如何解析PHP数组中的PHP代码?

时间:2012-01-06 13:11:47

标签: php parsing

我在我的网站上使用这块code。 如果数组中有PHP代码,并且如果您回显它,则它不会运行。

有一段代码; 

function spin($var){
$words = explode("{",$var);
foreach ($words as $word)
{
    $words = explode("}",$word);
    foreach ($words as $word)
    {
        $words = explode("|",$word);
        $word = $words[array_rand($words, 1)];        
        echo $word." ";

    }

}
}

$text = "example.com is {the best forum|a <? include(\"myfile.php\");?>Forum|a wonderful Forum|a perfect Forum} {123|some other sting}";
spin($text);

不包含需要包含“ myfile.php ”的文件。并且PHP代码将是可见的。这是为什么?我该如何解决这个问题?

3 个答案:

答案 0 :(得分:3)

我相信你会希望通过eval()运行include语句。但请注意:

“eval()语言结构非常危险,因为它允许执行任意PHP代码。因此不鼓励使用它。如果你仔细验证除了使用这个结构之外别无选择,请特别注意不要将任何用户提供的数据传递给它,而不事先正确验证它。“ (PHP.net)

消息来源:http://php.net/manual/en/function.eval.php

您可以尝试以下方法:

<?php
  function spin($var)
  {
     $words = explode("\{",$var);
        foreach ($words as $word)
        {
           $words = explode("}",$word);
           foreach ($words as $word)
           {
              $words = explode("|",$word);
              $word = $words[array_rand($words, 1)];        

              if ( preg_match( "/\<\? include\(\\\"([A-Za-z\.]+)\\\"\)\;\?\>/", $word ) )
              {
                 $file = preg_replace( "/^.*\<\? include\(\\\"([A-Za-z\.]+)\\\"\)\;\?\>.*\$/", "\$1", $word );
                 $pre = preg_replace( "/^(.*)\<\? include\(\\\"[A-Za-z\.]+\\\"\)\;\?\>.*\$/", "\$1", $word );
                 $post = preg_replace( "/^.*\<\? include\(\\\"[A-Za-z\.]+\\\"\)\;\?\>(.*)\$/", "\$1", $word );

                 echo $pre;
                 include( $file );
                 echo $post;
              }
          }
      }
   }

   $text = "example.com is {the best forum|a <? include(\"myfile.php\");?>Forum|a          wonderful Forum|a perfect Forum} {123|some other sting}";
   spin($text);
?>

答案 1 :(得分:1)

我的建议是另一种方式,

function spin($var){
$words = explode("{",$var);
foreach ($words as $word)
{
    $words = explode("}",$word);
    foreach ($words as $word)
    {
        $words = explode("|",$word);
        $word = $words[array_rand($words, 1)];
        if(str_replace(" ","",$word) == 'thisparam'){
            echo 'a'; 
                include("myfile.php");
            echo 'Forum';
        }else{
            echo $word." ";
        }
    }
}
}

$text = "example.com is {the best forum| thisparam |a wonderful Forum|a perfect Forum} {123|some other sting}";
spin($text);

其中thisparam是变量$ test是运行if语句的参数。 我放置一个$ word的str_replace来替换字符串以获得确切的单词。

答案 2 :(得分:0)

毕竟它只是一串文字。 echo只输出文本......

我建议您使用eval http://php.net/manual/en/function.eval.php

我真的不知道你为什么要这样做。每当我需要使用eval和朋友时,我就会停下来思考“我应该这样做吗?”

相关问题
最新问题