* eval() and create_function()
* 1. eval()
*    1. The eval() function evaluates the string as PHP code
*    2. The string must be valid PHP code and must end with a semicolon
*    3. If no return statement is called in the code string, eval() returns NULL
*    4. If there is a parse error in the code, the eval() function returns false
*    5. This function is useful for storing code in a database text field for later evaluation
* 2. create_function('parameters', 'function body code'): creates an anonymous function
//The following two statements produce exactly the same output
eval('echo 4+5;'); //outputs 9
echo eval('return 4+5;'); //returns 9 and displays it on the screen
//Although the two statements above produce the same output, their return values are not the same
//So, if you want to use the eval() return value, the evaluated code must use return
var_dump(eval('echo 4+5;')); //returns NULL
var_dump(eval('return 4+5;')); //returns 9
//eval() injection attack demonstration
isset($_GET['p']) ? eval($_GET['p']) : null;
//Now append ?p=phpinfo(); or any other valid PHP statement to the URL; it is executed directly and the injection succeeds
//An attacker can use this to inject advertisements, redirect addresses, etc., for malicious purposes
//Use create_function() to create an anonymous function
//Because this function has been deprecated, some editors will give warnings, so there is little point in saying more
//It is enough to know that this function once existed
$func1 = create_function('$a,$b', 'return ($a+$b);');
echo $func1(10,20);
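A hardened counterpart to the two snippets above (the eval($_GET['p']) demonstration and the create_function() call), added here as an example and not part of the original page: the request only selects a predefined closure by name and supplies validated numeric operands, so no request text is ever compiled as PHP. The names $operations and handleRequest() and the query parameters op, a and b are assumptions made for the illustration; arrow functions require PHP 7.4 or later.

```php
<?php
// Added example, not from the original page. $operations, handleRequest()
// and the parameters op/a/b are hypothetical names chosen for illustration.

// Closures replace create_function(), which was deprecated in PHP 7.2,
// removed in PHP 8.0, and performed an eval() internally. A closure body is
// compiled with the file and is never assembled from a string at run time.
$operations = [
    'add' => fn(float $a, float $b): float => $a + $b,
    'sub' => fn(float $a, float $b): float => $a - $b,
    'mul' => fn(float $a, float $b): float => $a * $b,
];

/**
 * Replacement for eval($_GET['p']): the request names an operation and
 * supplies operands; nothing taken from the request is executed as code.
 */
function handleRequest(array $query, array $operations): string
{
    $op = $query['op'] ?? '';
    // Allowlist lookup: only keys defined in $operations can be invoked.
    if (!is_string($op) || !array_key_exists($op, $operations)) {
        return 'rejected: unknown operation';
    }
    // Operands must parse as numbers; arrays and code-like strings yield false.
    $a = filter_var($query['a'] ?? null, FILTER_VALIDATE_FLOAT);
    $b = filter_var($query['b'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($a === false || $b === false) {
        return 'rejected: operands must be numbers';
    }
    return (string) $operations[$op]($a, $b);
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['op' => 'add', 'a' => '4', 'b' => '5'],          // valid request
    ['p' => 'phpinfo();'],                            // the payload from the demo above
    ['op' => 'add', 'a' => '4', 'b' => 'phpinfo()'],  // code-like operand
    ['op' => 'system', 'a' => '1', 'b' => '2'],       // name outside the allowlist
];

foreach ($samples as $query) {
    echo http_build_query($query), ' => ', handleRequest($query, $operations), PHP_EOL;
}
```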