This article brings you a detailed introduction (code example) about assert and eval in php. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you. .
assert Determines whether an expression is true. Return true or false;
<?php $s = 123; assert("is_int($s)"); ?>
From this example you can see that the string parameter will be executed, which is similar to eval().
But eval($code_str) only executes $code_str that conforms to the PHP coding specification.
eval(): This function is useful for storing code in a database text field for later calculations. (It is also recommended to use less in production)
Note: 1. eval() must be a string;
2. The quotes in eval() must be double quotes, because single quotes cannot parse characters The variable $str in the string;
eval definition and usage:
(1)eval() function calculates the string according to the PHP code (calculation = execution).
(2)The string must be legal PHP code and must end with a semicolon.
(3) If the return statement is not called in the code string, NULL is returned. If there is a parsing error in the code, the eval() function returns false
assert's usage is a little more detailed.
assert_option() can be used to impose some constraints and control on assert();
Default value
ASSERT_ACTIVE=1 //Assert function switch
ASSERT_WARNING =1 // When the expression is false, whether to output a warning error message, issue a PHP warning for each failed assertion
ASSERT_BAIL= 0 //Whether to terminate the execution; terminate execution on failed assertions
ASSERT_QUIET_EVAL= 0 // Whether to turn off error prompts when executing expressions; disable error_reporting during assertion expression evaluation
ASSERT_CALLBACK= (NULL) // Whether to start the callback function user function to call on failed assertions
The official documentation of php is It is recommended to use assert for debugging. We can find that there is also a switch ASSERT_ACTIVE that can be used to control whether to enable debugging.
Now the question arises, if the programmer leaves a lot of assert() in the code during development, and then turns off execution when the program is released, setting assert_options(ASSERT_ACTIVE,0); is this feasible? Are there any security issues?
Since the main function of assert is debugging, don’t keep it when the program is released. It is unwise to use assert to judge expressions in the program. The reasons are mentioned above. One is that assert may be disabled in the production environment, so assert cannot be fully trusted; the other is that assert() can continue to be executed; and If ASSERT_ACTIVE=1 is set in the production environment, then this expression string can be executed, which itself has security risks. Code injection caused by assert
For example
<?php function fo(){ $fp = fopen("c:/test.php",'w'); fwrite($fp,"123"); fclose($fp); return true; } assert("fo()"); ?>
Note: assert executes the entire string parameter as PHP code, and eval executes legal PHP code.
The above is the detailed content of Detailed introduction to assert and eval in php (code example). For more information, please follow other related articles on the PHP Chinese website!