How do I fix my "eval()'d code line: 1" problem

I keep getting

file: C:\xampp\htdocs\doit.php(45) : eval()'d code line: 1

I have searched the site and cannot find a fix that works for me. This is the code that I am using that is giving the issue:

    $ec = "\$sucrate=" . str_replace(array("LEVEL", "EXP", "WILL", "IQ"), array($player['level'], $player['exp'], $player['will'], $player['IQ']), $r['crimePERCFORM']) . ";";
    eval($ec);

dttwois6098 Yes, it looks like this: ((WILL*0.8)/2.5)+(LEVEL/4)
More than 2 years ago
duannian4784 Hmm, maybe my solution doesn't work as expected. What does $r['crimePERCFORM'] contain? Could it contain a formula that does some kind of calculation?
More than 2 years ago
du7979 I fixed the second error, thanks
More than 2 years ago
douxing8939 Now for some reason I get Parse error: syntax error, unexpected end of file in C:\xampp\htdocs\crime.php(45) : eval()'d code on line 1
More than 2 years ago
douxuanling6523 This use of eval is unnecessary; write it directly in PHP and you should be fine. For example: $sucrate=str_replace(array("LEVEL","EXP","WILL","IQ"),array($player['level'],$player['exp'],$player['will'],$player['IQ']),$r['crimePERCFORM']);
More than 2 years ago

2 Answers



The string you are building would need quotes around the str_replace'd string (and possibly another string_replace pair also to prevent quote issues).

Example:

$ec = "\$sucrate='" . str_replace(array("LEVEL", "EXP", "WILL", "IQ"), array($player['level'], $player['exp'], $player['will'], $player['IQ']), $r['crimePERCFORM']) . "';";

However, while that should fix your issue, there is almost never a good case for using eval. It will certainly leave your code vulnerable to some sort of remote execution hack no matter what "protections" you put in place that would allow anyone to run any code on your server as if it was written by you.

This would do exactly the same thing, which is just setting the $sucrate variable with your replaced values.

$sucrate = str_replace(array("LEVEL", "EXP", "WILL", "IQ"), array($player['level'], $player['exp'], $player['will'], $player['IQ']), $r['crimePERCFORM']);

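dongli4711 This did fix the error that was popping up, so now no error is shown, but the code is supposed to decide whether the player passes or fails the mission, and now they fail no matter what. Thank you anyway; I guess that is a different problem altogether, so I will look into it.
More than 2 years ago
doufei7464 Just remove the eval. I will update the answer with an example.
More than 2 years ago
douzhuozhu9544 What would you suggest I use instead?
More than 2 years ago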

I got carried away and have thought about how to improve it. This might not actually be an answer to your question, but more food for thought. I see two solutions, and both are kind of invasive.

Of course both solutions only work in all the cases if your formulas only use "variables" like in your example with ((WILL*0.8)/2.5)+(LEVEL/4). If you have more complex formulas you'd have to adapt my solutions.

Wrapping eval and not injecting all the inputs into the eval'd code

Assuming the formulas are under your control and not user-supplied you could improve your eval by not injecting all the inputs in your eval'd code but only the formula. This way you don't have to escape the inputs, you only have to make sure the formula is syntactically correct.

function calculateFormula($_vars, $_values, $_formula) {
    // This transforms your formula into PHP code which looks
    // like this: (($WILL*0.8)/2.5)+($LEVEL/4)
    $_cleanFormula = str_replace(
        $_vars,
        array_map(function($v) { return '$' . $v; }, $_vars),
        $_formula
    );

    // create the $WILL, $LEVEL, $IQ and $EXP variables in the local scope
    extract(array_combine($_vars, $_values));

    // execute the PHP-formula
    return eval('return ' . $_cleanFormula . ';');
}

// Use it like this, instead of eval
$sucrate = calculateFormula(
    array("LEVEL", "EXP", "WILL", "IQ"), 
    array($player['level'], $player['exp'], $player['will'], $player['IQ']),
    $r['crimePERCFORM']);

This still uses eval, so security-wise this would be the worst solution. But this would be the closest to what you have now.

Using Symfony's Expression Language

The more secure option would be to use something like Symfony's expression language component. Now you don't need the whole Symfony framework in your application; the expression language component can be used on its own. This could be a big change, depending on how your existing codebase looks. If you have not used composer or namespaces in your project, this change might be too big.

require_once __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

$expressionLanguage = new ExpressionLanguage();

$sucrate = $expressionLanguage->evaluate(
    $r['crimePERCFORM'],
    array(
        "LEVEL" => $player['level'],
        "EXP" => $player['exp'],
        "WILL" => $player['will'],
        "IQ" => $player['IQ'],
    )
);

As I've said this is maybe a huge change and you might have to get acquainted with composer if you don't know it already.

dsizmmwnm56437180 Wow, thanks, I am trying to use Symfony's expression language
More than 2 years ago
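
The sample formula quoted on this page, ((WILL*0.8)/2.5)+(LEVEL/4), needs only arithmetic, so it can be evaluated by a small parser that never reaches eval(). The following is an added example, not code from either answer; the function names safeFormula(), parseBinary() and parseAtom() and the sample player values are assumptions made for illustration.

```php
<?php
// Added example, not code from the answers: evaluate a formula without eval().
// safeFormula(), parseBinary() and parseAtom() are hypothetical names.
function safeFormula(string $formula, array $vars): float
{
    // Tokens: numbers, upper-case names, + - * / and parentheses; nothing else.
    preg_match_all('/\s*(\d+(?:\.\d+)?|[A-Z]+|[-+*\/()])/', $formula, $m);
    if (implode('', $m[0]) !== rtrim($formula)) {
        throw new InvalidArgumentException('Illegal character in formula');
    }
    $pos = 0;
    $value = parseBinary($m[1], $pos, $vars);
    if ($pos !== count($m[1])) throw new InvalidArgumentException('Unexpected token: ' . $m[1][$pos]);
    return $value;
}
// Precedence climbing: * and / bind tighter than + and -, all left-associative.
function parseBinary(array $t, int &$p, array $vars, int $minPrec = 1): float
{
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $lhs = parseAtom($t, $p, $vars);
    while ($p < count($t) && ($prec[$t[$p]] ?? 0) >= $minPrec) {
        $op = $t[$p++];
        $rhs = parseBinary($t, $p, $vars, $prec[$op] + 1);
        if ($op === '/' && $rhs == 0) throw new InvalidArgumentException('Division by zero');
        if ($op === '+') { $lhs += $rhs; }
        elseif ($op === '-') { $lhs -= $rhs; }
        elseif ($op === '*') { $lhs *= $rhs; }
        else { $lhs /= $rhs; }
    }
    return $lhs;
}
// atom := number | NAME | '-' atom | '(' expression ')'
function parseAtom(array $t, int &$p, array $vars): float
{
    $tok = $t[$p++] ?? '';
    if ($tok === '-') return -parseAtom($t, $p, $vars);
    if ($tok === '(') {
        $v = parseBinary($t, $p, $vars);
        if (($t[$p++] ?? '') !== ')') throw new InvalidArgumentException('Missing )');
        return $v;
    }
    if (is_numeric($tok)) return (float) $tok;
    // Variable values are only ever cast to float, never interpreted as code.
    if (is_numeric($vars[$tok] ?? null)) return (float) $vars[$tok];
    throw new InvalidArgumentException('Unknown or missing token: ' . $tok);
}
// Constructed sample values standing in for the $player row and the stored formula.
$player = ['level' => 8, 'will' => 100];
var_dump(safeFormula('((WILL*0.8)/2.5)+(LEVEL/4)', ['WILL' => $player['will'], 'LEVEL' => $player['level']]));
```

A formula containing anything outside the token set (function calls, `$`, quotes, semicolons) is rejected with an exception before any arithmetic runs, which is the property the eval-based versions cannot offer.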