stackoom
  简体   繁体   中英

PHP eval error when assigning value to variable

 原文  2009-07-24 18:03:50       php/ eval

Question

I have a bit of PHP code (for the module feature of my CMS (not drupal) which allows people to view pages, comments, forum posts, blog posts, etc...): 

if(isset($_GET["m"]))
{
    //Does the module exist and activated, and has it a function called view?
    if(isset($module_exists[$_GET["m"]]) && method_exists($_GET["m"], "view"))//Yep
    {
        //Load view (should be an array)
        eval("$module_view = ".$_GET["m"]."::view();");
        if(!is_array($module_view))//Not an array :(
        {
            error::e500module($_GET["m"], $_SERVER["REQUEST_URI"]);
        }
    }
    else//Nope, so display error
    {
        error::e404($_SERVER['REQUEST_URI']);
    }
}

Now, I get this errors when parsing the page: 

Notice: Undefined variable: module_view in C:\wamp\www\SYSTEM\start.php on line 34

Parse error: parse error in C:\wamp\www\SYSTEM\start.php(34) : eval()'d code on line 1

Notice: Undefined variable: module_view in C:\wamp\www\SYSTEM\start.php on line 35

But when I do: 

eval("print_r(".$_GET["m"]."::view());");

instead of: 

eval("$module_view = ".$_GET["m"]."::view();");

I don't get any error, but simply the array printed. Does anyone know what I do wrong? I don't understand it. Please don't tell me that eval() is not safe, I know.

Thanks.

2 answers

solution1
 3 ACCPTED  2009-07-24 18:08:11

You should never do any eval. Here is the correct way to do this: 

$class = $_GET["m"];
$module_view = $class::view();

But even here, you should have an array and check that $class is an authorized module before executing any code containing it, as it's user input and user input can't be trusted: 

$class = $_GET["m"];
if (!in_array($class, $authorized_modules))
{
    header("HTTP/1.1 404 Not Found"); // always good to send a 404 in these cases, so search engines won't index the url
    die("Content not found");
}
$module_view = $class::view();

Just so you know, your error is because you have to escape your variable in the eval: 

eval("\$module_view = ".$_GET["m"]."::view();");

Else it's evaluated before it's given as a string to the eval().

solution2
 0  2009-07-24 18:09:52

You could use call_user_func() instead of eval() 

$module_view = call_user_func(array($_GET["m"], 'view'));

See the docs for the callback pseudo-type

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Benefit of assigning a variable via eval in php? Assigning Array Value to variable PHP What is the difference between “&=” and “=&” when assigning a variable value in PHP? PHP, assigning a value to a variable by reference PHP: Assigning an AJAX response value into PHP Variable Assigning HTML value to PHP variable - best practice? PHP/MySQL Prepared statement not assigning a value to a variable? php public property default value assigning as variable Problem in assigning js value to php variable Assigning a CSS style to a variable value in PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM