I keep getting
file: C:\xampp\htdocs\doit.php(45) : eval()'d code line: 1
I have searched the site and can not find a fix that works for me this is the code that I am using that is giving the issue
$ec = "\$sucrate=" . str_replace(array("LEVEL", "EXP", "WILL", "IQ"), array($player['level'], $player['exp'], $player['will'], $player['IQ']), $r['crimePERCFORM']) . ";";
eval($ec);
2条答案
按热度按时间ldioqlga1#
The string you are building would need quotes around the
str_replace
'd string (and possibly another string_replace pair also to prevent quote issues).Example:
However, while that should fix your issue, there is almost never a good case for using
eval
. It will certainly leave your code vulnerable to some sort of remote execution hack no matter what "protections" you put in place that would allow anyone to run any code on your server as if it was written by you.This would do exactly that same thing, which is just setting the
$sucrate
variable with your replaced values.anauzrmj2#
I got carried away and have thought about how to improve it this might not actually be an answer to your question but more of a food-for-thought. I see two solutions, and both are kind of invasive.
Of course both solutions only work in all the cases if your formula only use "variables" like in your example with
((WILL*0.8)/2.5)+(LEVEL/4)
. If you have more complex formulas you'd have do adapt my solutions.Wrapping eval and don't inject all the inputs in the eval'd code
Assuming the formulas are under your control and not user-supplied you could improve your eval by not injecting all the inputs in your eval'd code but only the formula. This way you don't have to escape the inputs, you only have to make sure the formula is syntactically correct.
This still uses eval, so security-wise this would be the worst solution. But this would be the closest to what you have now.
Using Symfony's Expression Language
The more secure option would be to use something like the symfony's expression language component . Now you don't need the whole symfony framework in your application, the expression language component can be used on it's own. This could be a big change, this depends on how your existing codebase looks. If you have not used composer or namespaces in your project, this change might be too big.
As I've said this is maybe a huge change and you might have to get acquainted with composer if you don't know it already.