PHP 给变量赋值时出现 eval 错误
我有一些 PHP 代码(用于我的 CMS(不是 drupal)的模块功能,它允许人们查看页面、评论、论坛帖子、博客帖子等...):
if(isset($_GET["m"]))
{
//Does the module exist and activated, and has it a function called view?
if(isset($module_exists[$_GET["m"]]) && method_exists($_GET["m"], "view"))//Yep
{
//Load view (should be an array)
eval("$module_view = ".$_GET["m"]."::view();");
if(!is_array($module_view))//Not an array :(
{
error::e500module($_GET["m"], $_SERVER["REQUEST_URI"]);
}
}
else//Nope, so display error
{
error::e404($_SERVER['REQUEST_URI']);
}
}
现在,我在解析页面时收到此错误:
Notice: Undefined variable: module_view in C:\wamp\www\SYSTEM\start.php on line 34
Parse error: parse error in C:\wamp\www\SYSTEM\start.php(34) : eval()'d code on line 1
Notice: Undefined variable: module_view in C:\wamp\www\SYSTEM\start.php on line 35
但是当我这样做时:
eval("print_r(".$_GET["m"]."::view());");
而不是:
eval("$module_view = ".$_GET["m"]."::view();");
我没有收到任何错误,而只是打印了数组。 有谁知道我做错了什么? 我不明白。 我知道,请不要告诉我 eval() 不安全。
谢谢。
I have a bit of PHP code (for the module feature of my CMS (not drupal) which allows people to view pages, comments, forum posts, blog posts, etc...):
if(isset($_GET["m"]))
{
//Does the module exist and activated, and has it a function called view?
if(isset($module_exists[$_GET["m"]]) && method_exists($_GET["m"], "view"))//Yep
{
//Load view (should be an array)
eval("$module_view = ".$_GET["m"]."::view();");
if(!is_array($module_view))//Not an array :(
{
error::e500module($_GET["m"], $_SERVER["REQUEST_URI"]);
}
}
else//Nope, so display error
{
error::e404($_SERVER['REQUEST_URI']);
}
}
Now, I get this errors when parsing the page:
Notice: Undefined variable: module_view in C:\wamp\www\SYSTEM\start.php on line 34
Parse error: parse error in C:\wamp\www\SYSTEM\start.php(34) : eval()'d code on line 1
Notice: Undefined variable: module_view in C:\wamp\www\SYSTEM\start.php on line 35
But when I do:
eval("print_r(".$_GET["m"]."::view());");
instead of:
eval("$module_view = ".$_GET["m"]."::view();");
I don't get any error, but simply the array printed. Does anyone know what I do wrong? I don't understand it. Please don't tell me that eval() is not safe, I know.
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
你永远不应该做任何评估。 这是执行此操作的正确方法:
但即使在这里,您也应该有一个数组,并在执行包含它的任何代码之前检查 $class 是否是授权模块,因为它是用户输入,并且用户输入不可信:
所以您知道,您的错误是因为您必须在 eval 中转义变量:
否则在将其作为字符串提供给 eval() 之前对其进行评估。
You should never do any eval. Here is the correct way to do this:
But even here, you should have an array and check that $class is an authorized module before executing any code containing it, as it's user input and user input can't be trusted:
Just so you know, your error is because you have to escape your variable in the eval:
Else it's evaluated before it's given as a string to the eval().
您可以使用
call_user_func()而不是 eval()请参阅文档以了解 < a href="http://php.net/manual/en/language.pseudo-types.php" rel="nofollow noreferrer">回调伪类型
You could use
call_user_func()instead of eval()See the docs for the callback pseudo-type