When (if ever) is eval NOT evil?
Question
I've heard many places that PHP's eval function is often not the answer. In light of PHP 5.3's LSB and closures (http://php.net/manual/en/functions.anonymous.php) we're running out of reasons to depend on eval or create_function.
Are there any conceivable cases where eval is the best (only?) answer in PHP 5.3?
This question is not about whether eval is evil in general, as it obviously is not.
Summary of answers:
- Evaluating numerical expressions (or other "safe" subsets of PHP)
- Unit testing
- Interactive PHP "shell"
- Deserialization of trusted var_export
- Some template languages
- Creating backdoors for administrators and/or hackers
- Compatibility with < PHP 5.3
- Checking syntax (possibly not safe)
Recommended answer
Eric Lippert sums eval up over three blog posts. It's a very interesting read.
As far as I'm aware, the following are some of the only reasons eval is used.
For example, when you are building up complex mathematical expressions based on user input, or when you are serializing object state to a string so that it can be stored or transmitted, and reconstituted later.
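The "numerical expressions" case from the summary and the answer above, as an added example that is not part of the original question or answer: user input reaches eval only after PHP's own tokenizer confirms it contains nothing but numbers, whitespace and arithmetic operators. It assumes PHP 8.0+ with the tokenizer extension; safe_numeric_eval() is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Added example. Assumes PHP 8.0+; safe_numeric_eval() is a hypothetical name.
function safe_numeric_eval(string $expr): int|float
{
    if (strlen($expr) > 200) {
        throw new InvalidArgumentException('expression too long');
    }
    $allowedIds   = [T_WHITESPACE, T_LNUMBER, T_DNUMBER];
    $allowedChars = ['+', '-', '*', '/', '(', ')'];

    // Lex with PHP's own tokenizer so the check sees exactly what eval() will
    // see. The first token is the "<?php " open tag we prepended; skip it.
    foreach (array_slice(token_get_all('<?php ' . $expr), 1) as $tok) {
        $ok = is_array($tok)
            ? in_array($tok[0], $allowedIds, true)   // named tokens: numbers, whitespace
            : in_array($tok, $allowedChars, true);   // single-character tokens
        if (!$ok) {
            $text = is_array($tok) ? $tok[1] : $tok;
            throw new InvalidArgumentException("token not allowed: $text");
        }
    }

    try {
        $value = eval('return ' . $expr . ';');
    } catch (Throwable $e) {
        // ParseError, DivisionByZeroError, "value not callable" for "(1)(2)", ...
        throw new InvalidArgumentException('invalid expression: ' . $e->getMessage());
    }
    if (!is_int($value) && !is_float($value)) {
        throw new InvalidArgumentException('expression did not yield a number');
    }
    return $value;
}

// Constructed sample inputs: two valid expressions, then inputs that must be refused.
foreach (['(1 + 2) * 3.5', '10 / 4', 'phpinfo()', '1 /* c */ + $x', '1 . 2', '1 / 0'] as $input) {
    try {
        printf("%-16s => %s\n", $input, var_export(safe_numeric_eval($input), true));
    } catch (InvalidArgumentException $e) {
        printf("%-16s => rejected (%s)\n", $input, $e->getMessage());
    }
}
```

Identifiers, variables, strings, comments, backticks and the concatenation operator all lex to tokens outside the allowlist, so they are refused before eval runs.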