我可以使用什么代替eval()? [英] What can I use instead of eval()?

问题描述

我有一个字符串，其中存储了一些必须执行才能产生结果的变量，例如:

I have a string that stores some variables that must be executed to produce a result, for example:

define('RUN_THIS', '\$something.",".$somethingElse');

然后eval()会被定位:

$foo = eval("return ".RUN_THIS.";");

我了解，如果要评估的字符串来自用户输入，则eval是不安全的.但是，例如，如果我想让所有东西都在不支持eval()的Facebook HipHop上运行，我将无法执行此操作.

I understand that eval is unsafe if the string that gets evaluated is from user input. However, if for example I wanted to have everything run off Facebook's HipHop which doesn't support eval() I couldn't do this.

显然我可以使用call_user_func()-这实际上与eval()相同吗?如果确实如此，那么在eval()不是的情况下如何被认为是安全的?

Apparently I can use call_user_func() - is this effectively the same result as eval()? How is deemed to be secure when eval() isn't, if that is indeed the case?

修改: 在回应这些评论时，我最初并没有明确目标是什么.常量是预先定义的，以便以后的代码(可以访问配置常量的类或过程代码)可以使用它来评估给定的变量字符串.根据情况，需要求值的变量可以有所不同(完全不同的名称，顺序，格式)，但是出于相同的目的，它以相同的方式运行，这就是为什么我目前在此将变量字符串设置为常量的原因道路.从技术上讲，只要定义常量的config.php被控制，eval()并不是不安全的，但这不是问题的重点.

In response to the comments, I didn't originally make it clear what the goal is. The constant is defined in advance in order that later code, be it inside a class that has access to the configuration constants, or procedural code, can use it in order to evaluate the given string of variables. The variables that need to be evaluated can vary (completely different names, order, formatting) depending on the situation but it's run for the same purpose in the same way, which is why I currently have the string of variables set in a constant in this way. Technically, eval() is not unsafe as long as the config.php that defines the constants is controlled but that wasn't the point of the question.

推荐答案

肯德尔似乎拥有

Kendall seems to have a simple solution, but I'll try to answer your other question:

显然我可以使用call_user_func()-这实际上与eval()的结果相同吗?如果确实如此，那么在eval()不存在时如何被认为是安全的?

Apparently I can use call_user_func() - is this effectively the same result as eval()? How is deemed to be secure when eval() isn't, if that is indeed the case?

实际上，

call_user_func 比eval更安全，因为call_user_func只能调用一个用户函数.另一方面，eval将字符串作为PHP代码本身执行.您可以在字符串的末尾附加';(关闭字符串并开始新的代码行)，然后添加更多代码，添加;'(结束代码行并开始另一个字符串，以便没有语法错误)，因此允许常量RUN_THIS包含用户可以在服务器上运行的许多PHP代码(包括删除所有重要文件和检索数据库信息等).

call_user_func is actually safer than eval because of the fact that call_user_func can only call one user function. eval on the other hand executes the string as PHP code itself. You can append '; (close the string and start a new "line" of code) at the end of the string and then add some more code, add a ;' (end the line of code and start another string so that there is no syntax error), thus allowing the constant RUN_THIS to contain lots of PHP code that the user can run on the server (including deleting all your important files and retrieving information for databases, etc. NEVER LET THIS HAPPEN.

call_user_func不允许他发生.当您运行call_user_func_array($func, $args)时，用户只能运行一组受限制的功能，因为:(a)必须由用户定义功能(b)您可以操纵$func以确保用户无法运行他所能执行的任何功能/she想要通过检查$func是否在允许的函数"列表中，或通过在函数名称和$func变量本身之前添加诸如user_之类的前缀(这样，用户只能运行以<开头的函数c16>.

call_user_func doesn't let his happen. When you run call_user_func_array($func, $args) the user can only run a restricted set of functions because: (a) the function has to be user defined (b) you can manipulate $func to ensure the user isn't able to run any function he/she wants either by checking that $func is in a list of "allowed functions" or by prefixing something like user_ to the function names and the $func variable itself (This way the user can run only functions beginning with user_.

这篇关于我可以使用什么代替eval()?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！