如何在没有 eval 的情况下输出这些动态数据?
我一直在用 MVC 风格编写 CMS,并使用模板类通过 file_get_contents 提取所需的各种文件
最后我
eval('?>'.($template).'<?');
知道 eval 是邪恶的,我怎样才能刷新这些数据,以便 PHP 实际呈现代码?
目前,一旦所有内容都已加载,Template 类就会执行此操作。 Template 类是否可以将此代码作为变量返回到我的index.php,然后运行某些内容以使其执行?
我遇到的每个编写 MVC 风格站点的示例都使用 eval 来解决问题。
另一个相关问题 - 我知道 eval 可用于运行恶意用户输入的代码,但其他函数不会遭受同样的命运吗?如果我将任何用户内容转换为 html 实体,这不会克服这个问题吗?
我的方法很可能是有缺陷的,但它遵循我一直在阅读的示例,这就是为什么我渴望看到另一种避免 eval 的方法。
我确实找到了这个片段,它实现了同样的事情:
function interpolate( $string ){
foreach ($GLOBALS as $name => $value){
$string = str_replace( '$'.$name, $value, $string );
}
$string = preg_replace( '/[$]\\w+/', '', $string );
return $string;
}
这通过用正确的内容替换变量来有效地呈现所有代码。
I've been writing a CMS in MVC style and have used a Template class to pull in the various files required via file_get_contents
At the end I do
eval('?>'.($template).'<?');
Knowing that eval is evil, how can I alternatively flush this data so the PHP actually renders the code?
At the moment the Template class does this once everything's been loaded. Is it possible for the Template class to return this code to my index.php as a variable and then run something to make it execute?
Every example of coding an MVC style site I've come across uses eval to solve the problem.
An additional related question - I understand eval can be used to run malicious user-inputted code, but wouldn't some other function suffer the same fate? If I turn any user content into html entities, wouldn't this overcome this?
Quite possibly my method is flawed, but it follows the examples I've been reading, which is why I'm keen to see another method that avoids eval.
I did just find this snippet which achieves the same thing:
function interpolate( $string ){
foreach ($GLOBALS as $name => $value){
$string = str_replace( '
This effectively renders all the code by replacing the variables with their correct content.
.$name, $value, $string );
}
$string = preg_replace( '/[$]\\w+/', '', $string );
return $string;
}
This effectively renders all the code by replacing the variables with their correct content.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在我的模板中,我使用输出缓冲来捕获包含的脚本。包含的代码就像任何其他包含的文件一样运行。伪:启动缓冲区、包含文件、捕获缓冲区、擦除缓冲区。这是一个简短的示例:
运行后,
$template_output
在运行其中的任何代码后将由包含的文件输出任何内容。这允许我在处理“视图”时使用循环和变量等。但请注意,这是在我的个人网站上使用的,我是唯一对模板文件进行更改的人。我不允许其他人编辑模板文件,因为那将是愚蠢可笑的。
in my templates I use output buffering to capture a script that is included. the included code is run just like any other included file. pseudo: start buffer, include file, capture buffer, erase buffer. here is a short example:
After that runs,
$template_output
would have anything output by the included file after it has run any code inside. This allows me to use loops and vars and such when processing a 'view'.Please note though, this is used on my personal site where I am the only one making changes to the template files. I do not allow anyone else to edit the template files as that would be ridiculously dumb.