这行代码有什么意义呢?
我在administrator/components/com_virtuemart/classes/ps_product.php的第2136行的Joomla Virtuemart插件中找到了这行代码
eval ("\$text_including_tax = \"$text_including_tax\";");
I found this line of code in the Virtuemart plugin for Joomla on line 2136 in administrator/components/com_virtuemart/classes/ps_product.php
eval ("\$text_including_tax = \"$text_including_tax\";");
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
废弃我之前的答案。
这个 eval() 出现在这里的原因在 php eval 文档 中显示,
这就是发生的事情
:此
$text_include_tax
的末尾等于:单引号可防止将
$tax
包含在字符串的原始定义中。 通过使用eval()
,它会强制它重新计算字符串并将$tax
的值包含在字符串中。我不喜欢这种特殊方法,但它是正确的。 另一种方法是使用 sprintf()
Scrap my previous answer.
The reason this eval() is here is shown in the php eval docs
This is what's happening:
At the end of this
$text_including_tax
is equal to:The single quotes prevents
$tax
being included in the original definition of the string. By usingeval()
it forces it to re-evaluate the string and include the value for$tax
in the string.I'm not a fan of this particular method, but it is correct. An alternative could be to use
sprintf()
这段代码似乎是强制
$text_include_tax
成为字符串的糟糕方法。它不好的原因是因为 if
$text_include_tax
可以包含用户输入的数据,他们就有可能执行任意代码。例如,如果
$text_include_tax
设置为等于:eval 将变为:
向恶意用户提供 passwd 文件的转储。
更正确的方法是将变量转换为 string:
甚至只是:
如果数据
$text_include_tax
只是内部变量或包含已验证的内容,则不存在安全风险。 但这仍然是一种将变量转换为字符串的糟糕方法,因为有更明显、更安全的方法可以做到这一点。This code seems to be a bad way of forcing
$text_including_tax
to be a string.The reason it is bad is because if
$text_including_tax
can contain data entered by a user it is possible for them to execute arbitrary code.For example if
$text_include_tax
was set to equal:The eval would become:
Giving the malicious user a dump of the passwd file.
A more correct method for doing this would be to cast the variable to string:
or even just:
If the data
$text_include_tax
is only an internal variable or contains already validated content there isn't a security risk. But it's still a bad way to convert a variable to a string because there are more obvious and safer ways to do it.我猜测这是强制 $text_include_tax 成为字符串而不是数字的一种时髦方式。
I'm guessing that it's a funky way of forcing $text_including_tax to be a string and not a number.
也许这是尝试将变量转换为字符串? 只是一个猜测。
Perhaps it's an attempt to cast the variable as a string? Just a guess.
您将需要评估才能将税率输入到输出中。 刚刚将其移至新服务器,由于某种原因,该行导致服务器错误。 作为快速修复,我将其更改为:
You will need the eval to get the tax rate into the output. Just moved this to a new server and for some reason this line caused a server error. As a quick fix, I changed it to:
它将字符串评估为 PHP 代码。
但它似乎让一个变量等于它自己? 诡异的。
It is evaluating the string as PHP code.
But it seems to be making a variable equal itself? Weird.
正如其他人指出的那样,这是由不知道自己在做什么的人编写的代码。
我还快速浏览了代码,发现在放置 HTML/URI 等时完全没有文本转义。 一起。 如果您愿意正确审核的话,除了评估问题之外,这里可能还可以找到许多注入漏洞。
我不希望这段代码在我的服务器上运行。
As others have pointed out, it's code written by someone who doesn't know what on earth they're doing.
I also had a quick browse of the code to find a total lack of text escaping when putting HTML/URIs/etc. together. There are probably many injection holes to be found here in addition to the eval issues, if you can be bothered to audit it properly.
I would not want this code running on my server.
我之前已经浏览过该代码库。 这是我见过的最糟糕的 PHP 之一。
我想你会做这种事情来掩盖你在其他地方犯的错误。
I've looked through that codebase before. It's some of the worst PHP I have seen.
I imagine you'd do that kind of thing to cover up mistakes you made somewhere else.
不,它是这样做的:
说
$text_include_tax
= "flat"。 此代码计算以下行:$flat = "flat";
这不一定很好,但我确实使用过这样的技术一次将所有 MySQL 变量吸收到一个数组中,如下所示:
No, it's doing this:
Say
$text_including_tax
= "flat". This code evaluates the line:$flat = "flat";
It isn't necessarily good, but I did use a technique like this once to suck all the MySQL variables in an array like this: