gmt;
  $words = str_word_count( $comment->comment_content );

  ob_start(); // capture whatever the template echoes
  $success = eval( $code );
  $output = ob_get_clean();

  $result[] = false === $success ? $this->php_lint( $code ) : $output;
}
$result = implode( "\n", $result );
return $result;

  • line 1:
    • In ´comments´ we get the first of the two popped items, which is the array of comments resulting from ´last-comments´ execution.
    • In ´template´ we get the second of the two popped items, which is the template from ´comment-template´ transclusion.
  • line 6-8:
    • This is the code for evaluating an HTML template with embedded PHP. This matters because ´eval´ expects its code to be pure PHP, so to make a template work as HTML should, we first need to leave PHP mode, then put the HTML template, then enter PHP mode again.
    • The space after ´?>$template<?php´ is crucial. If you put a new line character immediately after, then ´eval´ would just break without any error. If you wrapped that expression into double quotes and put the closing quote immediately after, then ´eval´ would just break without any error. It took me hours to find out.
  • line 12-14: We initialize the variables that appear in the template.
  • line 16-18: We buffer the output and store it after evaluating the code.
  • line 20:
    • We set ´result[]´ to the error message in case of an error, otherwise we set it to the output.
    • I advise you to do evaluations like I show you here. While it is Nzymes which takes care of the evaluation of the code in a custom field, you are supposed to take care of any evaluation of code you may make. ´eval´ returns ´false´ on error, so, if you never ever return ´false´ yourself, you can be sure that ´false´ is an error. In such a case you can use ´$this->php_lint( $code )´ to get the syntax error.
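
The evaluation pattern described above, as an added stand-alone example that runs without WordPress (it is not Nzymes code, and it does not use ´$this->php_lint´). The ´render_comment´ helper and the sample comments are constructed for illustration; it also catches the exception that PHP 7 and later throw on a syntax error in evaluated code, and shows that the user-supplied author name only ever reaches the template as a variable that gets escaped.

```php
<?php
// Added example (not Nzymes code): runs stand-alone, without WordPress.
// render_comment() and the sample comments below are constructed for illustration.

function render_comment( $template, $comment ) {
    // Values reach the template as variables only; they are never pasted into $code.
    $author = $comment->comment_author;
    $date   = $comment->comment_date_gmt;
    $words  = str_word_count( $comment->comment_content );

    // Leave PHP mode, emit the template, re-enter PHP mode (trailing space required).
    $code = '?>' . $template . '<?php ';

    ob_start();
    try {
        $success = eval( $code );
    } catch ( Throwable $e ) {
        // PHP 7+ throws ParseError on a syntax error (and Error on runtime faults).
        ob_end_clean(); // discard buffered output so it cannot leak into the post
        return array( false, 'template error: ' . $e->getMessage() );
    }
    $output = ob_get_clean();

    // Before PHP 7, eval() returned false on a syntax error; keep the page's check.
    return false === $success
        ? array( false, 'template error' )
        : array( true, $output );
}

// The page's comment template, held in a nowdoc so nothing is interpolated.
$template = <<<'TPL'
<?php echo $words; ?> words by <em><?php echo htmlspecialchars( substr( $author, 0, 20 ) . ( strlen( $author ) > 20 ? ' ...' : '' ) ); ?></em> at <?php echo $date; ?>
TPL;

// Constructed comments; the second author name carries markup that must be escaped.
$comments = array(
    (object) array( 'comment_author' => 'andrea', 'comment_date_gmt' => '2022-02-13 10:12:37',
        'comment_content' => 'Nice write-up, thanks.' ),
    (object) array( 'comment_author' => '<script>alert(1)</script>', 'comment_date_gmt' => '2022-01-14 04:49:15',
        'comment_content' => 'hello there' ),
);

foreach ( $comments as $comment ) {
    list( $ok, $text ) = render_comment( $template, $comment );
    echo ( $ok ? $text : "[$text]" ), "\n";
}

// A template with a syntax error is reported, not rendered.
list( $ok, $text ) = render_comment( '<?php echo $words +; ?>', $comments[0] );
echo ( $ok ? $text : "[$text]" ), "\n";
```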


{[ 3 | .last-comments(1) | .comment-template | .show-comments(2) ]} (i-1)

Last but not least, here is the result of the (i-1) injection… live:

23 words by andrea at 2022-02-13 10:12:37n45 words by Martin at 2022-01-14 04:49:15n6 words by Martin at 2021-12-13 23:48:18

Above you should see the template applied to the last three comments on this blog.
