Hazards of eval functions in php and correct disabling methods

This article mainly introduces the hazards of eval functions in php and the correct ways to disable them. For more information, see

Php's eval function is not a system component function, so we cannot disable it by using disable_functions in php. ini.

However, eval () is highly lethal to php security. Therefore, in general, eval () needs to be disabled to prevent Trojans like the following!

<?php eval($_POST[cmd]);?>

Eval () Example:

<? Php $ string = 'coffee cup '; $ name = 'coffee'; $ str = 'This $ string contains $ name. <br> '; echo $ str; eval ("$ str =" $ str ";"); echo $ str;?>

In this example, the return value is:

$ Name is included in $ string. Coffee is included in this cup.

Or more advanced points are:

<? Php $ str = "hello world"; // For example, this is the meta calculation result $ code = "print ('n' $ strn ');"; // This is the php code echo ($ code) saved in the database; // print the combined command. The str string is replaced to form a complete php Command, but it does not execute eval ($ code); // does it execute this command?>

For the above example of coffee, in eval, the string is replaced first, and then a complete value Assignment Command is executed.
 
This kind of pony tricks need to be disabled!
However, it is wrong to use disable_functions to disable eval on the Internet!
In fact, eval () cannot be disabled by disable_functions in php. ini:
Because eval () is a language construct and not a function

Eval is zend, so it is not a PHP_FUNCTION;

So how does php disable eval?

If you want to disable eval, you can use php extension Suhosin:
After suhosinis installed, load suhosin.soin php.ini, and add suhosin.exe cutor. disable_eval = on!

In summary, php's eval function cannot be disabled in php, so we only need to use the plug-in!