When do you have to use eval() because there is no other choice?

Posted 2024-09-17 05:31:40


I know eval should be avoided in JavaScript for speed and security reasons. But in the case of PHP, rarely is security ever mentioned. More often, it's your program running slower than it should because of a haphazard use of eval.

In what specific situations should you use eval because there is no other way around it?

For clarity:

We're not talking about user-supplied data. So the question is focused on pure and fully-controlled server-side valid use of eval.


Comments (5)

花开半夏魅人心 2024-09-24 05:31:40


The security problems of eval-uating code with eval in PHP are the same as in Javascript: if you evaluate some code, you've got to be sure where it comes from, and what it contains.

The security implications might even be greater, as PHP has access to your database (amongst other things) -- which means it can be used to steal/corrupt almost every piece of information your application relies on!

In Javascript, they say that "eval is evil"; it's probably as true in PHP as it is in Javascript.

Now, about specific situations in which you cannot avoid using eval... Well, in something like 4 years of developing in PHP as my every-day job, I don't remember having ever used eval in my own code ^^

Still, an example of a situation where you need eval would be when you are storing some code in a database, for instance, and not caching it in files (which could be included) -- that happens with some CMSes that allow portions of PHP code to be typed in the administration section, for instance.

洋洋洒洒 2024-09-24 05:31:40


Eval and create_function may allow arbitrary code injection. There are a lot of things in PHP that can be used to compromise the security of your application.

We tell kids not to play with knives and matches - but these are useful (if not essential) tools when used correctly. So it is with a lot of PHP's functionality. There's nothing intrinsically wrong with using the functionality as long as you understand exactly what you are doing.

But a discussion of programming languages at such an abstract level is not what StackOverflow is about.

C.

池木 2024-09-24 05:31:40


"I know eval should be avoided in JavaScript for speed and security reasons. But in the case of PHP, rarely is security ever mentioned. More often it's your program running slower than it should because of haphazard use of eval."

eval is evil in PHP too.

"In what specific situations should you use eval() because there is no other way around it?"

First of all, we try to avoid it as much as possible, but if you do have to use it for executing some code, then you will have to go with it; but, as said, it is evil, and you use it at your own risk.

Bottom line:

Never, at any rate, allow user input to be run with eval. (Unless you know what you are doing/risking.)

奶气 2024-09-24 05:31:40


If you want to use anonymous functions prior to PHP 5.3, you need to use create_function, which wraps an eval() call.

北城孤痞 2024-09-24 05:31:40


I completely agree with previous answers on the point that eval is evil, and I never use it in my code.

But in one situation I haven't managed to avoid eval. I don't have much experience in PHP, so I will be glad if someone advises me how I can rewrite the code without eval. In that situation I had a class name stored in a variable, and I had to call a static method on that class; the class name came from a trusted source, so I had to write something like this:

eval("\$result = $className::methodName();");

(because you cannot just write $className::methodName() );
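The static call on a variable class name that this answer reaches for eval() to do can be written directly in PHP 5.3 and later, and via call_user_func() before that. The following is an added example, not code from the original answer; the exporter classes and the allowlist are constructed for illustration.

```php
<?php
// Added example (not from the original answers): calling a static method on a
// class whose name arrives in a variable, without eval(). The two exporter
// classes and the allowlist below are constructed for illustration.
declare(strict_types=1);

final class ReportExporter  { public static function methodName(): string { return 'report'; } }
final class InvoiceExporter { public static function methodName(): string { return 'invoice'; } }

/**
 * Dispatch to $className::methodName() using a static call on a variable
 * class name (valid since PHP 5.3) instead of building source text for eval().
 *
 * Even when the name comes from a "trusted" source (a config table, say), it
 * is checked against an explicit allowlist so that a typo or a tampered row
 * cannot reach an arbitrary class with file-system or database side effects.
 */
function callExporter(string $className): string
{
    // Only these classes are legitimately dispatchable from here.
    static $allowed = [ReportExporter::class, InvoiceExporter::class];

    if (!in_array($className, $allowed, true)) {
        throw new InvalidArgumentException("Unknown exporter: $className");
    }
    if (!method_exists($className, 'methodName')) {
        throw new LogicException("$className::methodName() does not exist");
    }

    // Direct variable-class static call; no source text is built or parsed.
    $result = $className::methodName();

    // Equivalent form that also works on PHP older than 5.3, still without eval():
    // $result = call_user_func([$className, 'methodName']);

    return $result;
}

// Usage: the same $className variable as in the original answer.
$className = 'InvoiceExporter';
echo callExporter($className), PHP_EOL;          // invoice

try {
    callExporter('SomeOtherClass');              // not on the allowlist: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Because the class name is never interpolated into source text, a bad value fails at the allowlist or at method_exists() with an exception, rather than being parsed and executed as code.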
