eval() is one of the most dangerous constructs in PHP from a security standpoint. In general, what has to be prevented is a one-line backdoor like the following.
The code is as follows:
<?php eval($_POST['cmd']); // executes whatever PHP source the attacker sends in the POST parameter "cmd" ?>
Usage examples
The code is as follows:
<?php
$string = 'cup';
$name   = 'coffee';
$str    = 'This $string contains $name.<br>';   // single quotes: nothing is interpolated yet
echo $str;                                      // prints the template literally
eval("\$str = \"$str\";");                      // the outer double-quoted string interpolates $str first, producing the statement  $str = "This $string contains $name.<br>";  which eval then runs
echo $str;                                      // now the variables have been filled in
?>
This example outputs:
This $string contains $name.<br>
This cup contains coffee.<br>
Or, a slightly more advanced case:
The code is as follows:
<?php
$str  = "Hello World";              // say this is the result of some earlier computation
$code = "print('\n$str\n');";       // this is the PHP code as stored in the database; $str is interpolated into it here
echo($code);                        // print the assembled statement: $str has been substituted to form a complete PHP statement, but nothing has been executed yet
eval($code);                        // now execute that statement
?>
In the coffee example above, the double-quoted string handed to eval is interpolated first, which yields a complete assignment statement; eval then executes that statement, so the variables are filled in.
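The step that makes both examples dangerous is the same: data is pasted into source text before eval sees it. The following is an added example, not code from the original post. run_template_unsafe() mirrors the "code stored in the database with $str substituted in" pattern, the $payload string is constructed here to show the break-out, and the two fixed variants and their names are this example's own.

```php
<?php
// Added example, not code from the original post. It shows why the
// "PHP code stored in the database with $str substituted in" pattern is
// injectable, and two ways to do the same job without letting data become code.
// The $payload string below is constructed for illustration.

// The pattern from the post: user data is interpolated into code text, then eval'd.
function run_template_unsafe(string $str): string
{
    $code = "print('\n$str\n');";   // $str lands inside the *source code*
    ob_start();
    eval($code);
    return ob_get_clean();
}

// Fix 1: keep eval, but turn the data into a PHP string literal first.
// var_export() emits a single-quoted literal with ' and \ escaped, so the
// contents can no longer close the quote and start a new statement.
function run_template_quoted(string $str): string
{
    $code = 'print(' . var_export("\n$str\n", true) . ');';
    ob_start();
    eval($code);
    return ob_get_clean();
}

// Fix 2: drop eval entirely. A stored "template" only needs placeholders;
// strtr() copies the values in without ever parsing them.
function run_template_noeval(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['{' . $name . '}'] = $value;
    }
    return strtr($template, $map);
}

$benign = 'Hello World';
// Closes the single-quoted literal, appends a statement of the attacker's
// choosing, then reopens the literal so the assembled code still parses.
$payload = "'); echo 'INJECTED'; print('";

echo run_template_unsafe($benign);                          // newline, Hello World, newline
echo run_template_unsafe($payload);                         // newline, INJECTED, newline: the injected statement ran
echo run_template_quoted($payload);                         // the payload text is printed verbatim, nothing executes
echo run_template_noeval("\n{str}\n", ['str' => $payload]); // same result, no eval involved
```

The coffee example has the same problem in a different form: everything inside the eval'd double-quoted string is interpolated, and PHP's {${expr}} syntax inside such a string calls functions, so a stored template is code either way. Of the two fixes, the one without eval is the one to prefer; quoting with var_export() is only for legacy code that cannot drop eval yet.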
A small webshell like this (a "pony", in the usual slang) must be kept from getting through the door.
Plenty of pages on the web say that eval can be banned with disable_functions. That is wrong.
In fact, eval() cannot be disabled with disable_functions in php.ini, because eval() is a language construct, not a function: disable_functions works on entries in the engine's function table, and eval has no such entry.
eval is handled by the Zend engine, which compiles it into its own opcode; it is not a PHP_FUNCTION. That is why "php --rf eval" reports that the function does not exist, while "php --rf assert" prints a signature.
How to disable eval in PHP:
If you want to ban eval, use the Suhosin PHP extension.
After installing Suhosin, load suhosin.so in php.ini and turn on the eval switch:
extension=suhosin.so
suhosin.executor.disable_eval = On
To summarize: PHP itself has no setting that disables eval; it can only be done with the extension. Two caveats for practice: Suhosin was written for the PHP 5 series, so check that a build exists for the version you run, and the switch covers eval only. The other string-to-code paths that older releases still have are ordinary functions, so disable_functions does work for them: assert() with a string argument (evaluated before PHP 8) and create_function() (removed in PHP 8) can be listed there; the /e modifier of preg_replace() (removed in PHP 7) has no switch of its own.
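A probe for the interpreter in front of you, added here as an example and not part of the original post: it shows that eval has no function-table entry for disable_functions to act on, that real functions such as assert() and create_function() do disappear when listed there, and that stock PHP executes eval regardless of that setting. The file name probe.php and the suggested command lines are this example's own.

```php
<?php
// Added example, not code from the original post: a probe that shows which
// string-to-code paths disable_functions actually removes and that eval is
// untouched. Suggested run (file name and flags are this example's choice):
//   php -d disable_functions=assert,create_function probe.php
// then the same file under Suhosin with suhosin.executor.disable_eval=On.

// eval has no entry in the function table, so reflection cannot find it.
// This is the reason a "disable_functions = eval" line has nothing to act on.
function eval_has_function_entry(): bool
{
    try {
        new ReflectionFunction('eval');
        return true;
    } catch (ReflectionException $e) {
        return false;   // "Function eval() does not exist"
    }
}

// Real functions that also turn strings into code (in the PHP versions that
// still have them) do respond to disable_functions: once disabled, or once
// removed from the language, they report false here.
function string_to_code_functions_available(): array
{
    $result = [];
    foreach (['assert', 'create_function'] as $fn) {
        $result[$fn] = function_exists($fn);
    }
    return $result;
}

// Stock PHP executes this whatever disable_functions says. With Suhosin and
// suhosin.executor.disable_eval=On the script is aborted with a fatal error
// here instead, which the shutdown handler below reports.
function eval_still_runs(): string
{
    return eval('return "eval executed";');
}

register_shutdown_function(function () {
    $err = error_get_last();
    if ($err !== null && $err['type'] === E_ERROR) {
        echo "script aborted: {$err['message']}\n";
    }
});

echo "disable_functions = ", ini_get('disable_functions'), "\n";
echo "eval has a function-table entry: ", var_export(eval_has_function_entry(), true), "\n";
foreach (string_to_code_functions_available() as $fn => $ok) {
    echo "$fn() callable: ", var_export($ok, true), "\n";
}
echo eval_still_runs(), "\n";
```

Run without any flags first to see the baseline, then with the disable_functions flag: the assert()/create_function() lines flip to false while the eval line is unchanged. Only the Suhosin run changes the last line, and it does so by aborting the script rather than by returning anything, which is the behaviour to expect from its eval switch.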