PHP class Psecio\Parse\Rule\PregReplaceWithEvalModifier

With the e modifier set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates the result as PHP code, and uses what that evaluation returns as the replacement for the search string. This modifier is deprecated as of PHP 5.5 and its use is highly discouraged, as it can easily introduce security vulnerabilities.

Example of failing code

The following code can be easily exploited by passing in a string such as

    {${eval($_GET[php_code])}}

This gives the attacker the ability to execute arbitrary PHP code and as such gives them nearly complete access to your server.

    // The e modifier makes preg_replace() run the substituted replacement
    // string through eval(), so user-controlled input reaches the PHP engine.
    $html = preg_replace(
        '(<h1>(.*?)</h1>)e',
        '"<h1>" . strtoupper("$2") . "</h1>"',
        $_POST['html']
    );

How to fix?

Use the preg_replace_callback() function instead.

    // The callback receives the match array; nothing is evaluated as code.
    $html = preg_replace_callback(
        '(<h1>(.*?)</h1>)',
        function ($m) {
            return "<h1>" . strtoupper($m[2]) . "</h1>";
        },
        $_POST['html']
    );
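The check this rule performs, as an added example that is not psecio/parse's own code: a standalone detector, built on PHP's token_get_all() rather than the PhpParser\Node that isValid() receives, which flags preg_replace() calls whose literal pattern carries the e modifier. The function names and the sample source are assumptions made here.

```php
<?php
// Added example, not psecio/parse's own rule: a tokenizer-based detector for what
// this rule flags, a preg_replace() call whose literal pattern has the e modifier.
// True if a PCRE pattern string ends with a modifier set containing 'e'.
function hasEvalModifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    // Bracket-style delimiters close with their counterpart, e.g. '(...)e'.
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$pattern[0]] ?? $pattern[0];
    $end = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false; // not a well-formed delimited pattern
    }
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}
// Line numbers of unqualified preg_replace() calls whose first argument is a string
// literal with the e modifier; patterns built at runtime cannot be judged statically.
function findPregReplaceWithEval(string $source): array
{
    $flagged = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strtolower($t[1]) !== 'preg_replace') {
            continue;
        }
        $j = $i + 1; // step over whitespace and '(' to reach the first argument
        while ($j < $count && ($tokens[$j] === '(' || (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE))) {
            $j++;
        }
        if ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_CONSTANT_ENCAPSED_STRING
            && hasEvalModifier(substr($tokens[$j][1], 1, -1))) { // strip the quotes
            $flagged[] = $t[2];
        }
    }
    return $flagged;
}
// Constructed sample: the failing call and its preg_replace_callback() fix.
$sample = <<<'PHP'
<?php
$html = preg_replace('(<h1>(.*?)</h1>)e', '"<h1>" . strtoupper("$2") . "</h1>"', $_POST['html']);
$html = preg_replace_callback('(<h1>(.*?)</h1>)', fn($m) => "<h1>" . strtoupper($m[2]) . "</h1>", $_POST['html']);
PHP;
print_r(findPregReplaceWithEval($sample)); // report the flagged line numbers
```

Only the first call in the sample is reported; the preg_replace_callback() form has no modifier to evaluate, and a pattern assembled from variables is left for manual review.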
Inheritance: implements Psecio\Parse\RuleInterface, uses trait Psecio\Parse\Rule\Helper\NameTrait, uses trait Psecio\Parse\Rule\Helper\DocblockDescriptionTrait, uses trait Psecio\Parse\Rule\Helper\IsFunctionCallTrait
Project: psecio/parse

Public methods

Method                              Description
isValid ( PhpParser\Node $node )

Method details

isValid() public method

public isValid ( PhpParser\Node $node )
$node PhpParser\Node