Xtreme additions

Place for questions and answers for all newcomers and new coders. This is a free-for-all forum: no question is too stupid or too noob.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Xtreme additions

Post by Jackolantern »

It is definitely not good practice. Storing code separately from the web application and using a dynamic command to parse and run it (with the code passed in as a string) is generally considered unsafe and also very difficult to debug and maintain. If a user ever figured out how to get their own strings into that command, they could potentially have total control of your server if it was not secured properly (giving the script-running SQL user accounts minimum privileges, locking out command-line access to the Apache users, etc.).
The indelible lord of tl;dr

Re: Xtreme additions

Post by Jackolantern »

I don't see as much of a problem with that, but it seems things could still be better laid out. Instead of having IF statements that load files, a better alternative would likely be to have IF statements create objects that contain the code you would want to run. That would make it more debuggable and maintainable.

Re: Xtreme additions

Post by Jackolantern »

Again, it's not really unsafe, per se, as tons of popular PHP applications are filled to the brim with requires. I think it more depends on how you implement it. If the editor is going to be tied into the game that is created, and users can use a form submission box to upload PHP scripts to add functionality and that page is just hidden behind a password, that would be a large security risk. But if all of the separate files would just be added in to specific folders designed for user-created content, and no editing abilities exist once the application is deployed, that would be fine, and many existing applications are built that way. I would just suggest to stay away from any kind of dynamic loading altogether.
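The "IF statements create objects" layout from the second reply, and the "no dynamic loading" advice from the third, as an added example (not code from the thread or from any poster). It assumes a small game-addon feature; the addon names, classes and the request array are constructed for illustration. The point is that request input only ever selects a key in a fixed map, never a file path, class name or code string.

```php
<?php
// Added example: an allowlisted registry of addon objects instead of
// eval() on a stored string or include() on a user-influenced path.

interface Addon {
    public function run(array $params): string;
}

// Hypothetical addons; in a real project each would live in its own
// file that is shipped with the application, not uploaded at runtime.
final class HealPotion implements Addon {
    public function run(array $params): string {
        $amount = max(0, (int)($params['amount'] ?? 0));
        return "Healed for {$amount} HP";
    }
}

final class DailyBonus implements Addon {
    public function run(array $params): string {
        return "Granted daily bonus";
    }
}

// Fixed registry: the complete set of code that can ever be executed.
// Untrusted input can only pick one of these keys.
const ADDON_REGISTRY = [
    'heal'  => HealPotion::class,
    'bonus' => DailyBonus::class,
];

function runAddon(string $name, array $params): string {
    // Reject anything not explicitly registered; do not fall back to
    // building a path or class name from $name.
    if (!array_key_exists($name, ADDON_REGISTRY)) {
        throw new InvalidArgumentException('Unknown addon: ' . $name);
    }
    $class = ADDON_REGISTRY[$name];
    $addon = new $class();          // guaranteed to be one of the classes above
    return $addon->run($params);
}

// Constructed request data standing in for $_GET / $_POST.
$request = ['addon' => 'heal', 'amount' => '25'];
echo runAddon($request['addon'], $request) . PHP_EOL;   // Healed for 25 HP
```

Adding a new addon means adding a class and one registry line; nothing about the request, the database or the filesystem decides what code runs.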