eval

Web Attack and Defense Tutorial Series: A Brief Analysis of PHP Command Injection Attacks

最后都变了, submitted on 2019-12-01 22:29:11
Abstract: PHP command injection vulnerabilities are among the most common script vulnerabilities in PHP applications; well-known domestic web applications such as Discuz! and DedeCMS have had vulnerabilities of this type. This article describes the common forms in which PHP command injection vulnerabilities appear and how they are exploited, analyzes and exploits vulnerability examples, and offers practical methods and recommendations for preventing PHP command injection vulnerabilities. Command Injection refers to an attack in which, because a web application filters user-submitted data loosely, an attacker can construct special command strings, submit them to the web application, and thereby execute external programs or system commands to illegitimately obtain data or network resources. Command injection attacks were originally called shell command injection attacks; they were discovered by accident in 1997 by a Norwegian programmer, who, by constructing a command string, deleted a page from a website as easily as deleting a file from a hard disk. Below we briefly analyze and describe PHP command injection attacks in light of the characteristics of the PHP language. PHP command injection attacks: The main reason PHP command injection vulnerabilities exist is that web application developers, when using PHP functions that have command-execution capabilities,

Convert String to List in Python Without Using Eval?

流过昼夜, submitted on 2019-12-01 22:24:45
I have a string, something like this: "[['Cheese', 72], ['Milk', 45], ['Bread', 22]]" . I want to convert this to a list. I know I can use eval(string) to get the list, but eval scares me because of its potential for catastrophe (and because I can get a non-list as valid output). Is there another saner/safer way to turn this string into a list? I know it's a list and anything that isn't a list is invalid data (and should be checked for and/or throw an error). If you insist on doing it this way, you can use the ast.literal_eval function. >>> import ast >>> foo = "[['Cheese', 72], ['Milk', 45],

Evaluate a string as PHP code?

落爺英雄遲暮, submitted on 2019-12-01 21:33:21
I have a string that I want to have PHP read as a piece of code. The reason is that I want to build the set of instructions for PHP in advance, and then execute it later on. Currently I have: $string = '$this->model_db->get_results()'; And the desired result is: $string2 = $this->model_db->get_results(); You can have a variable variable/function, but cannot have variable method chains. You can, however, create a method chain using variable variables/functions. Check this page of the PHP documentation: http://php.net/manual/en/language.variables.variable.php It shows the usage of using strings as

Workaround for GNU Make 3.80 eval bug

。_饼干妹妹, submitted on 2019-12-01 20:46:03
Question: I'm trying to create a generic build template for my Makefiles, kind of like they discuss in the eval documentation. I've run into a known bug with GNU Make 3.80. When $(eval) evaluates a line that is over 193 characters, Make crashes with a "Virtual Memory Exhausted" error. The code I have that causes the issue looks like this. SRC_DIR = ./src/ PROG_NAME = test define PROGRAM_template $(1)_SRC_DIR = $$(SRC_DIR)$(1)/ $(1)_SRC_FILES = $$(wildcard $$($(1)_SRC_DIR)*.c) $(1)_OBJ_FILES = $$($(1)

Ruby evaluate without eval?

旧街凉风, submitted on 2019-12-01 19:46:05
How could I evaluate a mathematical string without using eval? Example: mathstring = "3+3" Any way that can be evaluated without using eval? Maybe something with regex..? mdesantis: You must either eval it, or parse it; and since you don't want to eval: mathstring = '3+3' i, op, j = mathstring.scan(/(\d+)([+\-*\/])(\d+)/)[0] #=> ["3", "+", "3"] i.to_i.send op, j.to_i #=> 6 If you want to implement more complex stuff you could use RubyParser (as @LBg wrote here - you could look at other answers too). I'm assuming you don't want to use eval because of security reasons, and it is indeed very

Workaround for GNU Make 3.80 eval bug

跟風遠走, submitted on 2019-12-01 19:21:59
I'm trying to create a generic build template for my Makefiles, kind of like they discuss in the eval documentation. I've run into a known bug with GNU Make 3.80. When $(eval) evaluates a line that is over 193 characters, Make crashes with a "Virtual Memory Exhausted" error. The code I have that causes the issue looks like this. SRC_DIR = ./src/ PROG_NAME = test define PROGRAM_template $(1)_SRC_DIR = $$(SRC_DIR)$(1)/ $(1)_SRC_FILES = $$(wildcard $$($(1)_SRC_DIR)*.c) $(1)_OBJ_FILES = $$($(1)_SRC_FILES):.c=.o) $$($(1)_OBJ_FILES) : $$($(1)_SRC_FILES) # This is the problem line endef $(eval $

Semi-sandboxing Javascript eval

被刻印的时光 ゝ, submitted on 2019-12-01 19:06:01
Background: I'm working on a framework/library to be used for a specific site in coordination with greasemonkey/userscripts. This framework/library will allow for addon support. The way it will work is an addon registers with the library listing required pages, resources, etcetera, and the library will wait until all criteria are met to call the addon's load() function. The Issue: In this listing of 'required stuff' I want addon devs to be able to specify javascript (as string) to be evaluated as a 'required resource'. For example 'document.getElementById("banana")'. What I want to do is semi

Javascript AJAX include file with eval

偶尔善良, submitted on 2019-12-01 19:01:06
Suppose I have 1) an HTML document. 2) This HTML document loads Javascript file "code.js" like this: <script src="code.js"> 3) User clicks a button which runs the "fetchdata" function in "code.js". 4) The "fetchdata" function looks like this: var xmlhttp = new XMLHttpRequest(); xmlhttp.onreadystatechange = function() { if (xmlhttp.readyState==4) { myjsdata = xmlhttp.responseText; } } xmlhttp.open("GET", 'http://www.example.com/data.js', false); xmlhttp.send(null); ... Now how do I do the following successfully: I want to insert/eval my Javascript in a way, so all functions in "code.js" including

JSON serialization and deserialization in JS

。_饼干妹妹, submitted on 2019-12-01 17:58:33
JSON serialization and deserialization in JS (1) Serialization, i.e. converting a JS Object into a string. 1. Using toJSONString: var last=obj.toJSONString(); // convert the JSON object to a JSON string 2. Using stringify: var last=JSON.stringify(obj); // convert the JSON object to a JSON string (2) Deserialization, i.e. converting a JSON string into a JS Object. 1. Using parse: var obj = JSON.parse(data); // convert the JSON string to a JSON object 2. Using parseJSON: var obj = data.parseJSON(); // convert the JSON string to a JSON object 3. Using eval: var obj=eval("("+data+")"); Why must "("+data+")" be added here for eval? The reason lies in eval itself: since JSON begins and ends with "{}", JS treats it as a statement block, so it must be forced into an expression.

How to limit text string in Eval

倖福魔咒の, submitted on 2019-12-01 17:00:00
I have a hyperlink with the navigate property set like this: NavigateUrl='<%# Eval("My Text") %>' How can I limit the string to 140 characters? I have tried this Eval("My Text").ToString().Substring(0,140) but if the string length is less than 140 characters it throws an exception. And yet another possibility: Eval("My Text").ToString().PadRight(140).Substring(0,140).TrimEnd() Edit: I do like LINQ, too: Eval("My Text").ToString().Take(140).Aggregate("", (x,y) => x + y) Use It (: <%# Eval("MyText").ToString().Length <= 30 ? Eval("MyText") : Eval("MyText").ToString().Substring(0, 30)+"..." %