eval is built into PHP itself and is not a system component function. We cannot disable it through disable_functions in php.ini, because it is not a PHP_FUNCTION.
eval() is very destructive for PHP security. It is generally not used in order to prevent
The code is as follows
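<?php
$string = 'cup';
$name = 'coffee';
// Single quotes: $string and $name are not substituted yet
$str = 'This $string contains $name. ';
echo $str;
// The escaped \$str and \" survive into the evaluated code, so eval runs
// the assignment: $str = "This $string contains $name. ";
eval( "\$str = \"$str\";" );
echo $str;
?>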
The output of this example is
This $string contains $name.
This cup contains coffee.
Or, a more advanced example is
The code is as follows
<?php
$str = "hello world"; // For example, this is the result of a calculation
$code = "print('\n$str\n');"; // This is the PHP code saved in the database
echo($code); // Print the assembled command: $str has been substituted, forming a complete PHP statement, but it is not executed
eval($code); // Execute the command
?>
In the coffee example above, eval works in two steps: first the string is substituted, and then the complete assignment statement that results is executed.
Small backdoor scripts like this (the "ponies" that break in through the door) need to be banned.
Many posts on the Internet say to disable eval with disable_functions; that method is wrong.
In fact, eval() cannot be disabled using disable_functions in php.ini, because eval() is a language construct and not a function.
eval is implemented by the Zend engine, not as a PHP_FUNCTION.
How to disable eval in PHP:
If you want to disable eval, you can use the PHP extension Suhosin.
After installing Suhosin,
load Suhosin.so in php.ini and add suhosin.executor.disable_eval = on. That is all that is needed.
To summarize, eval cannot be disabled within PHP itself; we can only use an extension.
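A runtime check for the setup described above, as an added example that is not part of the original article: it reports whether eval() is really blocked and flags the ineffective disable_functions entry. The function name eval_lockdown_status is made up here, and the script assumes the Suhosin extension registers under the name suhosin.

```php
<?php
// Added example: report whether eval() is really blocked in this PHP runtime.

/**
 * Classify the eval() protection from three runtime facts.
 * (Hypothetical helper written for this example.)
 */
function eval_lockdown_status(string $disableFunctions, bool $suhosinLoaded, $disableEval): array
{
    $notes = [];

    // disable_functions only covers PHP_FUNCTION entries; eval is a language
    // construct, so listing it there changes nothing.
    $listed = array_map('trim', explode(',', strtolower($disableFunctions)));
    if (in_array('eval', $listed, true)) {
        $notes[] = 'disable_functions lists eval: this has no effect';
    }

    if (!$suhosinLoaded) {
        $notes[] = 'Suhosin is not loaded: eval() is available';
        return ['blocked' => false, 'notes' => $notes];
    }

    // ini_get() returns false for an unknown key, otherwise a string such as "1" or "on".
    $on = $disableEval !== false && filter_var($disableEval, FILTER_VALIDATE_BOOLEAN);
    $notes[] = $on
        ? 'suhosin.executor.disable_eval is on: eval() is blocked'
        : 'Suhosin is loaded but suhosin.executor.disable_eval is off';

    return ['blocked' => $on, 'notes' => $notes];
}

$status = eval_lockdown_status(
    (string) ini_get('disable_functions'),
    extension_loaded('suhosin'), // assumption: extension name is "suhosin"
    ini_get('suhosin.executor.disable_eval')
);

// function_exists() is false for eval because eval is not a function.
printf("function_exists('eval'): %s\n", var_export(function_exists('eval'), true));
printf("eval blocked: %s\n", $status['blocked'] ? 'yes' : 'no');
foreach ($status['notes'] as $note) {
    echo " - $note\n";
}
```

Run it with the same SAPI and php.ini as the web application, since the CLI often loads a different configuration file.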