我在我的网站上使用这块code。 如果数组中有PHP代码,并且如果您回显它,则它不会运行。
有一段代码;
function spin($var){
$words = explode("{",$var);
foreach ($words as $word)
{
$words = explode("}",$word);
foreach ($words as $word)
{
$words = explode("|",$word);
$word = $words[array_rand($words, 1)];
echo $word." ";
}
}
}
$text = "example.com is {the best forum|a <? include(\"myfile.php\");?>Forum|a wonderful Forum|a perfect Forum} {123|some other sting}";
spin($text);
不包含需要包含“ myfile.php ”的文件。并且PHP代码将是可见的。这是为什么?我该如何解决这个问题?
答案 0 :(得分:3)
我相信你会希望通过eval()
运行include语句。但请注意:
“eval()语言结构非常危险,因为它允许执行任意PHP代码。因此不鼓励使用它。如果你仔细验证除了使用这个结构之外别无选择,请特别注意不要将任何用户提供的数据传递给它,而不事先正确验证它。“ (PHP.net)
消息来源:http://php.net/manual/en/function.eval.php
您可以尝试以下方法:
<?php
function spin($var)
{
$words = explode("\{",$var);
foreach ($words as $word)
{
$words = explode("}",$word);
foreach ($words as $word)
{
$words = explode("|",$word);
$word = $words[array_rand($words, 1)];
if ( preg_match( "/\<\? include\(\\\"([A-Za-z\.]+)\\\"\)\;\?\>/", $word ) )
{
$file = preg_replace( "/^.*\<\? include\(\\\"([A-Za-z\.]+)\\\"\)\;\?\>.*\$/", "\$1", $word );
$pre = preg_replace( "/^(.*)\<\? include\(\\\"[A-Za-z\.]+\\\"\)\;\?\>.*\$/", "\$1", $word );
$post = preg_replace( "/^.*\<\? include\(\\\"[A-Za-z\.]+\\\"\)\;\?\>(.*)\$/", "\$1", $word );
echo $pre;
include( $file );
echo $post;
}
}
}
}
$text = "example.com is {the best forum|a <? include(\"myfile.php\");?>Forum|a wonderful Forum|a perfect Forum} {123|some other sting}";
spin($text);
?>
答案 1 :(得分:1)
我的建议是另一种方式,
function spin($var){
$words = explode("{",$var);
foreach ($words as $word)
{
$words = explode("}",$word);
foreach ($words as $word)
{
$words = explode("|",$word);
$word = $words[array_rand($words, 1)];
if(str_replace(" ","",$word) == 'thisparam'){
echo 'a';
include("myfile.php");
echo 'Forum';
}else{
echo $word." ";
}
}
}
}
$text = "example.com is {the best forum| thisparam |a wonderful Forum|a perfect Forum} {123|some other sting}";
spin($text);
其中thisparam是变量$ test是运行if语句的参数。 我放置一个$ word的str_replace来替换字符串以获得确切的单词。
答案 2 :(得分:0)
毕竟它只是一串文字。 echo只输出文本......
我建议您使用eval
http://php.net/manual/en/function.eval.php
我真的不知道你为什么要这样做。每当我需要使用eval
和朋友时,我就会停下来思考“我应该这样做吗?”