Eval function PHP

Time: 2018-07-29 11:37:06

Tags: php html web

I am trying to use the eval() function in PHP, but my variable (ppi) has a dollar sign in it.

$operation = "*";
$cname = mysqli_real_escape_string($link, $_REQUEST['cname']);
$to = mysqli_real_escape_string($link, $_REQUEST['email']);
$prod = mysqli_real_escape_string($link, $_REQUEST['prod']);
$desc = mysqli_real_escape_string($link, $_REQUEST['desc']);
$ppi = mysqli_real_escape_string($link, $_REQUEST['ppi']);
$items = mysqli_real_escape_string($link, $_REQUEST['items']);
$total = mysqli_real_escape_string(eval('return '.$ppi.$operation.$items.';'))

Although simplified, the equivalent would be:

$operation = "*";
$cname = mysqli_real_escape_string($link, $_REQUEST['cname']);
$to = mysqli_real_escape_string($link, $_REQUEST['email']);
$prod = mysqli_real_escape_string($link, $_REQUEST['prod']);
$desc = mysqli_real_escape_string($link, $_REQUEST['desc']);
$ppi = '$10';
$items = '5';
$total = mysqli_real_escape_string(eval('return '.$ppi.$operation.$items.';'))

However, whenever I try to run this code, I always get an HTTP error 500.
Thank you,
Jack

1 answer:

Answer 0: (score: 0)

You can work out the problem by expanding the string one step at a time:

$operation = "*";
$cname = mysqli_real_escape_string($link, $_REQUEST['cname']);
$to = mysqli_real_escape_string($link, $_REQUEST['email']);
$prod = mysqli_real_escape_string($link, $_REQUEST['prod']);
$desc = mysqli_real_escape_string($link, $_REQUEST['desc']);
$ppi = '$10';
$items = '5';

// New Bit:
$evalString = 'return ' . $ppi . $operation . $items . ';';
// $evalString = 'return $10*5;'

eval($evalString);
// This is equivalent of eval('return $10*5');
// Which errors as you can't have a variable begin with a number

Note: per the comments above, it is best not to use eval; convert the values properly to ints() and evaluate them another way.
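An eval-free way to compute the total, following the note above. This is an added example, not code from the original question or answer; the function names parsePriceToCents and orderTotalCents, the digit limits and the item range are assumptions. Request values are validated as data and never executed, so a price like "$10" is parsed rather than interpreted as PHP.

```php
<?php
declare(strict_types=1);

/**
 * Parse a price such as "$10", "10" or "$10.5" into integer cents.
 * Returns null when the input is not a plain price.
 */
function parsePriceToCents(string $raw): ?int
{
    // Optional leading "$", 1-7 digits, optional 1-2 decimal digits; nothing else.
    if (!preg_match('/^\$?(\d{1,7})(?:\.(\d{1,2}))?$/D', trim($raw), $m)) {
        return null;
    }
    $fraction = str_pad($m[2] ?? '', 2, '0'); // "5" -> "50", "" -> "00"
    return (int)$m[1] * 100 + (int)$fraction;
}

/**
 * Compute the order total in cents without eval().
 * Returns null if either field fails validation.
 * The bounds (assumed here) keep the product well inside a 64-bit int.
 */
function orderTotalCents(string $ppi, string $items): ?int
{
    $cents = parsePriceToCents($ppi);
    $count = filter_var($items, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100000]]);
    if ($cents === null || $count === false) {
        return null;
    }
    return $cents * $count;
}

// Constructed sample inputs standing in for $_REQUEST['ppi'] and $_REQUEST['items'].
$samples = [['$10', '5'], ['10.5', '3'], ['$10*5', '1'], ['10', '5;']];
foreach ($samples as [$ppi, $items]) {
    $total = orderTotalCents($ppi, $items);
    echo $ppi, ' x ', $items, ' => ',
        $total === null ? 'rejected' : number_format($total / 100, 2, '.', ''), PHP_EOL;
}
```

Because the total is an integer produced by the server, it can be bound to a prepared statement as an integer parameter instead of being passed through mysqli_real_escape_string.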