如何将 PHP 字符串作为变量求值?

发布于 2024-09-14 14:27:59 字数 708 浏览 9 评论 0原文

我有一个名为 $data["main_deal"] 的变量,其值为 $xml->deals->deal[0] (作为字符串)。 $xml 是一个 simpleXML 对象,main_deal 的值是访问我想要的数据所需的选择器。

当我尝试 echo "

Main Deal: ".$data["main_deal"]; 时,它输出:Main Deal: $xml->deals->deal[0]

所以我回到了给 $data["main_deal"] 赋值的地方,并添加了 eval()。输出现在是空白的。当我调用 $data["main_deal"] 时,我希望它输出 $xml->deals->deal[0] 的值,而不是 "$ xml->交易->交易[0]”。我该怎么做?

编辑: 这是我用来加载 $data 的代码:

foreach($vars as $var) {
$data[$var] = $devOptions[$var];
}

$devOptions[$var] 包含一个字符串,例如“$xml->deals->deal[0]”。

I have a variable named $data["main_deal"] that has the value $xml->deals->deal[0] (as a string). $xml is a simpleXML object, and the value of main_deal is the selector needed to access the data I want.

When I tried echo "<p><b>Main Deal:</b> ".$data["main_deal"]; it output: Main Deal: $xml->deals->deal[0]

So I went back to where I gave $data["main_deal"] its value, and added eval(). The output is now blank. When I call $data["main_deal"], I want it to output the value of $xml->deals->deal[0], not "$xml->deals->deal[0]". How do I do this?

EDIT:
Here is the code I am using to load $data:

foreach($vars as $var) {
$data[$var] = $devOptions[$var];
}

$devOptions[$var] holds a string such as "$xml->deals->deal[0]".

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

吝吻 2024-09-21 14:27:59
eval('return '.$data['main_deal'].';');
eval('return '.$data['main_deal'].';');
陌上青苔 2024-09-21 14:27:59

请注意,使用 eval 非常危险,甚至会导致疯狂。如果有人以某种方式将 $data['main_deal'] 设置为 exec("rm -rf .")mysql_query('drop table users') 会怎样?代码>.为了确保安全,您必须绝对确定该字符串不会受到任何方式的污染。这并非易事,因为大多数过滤器都是为了防止 XSS 注入,而不是此类攻击。

我并不是想成为一个混蛋,我知道你只是想完成工作,但我认为这还不够紧张。


我注意到您在评论中提出了这样的问题:

这有意义吗,或者有更好的方法吗?

很有可能有更好的方法来做到这一点,但是如果不了解更多关于 XML 和用户需求的信息,就很难说。您说过示例选择可能是 $xml->deals->deal[0]。用户是否只需要能够选择该交易的索引?例如,您可以让他们从下拉列表中选择要选择的交易吗?然后你可以只存储他们想要的整数,并且访问该数据将更加安全和简单,启动。

如果他们需要更多的控制,也许你可以给他们一些下拉菜单来帮助他们构建所需元素的“路径”。例如:

[ Element 1 (v)]  [ Element 2 (v)] [ Field (v)]
 | Deals       |   | Deal        |  | 0       |
 | Steals      |   | Steal       |  | 1       |
 | Wheels      |   | Wheel       |  |_________|
 |_____________|   |_____________|

然后在您的代码中

 $array_of_valid_element1 = array ('Deals', 'Steals', 'Wheels');

 if(
    in_array($_POST['element1'], $array_of_valid_element1)
    &&
    in_array($_POST['element2'], $array_of_valid_element2)
    &&
    in_array($_POST['element3'], $array_of_valid_element3)
 )
 {
     echo $xml->$_POST['element1']->$_POST['element2'][$_POST['element3'];
 }

您可以看到额外的验证来自哪里!通过检查每个元素,您可以确保用户只做他们明确允许做的事情。

我希望这能给您一些想法或帮助您重新考虑是否采取了最佳方法。如果您想就此获得更多意见,请随时提出另一个问题。这并不简单,但这就是它的乐趣!

Please be aware that using eval is dangerous to the point of insanity. What if someone somehow sets $data['main_deal'] to exec("rm -rf .") or mysql_query('drop table users'). You must be absolutely certain that this string cannot be tainted in any way for this to be safe. This is non-trivial, as most filters are geared toward preventing XSS injection, and not this type of attack.

I don't mean to be a jerk, I realize you're just trying to get a job done, but I don't think this can be stressed enough.


I noticed in the comments you asked the question:

Does this make sense, or is there a better way to do it?

There's a good chance there is a better way to do it, but without knowing more about your XML and what your users need, it's difficult to say. You said an example selection might be $xml->deals->deal[0]. Do users just need to be able select the index of that deal? E.g., could you just let them choose from a dropdown which deal to select? Then you could just store the integer they want, and accessing that data would be much safer and simpler, to boot.

If they need more control than that, maybe you could give them a few dropdowns to help them build the "path" to the needed element. For example:

[ Element 1 (v)]  [ Element 2 (v)] [ Field (v)]
 | Deals       |   | Deal        |  | 0       |
 | Steals      |   | Steal       |  | 1       |
 | Wheels      |   | Wheel       |  |_________|
 |_____________|   |_____________|

Then in your code

 $array_of_valid_element1 = array ('Deals', 'Steals', 'Wheels');

 if(
    in_array($_POST['element1'], $array_of_valid_element1)
    &&
    in_array($_POST['element2'], $array_of_valid_element2)
    &&
    in_array($_POST['element3'], $array_of_valid_element3)
 )
 {
     echo $xml->$_POST['element1']->$_POST['element2'][$_POST['element3'];
 }

You can see where the extra validation comes in! By checking against each element, you make sure the user is only doing things they're explicitly allowed to do.

I hope this gives you some ideas or helps you reconsider whether you're taking the best approach. Feel free to ask another question if you'd like more input on this. It's not simple, but that's what makes it fun!

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文