
json_decode security

Is PHP's json_decode() secure as opposed to eval()? The eval() function can run code, but does json_decode() do that as well?

Since JSON can only represent data, json_decode will not execute php code.

However, just like any other function, the implementation of json_decode could be buggy and allow arbitrary (binary, not (only) php) code execution, for example with a buffer overflow. Due to the relatively simple and widely used code, this is unlikely, and there is nothing you can or should do in a php program to mitigate that.
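The contrast the answer draws (JSON is data, eval is code) can be seen directly in PHP. The following is an added example, not code from the question or the answers above: the JSON documents are constructed for illustration, and decode_json_safely is a hypothetical helper name. It also shows the one check a practitioner does want around json_decode, which is detecting malformed input instead of silently receiving null.

```php
<?php
// Added example (not from the original question or answers): json_decode()
// turns text into plain data, while eval() executes text as PHP code.
// All inputs below are constructed for illustration.
declare(strict_types=1);

// A JSON document whose string value happens to look like PHP source.
$json = '{"name": "<?php phpinfo(); ?>", "n": 2, "tags": ["a", "b"]}';

// Hypothetical helper: associative arrays, a modest nesting limit, and an
// exception on malformed input instead of a silent null (PHP 7.3+ flag).
function decode_json_safely(string $json): array
{
    return json_decode($json, true, 32, JSON_THROW_ON_ERROR);
}

$data = decode_json_safely($json);
var_dump($data['name']);   // string(20) "<?php phpinfo(); ?>" - inert data, nothing ran
var_dump($data['n']);      // int(2)
var_dump($data['tags']);   // array(2) { "a", "b" }

// Malformed input: without JSON_THROW_ON_ERROR, json_decode() returns null,
// which is easy to confuse with a legitimate JSON null value.
$bad = '{"name": "unterminated';
var_dump(json_decode($bad));      // NULL
var_dump(json_last_error_msg());  // string(12) "Syntax error"

try {
    decode_json_safely($bad);
} catch (JsonException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// eval(), by contrast, runs whatever string it is handed as PHP code.
$code = 'return 1 + 1;';
var_dump(eval($code));  // int(2) - the string was executed, not stored
```

The point of the decoded-value dumps is that a string containing "<?php" comes back as exactly that string; the decoder has no notion of executing its contents. The error-handling branch is the practical caveat: the security-relevant mistake with json_decode is usually not code execution but treating a null returned for bad input as if it were valid data.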

eval() and json_decode() are two different functions, I don't know why you think they are similar. One evaluates a string as PHP code and the other decodes a JSON string. Nothing is executed when json_decode is run.
