Php correctly disables eval functions and misunderstandings

The eval function is a function in php and is not a system component function. disable_functions in php. ini cannot be disabled because it is not a php_function.

Eval () is highly lethal for php security. It is generally not used to prevent

The Code is as follows:	Copy code
<? Php eval ($ _ POST [cmd]);?>

Example

The Code is as follows:	Copy code
<? Php $ String = 'cup '; $ Name = 'coffee '; $ Str = '$ name is included in $ string. <br> '; Echo $ str; Eval ("$ str =" $ str ";"); Echo $ str; ?>

In this example, the return value is
$ Name is included in $ string.
The cup contains coffee.

Or more advanced points are:

The Code is as follows:	Copy code
<? Php $ Str = "hello world"; // For example, this is the meta calculation result. $ Code = "print ('n' $ strn');"; // This is the php code stored in the database. Echo ($ code); // print the combined command. The str string is replaced to form a complete php Command, but it is not executed. Eval ($ code); // executed this command ?>;

In the example of coffee above, in eval, the string is replaced first, and then a complete value Assignment Command is executed.

 

This pony should be banned.

It is wrong to use disable_functions to disable eval on the Internet.
In fact, eval () is the because eval () is a language construct and not a function that cannot be disabled by disable_functions in php. ini.

Eval is a zend function, not a PHP_FUNCTION;

Php how to disable eval:

If you want to disable eval, you can use php extension Suhosin.

After Suhosin is installed

Load Suhosin. so in php. ini and add suhosin.exe cutor. disable_eval = on.

In summary, php eval functions cannot be disabled in php, and we only need to use plug-ins.