
Introduction to correct disabling of eval function and misunderstandings in PHP_PHP Tutorial

WBOY
2016-07-13 10:47:44

eval looks like a function in PHP, but it is not a regular (system component) function. It cannot be disabled through disable_functions in php.ini, because it is not a PHP_FUNCTION.

eval() is very destructive for PHP security. It is generally not used in order to prevent

Usage Example


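<?php
$string = 'cup';
$name = 'coffee';
// Single quotes: $string and $name are not interpolated here.
$str = 'This $string contains $name.
';
echo $str;
// The backslashes keep \$str and the inner quotes literal, so eval() receives
// an assignment statement whose right-hand side is a double-quoted string.
eval( "\$str = \"$str\";" );
echo $str;
?>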

The return value in this example is

This $string contains $name.

This cup contains coffee.

A more advanced example:

<?php
$str = "hello world"; // For example, this is the result of a calculation
$code = "print('\n$str\n');"; // This is the PHP code saved in the database
echo($code); // Prints the assembled command: $str has been substituted, forming a complete PHP statement, but it is not executed
eval($code); // Executes the command
?>

In the coffee example above, two things happen inside eval: first the variables in the string are substituted, and then the resulting complete assignment statement is executed.

One-line backdoors ("ponies") that break in this way need to be blocked. Many of the methods circulating on the Internet that use disable_functions to disable eval are wrong. In fact, eval() cannot be disabled using disable_functions in php.ini, because eval() is a language construct and not a function: eval belongs to the Zend engine and is not a PHP_FUNCTION.

How to disable eval in php:
If you want to disable eval, you can use the PHP extension Suhosin. After installing Suhosin, load Suhosin.so in php.ini and add suhosin.executor.disable_eval = on.

To summarize, eval cannot be disabled by PHP itself; we can only use a plug-in (extension).
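
An added example (not from the original article or the Suhosin project): a PHP check that reports whether eval is really blocked under a given configuration, flagging the disable_functions mistake described above. The helper name audit_eval_config and the sample values passed to it are constructed for illustration.

```php
<?php
// Added example; audit_eval_config() is a hypothetical helper, not a PHP or Suhosin API.
// The three settings are passed in as arguments so it can also run on constructed values.
function audit_eval_config($disableFunctions, $suhosinLoaded, $disableEval)
{
    $findings = [];

    // disable_functions is a comma-separated list of function names.
    $listed = array_map('trim', explode(',', strtolower($disableFunctions)));
    if (in_array('eval', $listed, true)) {
        $findings[] = "WARN: 'eval' in disable_functions has no effect (eval is a language construct)";
    }

    // php.ini booleans normally read back as "1"; accept the spelled-out forms as well.
    $evalOff = in_array(strtolower(trim($disableEval)), ['1', 'on', 'yes', 'true'], true);

    if (!$suhosinLoaded) {
        $findings[] = 'FAIL: Suhosin is not loaded, eval() is available';
    } elseif (!$evalOff) {
        $findings[] = 'FAIL: Suhosin is loaded but suhosin.executor.disable_eval is not on';
    } else {
        $findings[] = 'OK: suhosin.executor.disable_eval is on';
    }
    return $findings;
}

// Constructed sample: the mistaken setup the article warns about.
print_r(audit_eval_config('exec,system,eval', false, ''));

// eval is a language construct, so it has no entry in the function table
// that function_exists() and disable_functions operate on.
var_dump(function_exists('eval'));

// The running interpreter's own settings (ini_get() returns false for unknown keys).
print_r(audit_eval_config(
    (string) ini_get('disable_functions'),
    extension_loaded('suhosin'),
    (string) ini_get('suhosin.executor.disable_eval')
));
```

Run it under the same SAPI that serves the application (for example through the web server rather than the CLI), since each can load a different php.ini.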
