PHP Класс Psecio\Parse\Rule\PregReplaceWithEvalModifier

With the e modifier set preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string. This modifier is deprecated as of PHP 5.5 and use is highly discouraged as it can easily introduce security vulnerabilites. Example of failing code The following code can be easily exploited by passing in a string such as {${eval($_GET[php_code])}}
. This gives the attacker the ability to execute arbitrary PHP code and as such gives him nearly complete access to your server.

$html = preg_replace(
    '((.*?))e',
    '"" . strtoupper("$2") . ""',
    $_POST['html']
);

How to fix? Use the preg_replace_callback() function instead.

$html = preg_replace_callback(
    '((.*?))',
    function ($m) {
        return "" . strtoupper($m[2]) . "";
    },
    $_POST['html']
);

Наследование: implements Psecio\Parse\RuleInterface, use trait Psecio\Parse\Rule\Helper\NameTrait, use trait Psecio\Parse\Rule\Helper\DocblockDescriptionTrait, use trait Psecio\Parse\Rule\Helper\IsFunctionCallTrait

Показать файл Открыть проект

Открытые методы

Метод	Описание
isValid ( PhpParser\Node $node )

Описание методов

isValid() публичный Метод

public isValid ( PhpParser\Node $node )
$node	PhpParser\Node