You'll have to come up with a regular expression to check for bad
characters. How complex are the equations? If they are like your example,
you can just check that the equation doesn't have any letters and is only
made up of [0-9+*-/()] characters.

---John Holmes...

----- Original Message -----
From: "Chris Boget" <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 9:47 AM
Subject: [PHP] Secure eval();

> I need to store equations in a DB for later use.  For example,
> something like the following might appear in one of the fields:
> (( 2 * 3 ) + 7 ) / ( 8 / 4 )
> So I want to eval() *only* equations.  However, there is nothing
> stoping someone from entering in a valid PHP command that
> accesses the file system.  While only a certain class of user
> will be able to access the page that allows the input of this
> of this equation, there isn't anything to stop them from entering
> malicious code.
> So my question, aside from parsing the value of the field, is there
> any way to run eval so that it won't run system commands?  So
> that it will only run mathematical equations?  Has anyone already
> come up with this kind of code?  Suggestions?  Ideas?
> thnx,
> Chris
> --
> PHP General Mailing List (
> To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to