如何eval()一段字符串
[英]how to eval() a segment of a string
问题描述
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. 
我有一个包含HTML和PHP的字符串,当我从数据库中提取该字符串时,它会回显到屏幕上,但不会显示PHP代码。 The string looks like this: 该字符串如下所示:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output 产量
Hello
Source Code 源代码
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. 当我查看源代码时,可以看到那里的php行。 So what I need to do is eval() just the php segment that is in the string. 所以我需要做的是eval()只是字符串中的php段。
One thing to consider is that the PHP could be located anywhere in the string at any given time. 要考虑的一件事是,PHP可以在任何给定时间位于字符串中的任何位置。
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *需要澄清的是,我的PHP配置是正确的,这是某些PHP从数据库中转储而不呈现的情况,因为我正在回显带有PHP代码的变量,所以它无法运行。 * *
Thanks again for any help I may receive. 再次感谢您提供的任何帮助。
3 个解决方案
解决方案1
4 已采纳 2009-06-21 22:54:00
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. 这是可行的,但就像其他人已经提出的那样,这是一个可怕的想法。 Your application architecture should never revolve around storing code in the database. 您的应用程序体系结构永远都不应围绕将代码存储在数据库中。
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. 最简单地,如果您的页面始终需要显示字符串,则将这些字符串存储在数据库中,而不是编写代码来生成它们。 Real world data is more complicated than this, but must always be properly modelled in the database. 现实世界中的数据要比这复杂得多,但必须始终在数据库中对其进行正确建模。
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly. 编辑:将需要适应与preg_replace_callback正确删除源/插值。
解决方案2
0 2009-06-21 22:39:42
You shouldn't eval the php code, just run it. 您不应该评估php代码,只需运行它即可。 It's need to be php interpreter installed, and apache+php properly configured. 需要安装php解释器,并正确配置apache + php。 Then this .php file should output Hello World. 然后,此.php文件应输出Hello World。
Answer to the edit: Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it. 编辑的答案:使用preg_replace_callback获取php部分,评估它,将输入替换为输出,然后回显它。 But. 但。 If you should eval things come from database, i'm almost sure, it's a design error. 如果您应该从数据库中获取信息,我几乎可以肯定,这是设计错误。
解决方案3
0 2009-06-21 22:57:15
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. 只要代码是正确的PHP并且以分号结尾,eval()应该可以正常工作。 How about you strip off the php tag first, then eval it. 您如何首先剥离php标记,然后进行评估。
The following example was tested and works: 以下示例已经过测试并可以工作:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code. 只需确保从db中检索到的所有内容都已先经过适当的清理,因为从本质上讲,您是在允许任何可以将内容输入db的人执行代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.