PHP correctly disables Eval function and misleading introduction

Eval () has a lot of lethality for PHP security. In general, to prevent

The code is as follows	Copy Code
<?php eval ($_post[cmd]);? >

Usage examples

The code is as follows	Copy Code
<?php $string = ' Cup '; $name = ' coffee '; $str = ' This $string is fitted with $name .<br> '; Echo $str; Eval ("$str =" $str ";"); Echo $str; ?>

The return value for this example is
$name is fitted in this $string.
This cup contains coffee.

Or the more advanced point is

The code is as follows	Copy Code
<?php $str = "Hello World"; For example, this is a meta-calculation result. $code = "Print (' n$strn ');"; /This is the PHP code stored in the database Echo ($code);//Print after the combination of the command, the STR string is substituted to form a complete PHP command, but is not executed eval ($code);//execute this command ?>;

The example of your coffee above, in the eval, first the string is replaced, and then a complete assignment command is executed after the replacement is completed.

A pony like this needs to be banned from breaking the door.

It's wrong to say that using disable_functions to ban Eval is a lot on the web.
In fact, eval () cannot be banned with disable_functions in php.ini because Eval () is a language construct and not a function

Eval is Zend, not php_function function;

How does PHP prohibit eval:

If you want to ban eval, you can use PHP extensions Suhosin

After installing the Suhosin

PHP.ini load comes in suhosin.so plus suhosin.executor.disable_eval = on

To summarize, the PHP eval function is not disabled in PHP and we only use Plug-ins.