eval()不是函数。所以不能用disable_function()来屏蔽。
可以安装php扩展实现屏蔽。
要求php版本在5.4以上。如果不够的话。需要升级php
CentOS 6:
https://www.tecmint.com/install-php-5-4-php-5-5-or-php-5-6-on-centos-6/
CentOS 7:
https://www.tecmint.com/install-php-5-6-on-centos-7/
wget https://download.suhosin.org/suhosin-0.9.38.tar.gz --no-check-certificate tar -xzvf suhosin-0.9.38.tar.gz cd suhosin-0.9.38 yum install php-devel -y phpize ./configure make make install vi /etc/php.ini
插入:
extension= /usr/lib64/php/modules/suhosin.so suhosin.executor.disable_eval = On
更多用法:
https://suhosin.org/stories/howtos.html
suhosin.executor.eval.whitelist =
suhosin.executor.eval.blacklist = include, include_once, require, require_once, curl_init, fpassthru, file, base64_encode, base64_decode, mail, exec, system, proc_open, leak, syslog, pfsockopen, shell_exec, ini_restore, symlink, stream_socket_server, proc_nice, popen, proc_get_status, dl, pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair, link, register_shutdown_function, register_tick_function
测试屏蔽是否成功:
$string = 'cup'; $name = 'coffee';
$str = 'This is a $string with my $name in it.';
echo $str. "\n";
eval("\$str = \"$str\";");
echo $str. "\n";
phpinfo();
