eval is not an ordinary PHP function: it is a language construct handled by the engine itself, not a function registered through PHP_FUNCTION, so the disable_functions directive in php.ini cannot disable it.
eval() is extremely dangerous for PHP security and should generally be avoided, because it turns attacker-controlled text into running code. The classic one-line PHP backdoor is nothing more than:
The code is as follows:
<?php eval($_POST['cmd']); ?>
Example
The code is as follows:
<?php
$string = 'cup';
$name = 'coffee';
$str = '$name is included in $string. <br>';   // single quotes: the variables are not interpolated yet
echo $str;
eval("\$str = \"$str\";");                      // builds and runs: $str = "$name is included in $string. <br>";
echo $str;
?>
In this example the output is (the <br> renders as a line break in a browser):
$name is included in $string.
coffee is included in cup.
A slightly more advanced example:
The code is as follows:
<?php
$str = "hello world";             // for example, the result of an earlier computation
$code = "print('\n$str\n');";     // PHP code stored in the database, with $str interpolated into it
echo($code);                      // prints the assembled statement: it is now a complete PHP command, but has not been executed
eval($code);                      // executes the command
?>
In the coffee example, eval first interpolates the variables into the string and then executes the resulting assignment as a complete PHP statement.
This kind of one-line webshell (the "pony", a minimal trojan) must be blocked.
A common piece of advice found online, to disable eval through disable_functions, is wrong.
In fact, eval() is a language construct, not a function, so disable_functions in php.ini cannot disable it.
eval is handled inside the Zend engine (the compiler emits its own opcode for it) rather than being registered as a PHP_FUNCTION, so it never appears in the function table that disable_functions operates on. The same holds for the other language constructs such as include, require, exit and print.
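The following script is an added example, not code from the original article: it demonstrates that disable_functions removes real internal functions such as system() and exec() while eval() keeps working, and that function_exists('eval') is false even on a stock configuration, because eval is not a function at all. The file name eval_vs_disable_functions.php and the choice of system/exec as the disabled functions are assumptions made for the example.

```php
<?php
// Added example (not from the original article): shows that disable_functions
// removes real internal functions but cannot touch eval, which is a language
// construct compiled by the engine rather than a registered PHP_FUNCTION.
//
// Run it with the functions disabled on the command line, e.g.
//   php -d disable_functions=system,exec eval_vs_disable_functions.php
// (the file name is an arbitrary choice for this example).
declare(strict_types=1);

// Report how PHP itself sees a name: whether it is listed in disable_functions
// and whether function_exists() still finds it. function_exists('eval') is
// always false, even with an empty disable_functions, because eval is not a
// function; that is exactly why disable_functions cannot reach it.
function describe(string $name): string
{
    $listed = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return sprintf(
        "%-7s listed in disable_functions: %-3s  function_exists(): %s",
        $name,
        in_array($name, $listed, true) ? 'yes' : 'no',
        function_exists($name) ? 'true' : 'false'
    );
}

foreach (['system', 'exec', 'eval'] as $name) {
    echo describe($name), PHP_EOL;
}

// 1. A disabled function cannot be called. PHP 7 emits a warning and the call
//    evaluates to null; PHP 8 removes the function entirely, so the call throws
//    Error ("Call to undefined function"). Both paths are handled here.
try {
    $result = @system('id');
    echo 'system(): ', ($result === null || $result === false) ? 'blocked' : 'ran', PHP_EOL;
} catch (\Error $e) {
    echo 'system(): blocked (', $e->getMessage(), ')', PHP_EOL;
}

// 2. eval still works regardless of disable_functions. This is the same
//    primitive the one-line backdoor hands to an attacker, here with a
//    harmless constant expression instead of $_POST['cmd'].
$answer = eval('return 6 * 7;');
echo "eval('return 6 * 7;') returned {$answer}", PHP_EOL;

// 3. What disable_functions still buys you: code executed through eval is
//    subject to the same list, so a system() call inside the evaluated code
//    is blocked just like a direct one.
try {
    $viaEval = @eval('return system("id");');
    echo 'system() via eval: ', ($viaEval === null || $viaEval === false) ? 'blocked' : 'ran', PHP_EOL;
} catch (\Error $e) {
    echo 'system() via eval: blocked (', $e->getMessage(), ')', PHP_EOL;
}
```

Run without the -d option to see system() execute normally; run with it to see system() blocked while eval() still returns 42. The third step is the practical takeaway: disable_functions cannot stop an eval-based webshell from running PHP code, but it does limit which shell-execution functions that code can reach, so it remains worth setting for system, exec, shell_exec, passthru, popen and proc_open even though eval itself stays enabled.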
How to disable eval in PHP:
If you want to disable eval, use the PHP extension Suhosin.
After installing Suhosin, load suhosin.so in php.ini and turn on its eval switch:
extension=suhosin.so
suhosin.executor.disable_eval = On
In summary, PHP itself cannot disable eval; only a plug-in such as Suhosin can. Note that the original Suhosin extension only supports PHP 5.x, so on PHP 7 and 8 there is no stock way to disable eval: the defence there is to keep eval out of the code base (and out of writable webroots) and to limit what evaluated code can reach, with disable_functions for the shell-execution functions and open_basedir for the filesystem.