eval looks like a function in PHP, but it is not a system-component function, so disable_functions in php.ini cannot disable it: it is not a php_function.
eval() is highly destructive as far as PHP security is concerned; when it is not needed it is generally disabled, in order to prevent
Usage examples
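```php
<?php
$string = 'cup';
$name = 'coffee';
// Single quotes: the variables are NOT expanded yet.
$str = 'This $string contains $name.';
echo $str . "\n";
// eval() runs the assignment $str = "This $string contains $name.";
// so the variables are expanded at this point.
eval("\$str = \"$str\";");
echo $str . "\n";
?>
```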
This example outputs:
```
This $string contains $name.
This cup contains coffee.
```
Or, a slightly more advanced example:
```php
<?php
$str = "Hello World"; // for example, this is the result of some computation
$code = "print('\n$str\n');"; // this is the PHP code stored in the database
echo($code); // prints the assembled command: $str has been substituted, forming a complete PHP statement, but it is not executed
eval($code); // executes the command
?>
```
In the coffee example above, the variables inside the string passed to eval are substituted first, which forms a complete assignment statement; that statement is then executed.
This kind of small trojan (web shell) getting in the door is something that has to be blocked.
Many articles online say to use disable_functions to disable eval; this is wrong.
In fact, eval() cannot be disabled through disable_functions in php.ini, because eval() is a language construct and not a function.
eval belongs to the Zend engine; it is not a php_function.
How to disable eval in PHP:
If you want to disable eval, you can use the PHP extension Suhosin.
After installing Suhosin, load suhosin.so in php.ini and add suhosin.executor.disable_eval = On
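The check below is an added example, not code from the original article: a Python audit of php.ini text that flags `eval` listed in disable_functions as ineffective and confirms that Suhosin is both loaded and told to disable eval. It goes slightly beyond the page by also flagging other language constructs; the sample configurations are constructed, and loading Suhosin through an `extension=` line is an assumption.

```python
# Language constructs are compiled by the Zend engine rather than looked up
# in the function table, so listing them in disable_functions does nothing.
LANGUAGE_CONSTRUCTS = {"eval", "echo", "print", "include", "include_once",
                       "require", "require_once", "isset", "unset", "empty"}
TRUE_VALUES = {"1", "on", "yes", "true"}  # php.ini boolean spellings

def parse_ini(text):
    """Return (directives, extensions); a later directive overrides an earlier one."""
    directives, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip().strip("\"'") for part in line.split("=", 1))
        if key.lower() == "extension":
            extensions.append(value)
        else:
            directives[key.lower()] = value
    return directives, extensions

def audit_eval_hardening(text):
    """Return findings on how this php.ini tries to disable eval()."""
    directives, extensions = parse_ini(text)
    disabled = {f.strip().lower() for f in directives.get("disable_functions", "").split(",")}
    findings = [f"INEFFECTIVE: '{name}' in disable_functions is a language construct"
                for name in sorted(disabled & LANGUAGE_CONSTRUCTS)]
    # Assumption: Suhosin is loaded through an extension= line naming suhosin.so.
    loaded = any(e.endswith("suhosin.so") for e in extensions)
    eval_off = directives.get("suhosin.executor.disable_eval", "").lower() in TRUE_VALUES
    if loaded and eval_off:
        findings.append("OK: eval() disabled by suhosin.executor.disable_eval")
    elif eval_off:
        findings.append("INEFFECTIVE: disable_eval is set but suhosin.so is not loaded")
    else:
        findings.append("EXPOSED: eval() is still available")
    return findings

# Constructed sample configurations (not from a real server).
WEAK_INI = """[PHP]
disable_functions = exec,system,eval   ; listing eval here has no effect
"""
HARDENED_INI = """[PHP]
disable_functions = exec,system
extension = suhosin.so
suhosin.executor.disable_eval = On
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_eval_hardening(ini))
```

PHP can also read additional .ini files from its scan directory, so pass the function the merged configuration text rather than the main php.ini alone.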
In summary, eval cannot be disabled by PHP itself; we can only do it with an extension.