The Harm of PHP's eval Function and the Correct Way to Disable It

  • 2021-07-06 10:31:31
  • OfStack

PHP's eval is not an ordinary built-in function, so it cannot be disabled with disable_functions in php.ini.

But eval() is extremely dangerous for PHP security, so to prevent intrusions through a one-line webshell like the following, it needs to be blocked!


<?php eval($_POST[cmd]);?>

Usage example of eval():


<?php
$string = 'Cup';
$name = 'Coffee';
// Single quotes: $string and $name are NOT interpolated at this point
$str = 'This $string contains $name.<br>';
echo $str;
// eval() builds the statement  $str = "This $string contains $name.<br>";
// and runs it, so the variables are interpolated now
eval("\$str = \"$str\";");
echo $str;
?>

The output of this example is:


This $string contains $name.
This Cup contains Coffee.

A more advanced example:


<?php
$str = "hello world";                    // For example, the result of an earlier computation
$code = "print(\"\\n$str\\n\");";        // PHP code stored in the database, with $str substituted in
echo($code);                             // Print the assembled statement: $str has been replaced and it is a complete PHP statement, but it is not executed yet
eval($code);                             // Execute the statement
?>

In the coffee example above, eval() first interpolates the variables into the string, and then executes the complete assignment statement that results.

This kind of small webshell must be blocked!
Many people online say to use disable_functions to ban eval, but that is wrong!
In fact, eval() cannot be disabled with disable_functions in php.ini,
because eval() is a language construct and not a function.

eval belongs to the Zend engine and is therefore not a PHP_FUNCTION;

So how can eval be banned in PHP?

If you want to disable eval, you can use the PHP extension Suhosin:
After installing Suhosin, add extension=suhosin.so to php.ini, and then add suhosin.executor.disable_eval = On!
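The following check script is an added example (not from the original article) that makes the point above observable: it shows that listing eval in disable_functions has no effect while a real function such as system() is blocked, and it reports whether Suhosin's disable_eval switch is active. The function names are mine; the php.ini lines in the comments are the weak setting beside the corrected one. Note that Suhosin only targets PHP 5, so on PHP 7 and later this switch is not available.

```php
<?php
// Added example, not the article's code. Run for instance with:
//   php -d disable_functions=system,exec,eval check_eval.php
//
// Weak php.ini (eval still works, because eval is not a function):
//   disable_functions = system,exec,eval
// Corrected php.ini (PHP 5 with Suhosin installed):
//   extension=suhosin.so
//   suhosin.executor.disable_eval = On

function suhosinEvalDisabled(): bool
{
    // ini_get() returns false when the Suhosin entry is not registered at all
    return extension_loaded('suhosin')
        && filter_var(ini_get('suhosin.executor.disable_eval'), FILTER_VALIDATE_BOOLEAN);
}

function functionDisabled(string $name): bool
{
    // function_exists() returns false for names listed in disable_functions
    return !function_exists($name);
}

function evalStillWorks(): bool
{
    // Harmless probe. Only call this when Suhosin has not disabled eval,
    // because with disable_eval = On the call is a fatal error.
    return eval('return 6 * 7;') === 42;
}

printf("disable_functions     = %s\n", ini_get('disable_functions'));
printf("system() blocked      : %s\n", functionDisabled('system') ? 'yes' : 'no');

if (suhosinEvalDisabled()) {
    echo "eval() blocked        : yes (suhosin.executor.disable_eval = On)\n";
} else {
    printf("eval() blocked        : %s\n",
        evalStillWorks() ? 'no (disable_functions has no effect on eval)' : 'yes');
}
```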

To sum up, PHP's eval cannot be disabled by PHP itself, so we have to use an extension!
