通过 AJAX 评估 PHP
我有什么和想要做什么
我有一个
输入区域。我有一个 JS 脚本,它读取
输入区域的innerHTML并使用encodeURICompontent对其进行编码,然后将值发送到evaluate.php?code=+value;我有一个
evaluate.php,GET是来自URL的code的值,并使用返回一个评估值>eval($code)到 javascript。最后,它将
xmlHttp.responseText放入div中。
但是执行 eval 时出现此错误:
解析错误:语法错误,意外的“””,在 /Applications/MAMP/htdocs/Apps/editor/includes/exe.php(5) 中期待 T_STRING:第 1 行的 eval() 代码
Evaluate.php< /strong>
if(isset($_GET["code"])){
$e = $_GET["code"];
echo eval($e);
}
我尝试评估的值只是:
echo "Hello World!";
那么这在 $_GET["code"] 中看起来像:
echo \"Hello World!\";
What I have and want to do
I have an
input area.I have a JS script what reads the
input area'sinnerHTMLand encodes it usingencodeURICompontentthen sends the value toevaluate.php?code=+value;I have an
evaluate.phpwhatGET's thecode's value from the URL and returns an evaluated value usingeval($code)to the javascript.And at the end it puts the
xmlHttp.responseTextto adiv.
But I get this error when the eval is executed:
Parse error: syntax error, unexpected '"', expecting T_STRING in /Applications/MAMP/htdocs/Apps/editor/includes/exe.php(5) : eval()'d code on line 1
Evaluate.php
if(isset($_GET["code"])){
$e = $_GET["code"];
echo eval($e);
}
The value what I try to evaluate is just:
echo "Hello World!";
Then this is looks like in $_GET["code"] as:
echo \"Hello World!\";
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
根据 PHP 的文档:
所以我认为运行
echo eval($e)时可能会出现问题。PS 最好不要在 PHP 中使用双引号,除非这些引号中包含变量。例如,使用
"Hello, $name"并使用'Hello, Bob'。According to PHP's documentation:
So I think there may be a problem when you run
echo eval($e).P.S. It's best practice not to use double quotes in PHP unless a variable is contained within those quotes. For example, use
"Hello, $name"and use'Hello, Bob'.显然,您要评估的字符串中有错误。先尝试输出一下,看看有没有半柱之类的东西。
但你永远不应该(!)评估从 URL 获得的代码!永远永远,任何人都可以发送“exec('rm -rf /')”。
Obviously you have an error in a string you are tying to evaluate. Try to output it first and see if it has semi columns and things like that.
But you should never (!) evaluate code you get from URL! Never-never, anyone can send "exec('rm -rf /')".
回答这个问题我感觉很糟糕。在您的 PHP 设置中,可能会启用
magic_quotes_gpc,这会通过转义来“破坏”您的传入数据。为了让它正常工作,您可能想通过禁用魔术引号来给您的事业增加一点不安全感。
如果这不能解决问题,请按照 Silver Light 的建议调试您的输入。
I feel terrible answering this. In your PHP settings,
magic_quotes_gpcmight be enabled which "corrupts" your incoming data by escaping it.In order to get it working, you might want to add a little more insecurity to your undertaking by disabling magic quotes.
If that doesn't fix it, debug your input by following Silver Light's suggestions.