Harm of eval Function in php and Correct Disabling Method
- 2021-07-06 10:31:31
- OfStack
PHP's eval is not an ordinary built-in function, so it cannot be disabled with disable_functions in php.ini.
But eval() is extremely dangerous for PHP security, so to prevent intrusion through a one-line Trojan (webshell) like the following, it must be prohibited!
<?php eval($_POST[cmd]);?>
Usage example of eval():
<?php
$string = ' Cup ';
$name = ' Coffee ';
$str = ' This $string Installed in $name.<br>';
echo $str;
eval( "\$str = \"$str\";" ); // the outer string interpolates $str; the evaluated assignment then interpolates $string and $name
echo $str;
?>
The return value of this example is:
This $string Installed in $name.
This Cup Installed in Coffee .
A more advanced use:
<?php
$str = "hello world"; // For example, this is the result of an earlier computation
$code = "print('\n$strn');"; // This is PHP code stored in the database; $str is interpolated here, \n stays literal inside the single quotes
echo($code); // Print the assembled command: $str has been substituted, forming a complete PHP statement, but it is not executed yet
eval($code); // Execute that statement
?>
In the coffee example above, eval first interpolates the variables into the string, then executes the resulting complete assignment statement.
This kind of one-line webshell must be blocked!
However, the advice found all over the Internet to disable eval with disable_functions is wrong!
In fact, eval() cannot be disabled with disable_functions in php.ini, because eval() is a language construct and not a function:
eval is handled by the Zend engine and is therefore not a PHP_FUNCTION function.
So how does PHP ban eval?
If you want to disable eval, you can use the PHP extension Suhosin:
After installing Suhosin, load suhosin.so in php.ini (extension=suhosin.so) and add suhosin.executor.disable_eval = On.
To sum up, PHP's eval cannot be disabled by PHP itself, so we have to use an extension!
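Since disable_functions does not catch eval, a defender also wants to know where eval already appears in the web root and whether request data flows into it, as in the one-line webshell above. The following scanner is an added example, not code from the original post; the PHP sources it scans are constructed inline and the severity labels are my own convention.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample PHP files (not from any real site). shell.php is the
# one-line webshell from the post; coffee.php is the benign interpolation demo.
SAMPLES: Dict[str, str] = {
    "shell.php": "<?php eval($_POST[cmd]);?>",
    "shell2.php": "<?php @eval ( $_REQUEST['x'] ); ?>",
    "decoded.php": "<?php eval(base64_decode($_GET['p'])); ?>",
    "coffee.php": "<?php $str = 'This $string'; eval(\"\\$str = \\\"$str\\\";\"); ?>",
    "clean.php": "<?php echo 'hello'; ?>",
}

# eval is a language construct, so it may appear as eval(, @eval(, eval (...
EVAL_RE = re.compile(r"@?\beval\s*\(", re.IGNORECASE)
# Any request-controlled superglobal inside the argument marks a webshell pattern.
SUPERGLOBAL_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|SERVER|FILES)\b", re.IGNORECASE)

def extract_arg(line: str, start: int) -> str:
    """Return the text between the eval( opening paren at start-1 and its matching ')'."""
    depth, i = 1, start
    while i < len(line) and depth:
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
        i += 1
    return line[start:i - 1] if depth == 0 else line[start:]

def find_eval_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, severity, argument) for every eval() in a PHP source.
    'critical' = request data reaches eval (webshell); 'review' = eval on an
    internally built string, which still deserves a look."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in EVAL_RE.finditer(line):
            arg = extract_arg(line, m.end()).strip()
            sev = "critical" if SUPERGLOBAL_RE.search(arg) else "review"
            findings.append((lineno, sev, arg))
    return findings

def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan a name -> source mapping and keep only files that contain eval."""
    return {name: f for name, src in files.items() if (f := find_eval_calls(src))}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        for lineno, sev, arg in hits:
            print(f"{sev:8} {name}:{lineno}  eval({arg})")
```

On a real server you would feed it the contents of each .php file under the web root; eval on a superglobal is the one-line webshell and should be removed outright, while "review" hits are the places that will break once suhosin.executor.disable_eval is switched on.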