Updated: 2022-11-27 18:50:13
Not in any traditional sense, as PHP's sprintf doesn't support any of the really dangerous conversions like %n. A user-controlled format string can still cause some limited havoc (consider %99999999s), but about the worst I think it could do would be to consume memory and time.
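
The memory-and-time case from the answer above, as an added example that is not part of the original answer: a hypothetical `checked_sprintf()` wrapper that refuses a format string whose width or precision is oversized, or taken from the arguments, before it reaches sprintf. The function name, the 256-character cap and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not a PHP built-in: format only if every conversion
// in $format is recognised and pads or truncates to at most $maxPad characters.
function checked_sprintf(string $format, array $args, int $maxPad = 256): string
{
    // %% or %[argnum$][flags][width][.precision]specifier
    $spec = '/%(?:%|(?:(\d{1,3})\$)?(?:[-+ 0]|\'.)*(\d+|\*)?(?:\.(\d+|\*))?[bcdeEfFgGhHosuxX])/';

    // Any '%' left after removing well-formed conversions is malformed.
    $rest = preg_replace($spec, '', $format);
    if ($rest === null || strpos($rest, '%') !== false) {
        throw new InvalidArgumentException('unrecognised conversion');
    }
    preg_match_all($spec, $format, $found, PREG_SET_ORDER);
    $sequential = $highest = 0;
    foreach ($found as $m) {
        if ($m[0] === '%%') {
            continue; // literal percent sign, consumes no argument
        }
        foreach ([$m[2] ?? '', $m[3] ?? ''] as $n) {
            // '*' (where supported) reads the number from the arguments,
            // so it cannot be bounded here and is refused outright.
            if ($n !== '' && (!ctype_digit($n) || strlen($n) > 6 || (int)$n > $maxPad)) {
                throw new InvalidArgumentException("width or precision over $maxPad: {$m[0]}");
            }
        }
        if (($m[1] ?? '') !== '') {
            $highest = max($highest, (int)$m[1]); // positional: %2$s
        } else {
            $sequential++;
        }
    }
    if (max($sequential, $highest) > count($args)) {
        throw new InvalidArgumentException('not enough arguments');
    }
    return sprintf($format, ...array_values($args));
}

// Constructed inputs for illustration.
echo checked_sprintf('%05d|%-8s|%.2f', [42, 'ok', 3.14159]), PHP_EOL;
foreach (['%99999999s', '%.99999999f', '%*s', '%n'] as $hostile) {
    try {
        checked_sprintf($hostile, ['x', 'y']);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Where the format does not need to vary, a fixed template with the user's text passed as an argument (`sprintf('%s', $input)`) avoids the check entirely.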