dongpankao6133 2014-07-02 09:02
浏览 84
已采纳

PHP中的Eval和安全措施,创建PHP演示编辑器

I know that eval is the function in PHP to execute PHP code from an input. Now I want to make a W3Schools like editor. What can I do to protect eval code that I get from POST variable.

$code = eval($_POST["phpusercode"]);
echo $code;

What I want to do is when a user will make a function like this

I want to give user the ability to write his own PHP code on my site without making my website vulnerable to some sort of hacking.

  • 写回答

1条回答 默认 最新

  • dongpinyao2203 2014-07-02 09:10
    关注

    eval evaluates code, so, as @sectus says in comments, execute the code

    For example:

    eval ("echo 'Hello user'"); //This will execute echo 'Hello user'

    So, in your case i think you don't want to execute your user code, so please carify your question and update it.

    IMPORTANT:

    • Use of eval is highly discouraged
    • NEVER EVER use eval with params by POST/GET without sanitize them

    Useful links:

    When eval is evil

    Avoid SQL injection

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何修改pca中的feature函数
  • ¥20 java-OJ-健康体检
  • ¥15 rs485的上拉下拉,不会对a-b<-200mv有影响吗,就是接受时,对判断逻辑0有影响吗
  • ¥15 使用phpstudy在云服务器上搭建个人网站
  • ¥15 应该如何判断含间隙的曲柄摇杆机构,轴与轴承是否发生了碰撞?
  • ¥15 vue3+express部署到nginx
  • ¥20 搭建pt1000三线制高精度测温电路
  • ¥15 使用Jdk8自带的算法,和Jdk11自带的加密结果会一样吗,不一样的话有什么解决方案,Jdk不能升级的情况
  • ¥15 画两个图 python或R
  • ¥15 在线请求openmv与pixhawk 实现实时目标跟踪的具体通讯方法