从 mysql 查询返回的 PHP eval() 代码*不工作*
如果我采取并做这样的事情:
$p = 10;
$n = 3;
$evalstr = "\$f = 0.99 + ((.025 * \$p) * \$n);";
eval($evalstr);
echo $f;
我显示 1.74,没有错误,一切都很好,但是当我有一个 mysql 表保存这些方程时(就本例而言,它是完全相同的方程)...就像所以:
$p = 10;
$n = 3;
while ($result = mysql_fetch_assoc($results)) {
$math = $result['math'];
//at this point $math = "\$f = 0.99 + ((.025 * \$p) * \$n);"
eval($math);
}
我得到解析错误:语法错误,意外的T_VARIABLE,在ajax \ getprices.php(30)中期待T_STRING:第1行的eval()代码
不确定为什么,如果我打印echo $math 与我在第一个示例中的 $evalstr 相同。 $p 和 $n 实际上是从 GET 变量设置的,但即使我像示例中那样手动设置它们,它也不起作用。
if i take and do something like this:
$p = 10;
$n = 3;
$evalstr = "\$f = 0.99 + ((.025 * \$p) * \$n);";
eval($evalstr);
echo $f;
I get 1.74 displayed, no errors everything is fine, but when I have a mysql table that holds these equations (for the purpose of this example, it is the exact same equation)...like so:
$p = 10;
$n = 3;
while ($result = mysql_fetch_assoc($results)) {
$math = $result['math'];
//at this point $math = "\$f = 0.99 + ((.025 * \$p) * \$n);"
eval($math);
}
I get Parse error: syntax error, unexpected T_VARIABLE, expecting T_STRING in ajax\getprices.php(30) : eval()'d code on line 1
Unsure as to why, if i print of echo $math is it identical to what I have as $evalstr in the first example. $p and $n are actually set from GET variables but even if I set them manually as in the example it does not work.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在我看来,您在数据库中存储了包含转义 $ 的表达式。如果可行的话,您可以尝试一下,如果您首先删除斜杠:
我也建议非常小心地将此类代码存储在数据库中并使用eval来执行它。这里可能存在安全漏洞。但我想,你知道这一点。
It seems to me, that you stored the expression including the escaped $ in the database. You might try, if it works, if you first remove the slashes:
I too would recommend to be very careful with storing such code in a database and using eval to execute it. There is potential for security holes here. But i assume, you know this.
我明白了,似乎在将 eval 代码定义为变量时,我必须转义 $,但是当将其作为变量从 mysql 中提取时,如果我转义 $,它就可以工作
I got it, seems when defining the eval code as a variable I have to escape the $ but when pulling it from mysql as a variable it works if i unescape the $