Shulou(Shulou.com)06/01 Report--

Recently, due to the needs of the project, led to a topic: how to execute string php code (php and html mixed).

Note: traditionally, php code is stored in a file and can be run directly. The following discussion is, if the php code is obtained from the database, then how to run it?

The most intuitive solution

Write the string code to a temporary file, then include the file in the project, and delete the temporary file after execution.

System functions such as system exec

Php function eval (will there be security problems?)

Further wishful thinking

Take the string code as a parameter and pass it to cli or php-fpm of php to run

Redefine include so that include can manipulate strings directly

Verification of several ideas

1: write a temporary file, then include the file. There is no doubt that it is feasible. Then don't you have to write a file every time and write a file once for every request? Well, there's always a solution, such as caching + expiration verification, but it always feels like it's not professional enough.

Functions like 2:system exec. If you think about it a little bit, you will see that such functions execute system commands, not run php code.

The 3:eval function, the manual says:

Caution: The eval () language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

4: is there any way to solve this kind of problem in php-fpm cli mode?

The initial idea is to pass the string code to the fpm cli mode and wait for the result to be returned.

But there is a hard wound, and the string code that needs to be executed is contextual. For example, if the string code uses a variable $_ GET, if the string code is passed to fpm and the $_ GET variable is not passed, the code still won't work properly.

Can 5:include manipulate strings directly?

Well, none of the previous four methods seems to be satisfied, so let's dig deeper into this idea.

First of all, what is the principle of include in php?

Did not look at the source code, guess, 1: read files (fopen,fread and so on) 2: parse php syntax 3: run the code

So, if you can let fopen,fread manipulate strings, maybe this problem will be solved?

Imagine converting a string to an object or stream, providing a fopen,fread interface. First of all, it is thought that there should be such interfaces in php's SPL. Check the official php manual and find the chapter on "supported protocols and encapsulation protocols" in php manual (colleagues also mentioned the way to use custom protocols). The following is the simplest demo for testing: (encapsulating custom protocols and directly manipulating strings using include)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.