This article mainly introduces the hazards of the eval function in PHP and the correct way to disable it. For more information, see
PHP's eval is not an ordinary built-in function, so it cannot be disabled with disable_functions in php.ini.
However, eval() is extremely dangerous for PHP security, so in general it needs to be disabled to prevent one-line backdoors like the following:
<?php eval($_POST[cmd]);?>
eval() example:
<?php
$string = 'coffee cup';
$name = 'coffee';
$str = 'This $string contains $name. <br>'; // single quotes: no interpolation yet
echo $str;
eval("\$str = \"$str\";"); // eval interpolates the variables and re-assigns $str
echo $str;
?>
In this example, the output is:
This $string contains $name. This coffee cup contains coffee.
Or a slightly more advanced version:
<?php
$str = "hello world"; // for example, a value computed at runtime
$code = "print('\n$str\n');"; // PHP code stored, for example, in the database
echo($code); // print the combined command: $str is substituted to form a complete PHP statement, but it is not executed yet
eval($code); // execute the command
?>
In the coffee example above, eval first interpolates the variables into the string and then executes the resulting assignment as a complete PHP statement.
This kind of one-line webshell trick needs to be blocked!
However, the advice found online to disable eval with disable_functions is wrong!
In fact, eval() cannot be disabled by disable_functions in php.ini:
Because eval() is a language construct, not a function;
eval is implemented in the Zend engine, so it is not a PHP_FUNCTION.
So how can eval be disabled in PHP?
If you want to disable eval, you can use the PHP extension Suhosin:
After Suhosin is installed, load suhosin.so in php.ini and add suhosin.executor.disable_eval = On.
In summary, PHP's eval cannot be disabled by PHP itself, so an extension is the only option!
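As an added example (not code from the original article), the "coffee cup" templating above rebuilt without eval(), together with a runtime check for the Suhosin setting the article recommends; the function names are my own.

```php
<?php
// Substitute $variable placeholders from an explicit list of values.
// Unlike eval("\$str = \"$str\";"), text in the template or in the values
// is only ever treated as data, never compiled as PHP code.
function render_template(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $key => $value) {
        $map['$' . $key] = (string) $value;
    }
    // strtr() tries the longest keys first, so "$string" wins over "$str",
    // and it makes a single pass, so substituted values are not re-expanded.
    return strtr($template, $map);
}

// Report whether eval() is blocked by the Suhosin extension
// (suhosin.executor.disable_eval = On). Stock PHP has no such switch,
// so without Suhosin this always returns false.
function eval_is_disabled(): bool
{
    if (!extension_loaded('suhosin')) {
        return false;
    }
    $value = ini_get('suhosin.executor.disable_eval');
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample input: the article's template with one value that
// contains quotes and a dollar sign, as request data might.
$template = 'This $string contains $name. <br>';
$vars = ['string' => 'coffee cup', 'name' => 'a "quoted" value with $dollar'];
echo render_template($template, $vars), "\n";
// The quotes and "$dollar" arrive in the output unchanged; with eval() the
// same value would have become part of the PHP statement being compiled.

echo eval_is_disabled() ? "eval() is disabled by Suhosin\n"
                        : "eval() is enabled; Suhosin is not enforcing disable_eval\n";
?>
```

Suhosin is a third-party extension and is not part of current PHP releases, so the check above only confirms what is loaded; not passing untrusted text to eval() in the first place is the measure that does not depend on it.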