Reprinted from: http://www.myhack58.com/Article/60/61/2014/50632.htm
PHP's eval() is not a system component function, so it cannot be prohibited with the disable_functions directive in php.ini.
But eval() does a great deal of damage to PHP security, so in the usual case where it is not needed it should be prohibited, in order to stop intrusion by a one-line trojan like the following:
<?php eval($_POST['cmd']); ?>
Example of eval() usage:
<?php
$string = 'cup';
$name = 'coffee';
// Single quotes: $string and $name are NOT interpolated yet
$str = 'This $string contains $name.<br>';
echo $str;
// Build the statement  $str = "This $string contains $name.<br>";  and run it,
// so the variables are substituted by the double-quoted string inside eval
eval("\$str = \"$str\";");
echo $str;
?>
The output of this example is:
This $string contains $name.
This cup contains coffee.
A slightly more advanced example:
<?php
$str = "Hello World";              // for example, a value computed at runtime
$code = "print('\n$str\n');";      // this is PHP code stored in the database
echo($code);                       // prints the combined statement: $str has been substituted, forming a complete PHP command, but it is not executed yet
eval($code);                       // executes that command
?>
In the coffee example above, eval first substitutes the variables in the string, which yields a complete assignment statement, and then executes that statement.
A small webshell getting in this way is exactly what must be blocked!
However, many posts online say to use disable_functions to prohibit eval, and that is wrong!
In fact, eval() cannot be listed in disable_functions in php.ini at all:
because eval() is a language construct and not a function;
eval is implemented in the Zend engine and is therefore not a PHP_FUNCTION.
So how can eval be prohibited in PHP?
If you want to disable eval, you can use the PHP extension Suhosin:
after installing Suhosin, load suhosin.so in php.ini and add suhosin.executor.disable_eval = On, and that is all!
To summarize: PHP's eval cannot be disabled by PHP itself, so an extension has to be used!
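As an added example (not part of the original article), the script below shows two defender-side checks that follow from the points above: a runtime check confirming that eval is a language construct (function_exists() does not know it, so a disable_functions entry cannot bind to it) and whether the Suhosin switch is active, plus a tokenizer-based scanner that locates eval() in source code for the common case where no hardening extension is installed. The sample source is constructed here; the function names are this example's own.

```php
<?php
// Added example, not from the original article.
// Check 1: at runtime, is eval really beyond the reach of disable_functions,
//          and is the Suhosin switch from the article turned on?
function evalProtectionStatus(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return [
        // eval is a language construct, so this is always false
        'eval_is_function'     => function_exists('eval'),
        // listing eval here is accepted by PHP but has no effect
        'eval_in_disable_list' => in_array('eval', $disabled, true),
        'suhosin_loaded'       => extension_loaded('suhosin'),
        // ini_get() returns false when the directive does not exist
        'suhosin_disable_eval' => (bool) ini_get('suhosin.executor.disable_eval'),
    ];
}

// Check 2: find eval() in PHP source. The tokenizer is used instead of a regex
// so that the word "eval" in comments, strings, variable names ($eval) or other
// identifiers (my_eval) is not reported; only the T_EVAL token is.
function findEvalUsages(string $source): array
{
    $lines = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_EVAL) {
            $lines[] = $token[2]; // line number of the eval construct
        }
    }
    return $lines;
}

// Constructed sample file: ordinary code with a one-line webshell appended.
$sample = <<<'PHP'
<?php
// the word eval in a comment is harmless
$eval = 'not a call';
function my_eval($x) { return $x; }
echo my_eval($eval);
eval($_POST['cmd']);
PHP;

print_r(evalProtectionStatus());
print_r(findEvalUsages($sample));
```

Running it on a stock PHP build reports eval_is_function as false regardless of what disable_functions contains, which is the reason the article gives for needing Suhosin. The scanner reports only the line holding the real eval() construct, not the comment, the $eval variable or my_eval(); pointing it at a web root is a cheap way to audit for one-line trojans when suhosin.executor.disable_eval cannot be turned on.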
The harm of eval function in PHP and the method of correct disabling