> -----Original Message-----
> From: Chris Boget [mailto:[EMAIL PROTECTED]]
> Subject: Re: [PHP] Secure eval();
>
> > Are you sure you have to run it through eval()? It sounds like you're
> > creating a query. Couldn't you just create the query dynamically, then put
> > it in a mysql_query() function? (or whatever DB you're using) Then, even if
> > they try some kung fu on you, it'll just result in a bad query, not some
> > rogue code being executed.
>
> Try some kung fu? Never heard it put like that before. :P
>
> I am kind of creating a query. The equation is going to look something like
> this:
>
> (({table1.field1} * {table2.field2}) + {table3.field3})
>
> Then I'm going to get the values in those fields and parse the above as if they
> were macros (which, in a sense, they are). That could yield something like:
>
> ((8 * 5) + 3)
>
> and it is that equation that I'm going to need to eval. So I don't think I'll be able
> to do this in a query.
>
> Chris
Make sure you check if the tables are valid and present in the database.

But like others have suggested, you should *really* look for a better way to do this. Putting text into a database and then blindly eval()'ing it later on is just begging for trouble.

---
Scott Hurring
Systems Programmer
EAC Corporation
[EMAIL PROTECTED]
Voice: 201-462-2149
Fax: 201-288-1515

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
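The "better way" the replies point at, as an added example that is not code from anyone in this thread: the stored `{table.field}` macros are expanded only from a lookup of values already fetched from the database, and the resulting arithmetic is evaluated by a small recursive-descent parser that understands nothing but numbers, `+ - * /` and parentheses. No string ever reaches eval(), so a stored expression that is not pure arithmetic is rejected instead of executed. The function and class names (`expandMacros`, `SafeArithmetic`) and the `$fieldValues` sample rows are assumptions made for this example.

```php
<?php
// Added example (not from the thread). Constructed sample values standing in
// for the rows the application would fetch for table1.field1 etc.
$fieldValues = [
    'table1.field1' => 8,
    'table2.field2' => 5,
    'table3.field3' => 3,
];

// Replace each {table.field} macro with its numeric value. Unknown fields and
// non-numeric values are rejected rather than interpolated.
function expandMacros(string $expr, array $values): string
{
    return preg_replace_callback('/\{([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\}/', function ($m) use ($values) {
        if (!array_key_exists($m[1], $values)) {
            throw new InvalidArgumentException("Unknown field reference: {$m[1]}");
        }
        if (!is_numeric($values[$m[1]])) {
            throw new InvalidArgumentException("Non-numeric value for {$m[1]}");
        }
        return (string) $values[$m[1]];
    }, $expr);
}

// Recursive-descent evaluator for the grammar:
//   expr   := term (('+'|'-') term)*
//   term   := factor (('*'|'/') factor)*
//   factor := number | '(' expr ')' | '-' factor
final class SafeArithmetic
{
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $expr): float
    {
        // Character whitelist first: anything outside digits, whitespace,
        // parentheses and the four operators is refused up front.
        if (!preg_match('/^[\d\s().+\-*\/]+$/', $expr)) {
            throw new InvalidArgumentException('Expression contains disallowed characters');
        }
        preg_match_all('/\d+(?:\.\d+)?|[()+\-*\/]/', $expr, $m);
        $p = new self();
        $p->tokens = $m[0];
        $result = $p->parseExpr();
        if ($p->pos !== count($p->tokens)) {
            throw new InvalidArgumentException('Unexpected trailing tokens');
        }
        return $result;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }

    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->next();
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) {
                throw new DomainException('Division by zero');
            }
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    private function parseFactor(): float
    {
        $tok = $this->next();
        if ($tok === null) {
            throw new InvalidArgumentException('Unexpected end of expression');
        }
        if ($tok === '(') {
            $value = $this->parseExpr();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $value;
        }
        if ($tok === '-') {
            return -$this->parseFactor();
        }
        if (is_numeric($tok)) {
            return (float) $tok;
        }
        throw new InvalidArgumentException("Unexpected token '$tok'");
    }
}

$stored   = '(({table1.field1} * {table2.field2}) + {table3.field3})';
$expanded = expandMacros($stored, $fieldValues);            // "((8 * 5) + 3)"
echo $expanded, ' = ', SafeArithmetic::evaluate($expanded), PHP_EOL;

// A stored "equation" that is not pure arithmetic never gets evaluated.
try {
    SafeArithmetic::evaluate('8 * 5; phpinfo()');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The split into two steps matters: `expandMacros` is the only place database content meets the expression, and it substitutes nothing but numbers, while `SafeArithmetic` has no way to call a function or touch a variable, so even a tampered row in the equation table can at worst produce a parse error.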