eval() is a language construct, not a function, so it cannot be blocked with disable_functions.
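A PHP extension, Suhosin, can be installed to block it. Note that --no-check-certificate in the command below skips TLS certificate verification, so the download is unauthenticated.
wget https://download.suhosin.org/suhosin-0.9.38.tar.gz --no-check-certificate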
tar -xzvf suhosin-0.9.38.tar.gz
cd suhosin-0.9.38
yum install php-devel -y
phpize
./configure
make
make install
vi /etc/php.ini
Add:
extension=/usr/lib64/php/modules/suhosin.so
suhosin.executor.disable_eval = On
suhosin.executor.eval.whitelist =
suhosin.executor.eval.blacklist = include, include_once, require, require_once, curl_init, fpassthru, file, base64_encode, base64_decode, mail, exec, system, proc_open, leak, syslog, pfsockopen, shell_exec, ini_restore, symlink, stream_socket_server, proc_nice, popen, proc_get_status, dl, pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair, link, register_shutdown_function, register_tick_function
Test whether the block works:
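<?php
// Build a string that contains variable names, then let eval() interpolate them.
$string = 'cup';
$name = 'coffee';
$str = 'This is a $string with my $name in it.';
echo $str . "\n";
// With suhosin.executor.disable_eval = On, this eval() call is blocked.
eval("\$str = \"$str\";");
echo $str . "\n";
// Check the output to confirm that the suhosin extension is loaded.
phpinfo();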
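
A static check of the php.ini edited above, useful before restarting PHP or when auditing several hosts. This is an added example, not code from the original page or from the Suhosin project. The function name audit_suhosin_ini is hypothetical, the sample file is constructed, and it assumes all settings live in the one file passed in (additional .ini directories are not read).

```shell
#!/bin/sh
# audit_suhosin_ini FILE  (hypothetical helper name, not part of Suhosin)
# Returns 0 only if FILE has a suhosin extension line and turns disable_eval on.
audit_suhosin_ini() {
    awk '
    function trim(s) { gsub(/^[ \t"]+|[ \t"\r]+$/, "", s); return s }
    /^[ \t]*(;|\[)/ { next }              # skip comment lines and [sections]
    {
        eq = index($0, "=")
        if (eq == 0) next                 # blank or malformed line
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = substr($0, eq + 1)
        sub(/[ \t]*;.*$/, "", val)        # drop a trailing ; comment
        val = trim(val)
        # extension= may name the module with or without a directory
        if (key == "extension" && val ~ /(^|\/)suhosin(\.so)?$/) loaded = 1
        # PHP reads 1, On, True and Yes as true; a later line overrides an earlier one
        if (key == "suhosin.executor.disable_eval")
            eval_off = (tolower(val) ~ /^(1|on|true|yes)$/)
    }
    END {
        print "suhosin extension line: " (loaded ? "present" : "MISSING")
        print "disable_eval: " (eval_off ? "On" : "OFF OR UNSET")
        exit !(loaded && eval_off)
    }' "$1"
}

# Constructed sample: the settings from this page, plus an earlier Off
# that the later quoted On overrides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed php.ini fragment
extension = /usr/lib64/php/modules/suhosin.so
suhosin.executor.disable_eval = Off
suhosin.executor.disable_eval = "On"   ; later line wins
suhosin.executor.eval.whitelist =
EOF
audit_suhosin_ini "$sample"
rm -f "$sample"
```

A non-zero exit status means eval() would still run after the restart, even if the extension line is present.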