What to use as array_import / var_import to sort out exported arrays?
I have a string. It's a user submitted string. (And you should never ever trust user submitted anything.)

If certain (not unsafe) characters exist in the string, it's supposed to become a multi-dimensional array/tree. First I tried splits, regex and loops. Too difficult. I've found a very easy solution with a few simple str_replace's and the result is a string that looks like an array definition. Eg:

array('body', array('div', array('x'), array(), array('')), array(array('oele')))

It's a silly array, but it's very easily created. Now that string has to become that array. I'm using eval() for that and I don't like it. Since it's user submitted (and must be able to contain just about anything), there could be any sort of function calls in that string.

So the million dollar question: is there some kind of var_import, or array_import that creates an array from a string and does nothing else (like mysterious, dangerous calls to exec etc)?

Yes, I have tried php.net and neither of the above _import functions exist.

What I'm looking for is the exact opposite of var_import, because the string I have as input looks exactly like the string var_export would output.

Any other suggestions to make it safer than eval are also welcome! But I'm not abandoning the current method (it's just too simple).
Comments (1)
Using as input, I replaced some chars to make it a valid JSON string and imported that via json_decode. Works perfectly. If some illegal chars are present, json_decode will trip over them (and not execute any dangerous code).
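The approach from the comment above, written out as an added example (not code from the original post): the var_export-style string is rewritten into JSON and parsed with json_decode(), which is a pure data parser and cannot call functions. The accepted grammar is an assumption: list-only array(...) nesting with single-quoted literals made of letters, digits and underscores, as in the question's sample.

```php
<?php
// Added example, not code from the original post: turn a var_export-style,
// list-only nested array string into a real PHP array with json_decode()
// instead of eval(). The accepted grammar is an assumption: the word
// "array", parentheses, commas, whitespace and single-quoted literals of
// letters, digits and underscores, exactly as in the question's sample.

function arrayStringToArray(string $input, int $maxDepth = 32): ?array
{
    // Whitelist the characters before rewriting anything. An identifier such
    // as exec(...) survives this check, but it can never become valid JSON.
    if (!preg_match('/\A[A-Za-z0-9_\'(), ]*\z/', $input)) {
        return null;
    }

    // Rewrite PHP array syntax into JSON array syntax:
    //   array(  ->  [      )  ->  ]      'text'  ->  "text"
    // The quote swap is safe only because the whitelist above excludes
    // double quotes and backslashes, so no JSON escape can be forged.
    // (Parentheses inside a literal are rewritten too; they stay data.)
    $json = str_replace(['array(', ')', "'"], ['[', ']', '"'], $input);

    // json_decode() only builds data: a leftover identifier or call is a
    // syntax error, and $maxDepth bounds the nesting a user can force.
    $decoded = json_decode($json, true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null;
    }
    return $decoded;
}

// The question's sample string, decoded without eval().
$sample = "array('body', array('div', array('x'), array(), array('')), array(array('oele')))";
var_dump(arrayStringToArray($sample));

// A string smuggling a function call, as the question fears: rejected.
var_dump(arrayStringToArray("array(exec('anything'))"));
```

The second call returns null because the rewritten text is not valid JSON, so nothing in the user string is ever executed.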