Question
Upon reading https://stackoverflow.com/review/first-posts/3429940 (is PHP eval() really dangerous?) and http://dhorrigan.com/post/30395987906/is-eval-really-evil-yes-and-no, I am wondering if the ColdFusion equivalent has similar issues.
Answer 1:
I think the warnings on the PHP function are histrionic & a bit facile, because they focus on one specific misuse of the construct, rather than its general purpose.
evaluate() will be less prone to this because it cannot execute any amount of code, it can simply evaluate individual expressions (albeit more than one, separately and disconnectedly executed).
The thing is - and this is touched on in the PHP articles too - it's just seldom, if ever, needed. If you find yourself using it... you're probably doing something wrong.
For further reading, I discuss this on my blog: "evalulate() is really slow". Is it now?
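The usual reason evaluate() appears in CFML is building a variable name at runtime, which bracket notation covers without evaluating anything. The sketch below is an added example, not part of the original question or answer; the `submitted` struct, the `qty_` field naming and both function names are assumptions made for illustration.

```cfml
<cfscript>
// Constructed sample data standing in for request input (hypothetical names).
submitted = { qty_1 = "2", qty_2 = "5", qty_3 = "1" };

// Pattern to avoid: the variable name is assembled as a string and handed to
// evaluate(). If any part of that string comes from the request, the caller
// influences which CFML expression (function calls included) is evaluated.
function qtyViaEvaluate(required string suffix) {
    return evaluate("submitted.qty_" & arguments.suffix);
}

// Replacement: validate the dynamic part against a strict pattern, then use
// bracket notation. The key is only ever treated as data, never as code.
function qtyViaBracket(required struct data, required string suffix) {
    if (!reFind("^[0-9]{1,3}$", arguments.suffix)) {
        throw(type="InvalidInput", message="Unexpected field suffix");
    }
    var key = "qty_" & arguments.suffix;
    if (!structKeyExists(arguments.data, key)) {
        throw(type="InvalidInput", message="Unknown field: " & key);
    }
    // val() coerces the stored string to a number; non-numeric text becomes 0.
    return val(arguments.data[key]);
}

// Sum the three constructed fields using the bracket-notation helper only.
total = 0;
for (i = 1; i <= 3; i++) {
    total += qtyViaBracket(submitted, i);
}
writeOutput("Total quantity: " & total);
</cfscript>
```

When reviewing a code base, searching for evaluate( calls whose argument contains a form, url or cgi value is a quick way to find the places that need this rewrite.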
Source: https://stackoverflow.com/questions/20179728/is-coldfusion-evaluate-really-dangerous