On Thu, Feb 16, 2012 at 04:37:18PM -0500, Marc Guay wrote:
> > It shouldn't be that hard to parse this type of expressions.
> I appreciate your concern, and will do my best to validate the input,
> but there are two things:
> 1)  The application will only be used by selected users.
> and
> 2)  The range of possibilities are broader than I indicated.  They
> would like to be able to enter conditions of all sorts.  i.e.
> ($x / $y) > 0.5
> (($a+$b+$c) / $d) < .75
> etc.
> If you have any suggestions on how to increase the security while
> maintaning the flexibility, I'd be happy to hear it.
> Marc

You might try making a list of "dirty words" (in this case, not
the 4-letter type, but things you wouldn't want the user to be
able to do (mail() calls, filesystem type calls, etc.).

Another possibility might be to explode the contents of the
expression and run a call to function_exists() on it ... but
that might be a tad too broad as well.


Kevin Kinsey

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to