We PHP programmers have probably all used the eval() function for one operation or another. Many hackers use this same function to make trouble: it will directly accept data submitted by a user and execute it. That sentence is not meant to scare you; let me introduce how the eval() function is used.
If the code string contains no return statement, NULL is returned. If there is a parse error in the code, the eval() function returns false.
Syntax
eval(phpcode)
phpcode is required and specifies the PHP code to be evaluated.
Example
The code is as follows
<?php
$string = 'cup';
$name = 'coffee';
$str = 'This $string contains $name. '; // single quotes: $string and $name are not interpolated yet
echo $str;
eval("\$str = \"$str\";"); // builds the statement  $str = "This $string contains $name. ";  and executes it
echo $str;
?>
Output:
This $string contains $name.
This cup contains coffee.
Note that eval() runs only after the variables have been assigned: the assignments come first, then the code string is executed, which is why the second echo shows the substituted values.
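The substitution trick above, done two ways, as an added example that is not part of the original article: once with eval() as the article does (with the backslashes that the example needs), and once with strtr(), which produces the same string without ever parsing $str as PHP. The variable names $viaEval and $viaStrtr are my own; the strings are the article's.

```php
<?php
// Added example (not from the original article): variable substitution with and without eval().
declare(strict_types=1);

$string = 'cup';
$name   = 'coffee';
$str    = 'This $string contains $name. ';   // single quotes: no interpolation yet

// 1. The article's approach: build a PHP statement and hand it to eval().
//    The backslashes matter: \$viaEval keeps the left-hand side literal and \"
//    quotes the right-hand side, so the outer double-quoted string interpolates
//    $viaEval and the generated code reads:  $viaEval = "This $string contains $name. ";
$viaEval = $str;
eval("\$viaEval = \"$viaEval\";");

// 2. Same result without executing anything: replace the placeholders with strtr().
//    Nothing in $str is parsed as PHP, so a value of $string or $name that happens
//    to contain quotes or PHP syntax is copied into the output verbatim, not run.
$viaStrtr = strtr($str, ['$string' => $string, '$name' => $name]);

echo $viaEval, PHP_EOL;            // This cup contains coffee.
echo $viaStrtr, PHP_EOL;           // This cup contains coffee.
var_dump($viaEval === $viaStrtr);  // bool(true)
```

Whenever eval() is only being used to fill placeholders in a string, the strtr() form is the one to keep: it gives the same output and removes the code-execution path entirely.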
The code is as follows
<?php
$str = "hello world"; // for example, this is the computed result
$code = "print('\n$str\n');"; // this is the PHP code saved in the database; \n and $str are expanded here
echo $code; // prints the combined command: $str has been substituted, forming a complete PHP statement, but it is not executed yet
eval($code); // executes the statement
?>
The simplest code below is extremely risky. We sometimes see this one line on our websites:
The code is as follows
eval($_POST['cmd']);
With this in place, a hacker can perform any operation on your website: whatever is sent in the cmd field becomes server-side PHP code.
Misunderstanding about this function
There is a disable_functions option in php.ini. With disable_functions = phpinfo, running the disabled function phpinfo() inside eval() displays:
Warning: phpinfo() has been disabled for security reasons
Some people conclude from this that disable_functions also disables eval. This is completely incorrect: eval is a language construct, not a function, and cannot be disabled with disable_functions.
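An added example, not from the original article, that ties the last two sections together: it shows why disable_functions has nothing to act on for eval (function_exists('eval') is false, because the engine never registers eval in the function table), and it replaces the article's eval($_POST['cmd']) line with a fixed dispatch table, so the client's value can only select an action and is never interpreted as code. The $actions table, the dispatch() helper and the sample request arrays are my own constructions standing in for $_POST.

```php
<?php
// Added example (not from the original article): eval() cannot be disabled, so do not feed it user input.
declare(strict_types=1);

// eval is a language construct. disable_functions only removes entries from the
// engine's function table, and eval was never in it, so the setting cannot touch it.
// phpinfo() is a real function, so it can be disabled (and then reports false here).
var_dump(function_exists('phpinfo')); // bool(true) unless listed in disable_functions
var_dump(function_exists('eval'));    // bool(false) always

// The article's one-liner, quoted only for contrast, never for deployment:
//   eval($_POST['cmd']);
// Whatever the client sends becomes server-side code.

// Replacement: a whitelist of named actions. The request value is a lookup key,
// nothing more; an unknown key is refused instead of being executed.
$actions = [
    'ping'  => fn(): string => 'pong',
    'time'  => fn(): string => gmdate('c'),
    'greet' => fn(string $who = 'world'): string => 'hello ' . htmlspecialchars($who, ENT_QUOTES),
];

function dispatch(array $actions, array $request): string
{
    $cmd = (string)($request['cmd'] ?? '');
    if (!array_key_exists($cmd, $actions)) {
        http_response_code(400);   // unknown action: refuse, do not improvise
        return 'unknown command';
    }
    $args = isset($request['arg']) ? [(string)$request['arg']] : [];
    return $actions[$cmd](...$args);
}

// Constructed sample requests standing in for $_POST:
echo dispatch($actions, ['cmd' => 'ping']), PHP_EOL;                  // pong
echo dispatch($actions, ['cmd' => 'greet', 'arg' => 'PHP']), PHP_EOL; // hello PHP
echo dispatch($actions, ['cmd' => 'phpinfo();']), PHP_EOL;            // unknown command
```

The dispatch table is the general shape of the fix: the set of things a request may trigger is written down in the code, and the request can only choose among them. A `grep` for `eval(` over the code base, followed by the same rewrite for every hit that takes request data, is the practical audit step.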