RE: [PHP] Secure eval();

2002-05-21 Thread Scott Hurring
> -Original Message-
> From: Chris Boget [mailto:[EMAIL PROTECTED]]
> Subject: Re: [PHP] Secure eval();
>
> > Are you sure you have to run it through eval()? It sounds
> like you're
> > creating a query. Couldn't you just create the query
> dynam

Re: [PHP] Secure eval();

2002-05-21 Thread Chris Boget
> Are you sure you have to run it through eval()? It sounds like you're
> creating a query. Couldn't you just create the query dynamically, then put
> it in a mysql_query() function? (or whatever DB you're using) Then, even if
> they try some kung fu on you, it'll just result in a bad query, not s

Re: [PHP] Secure eval();

2002-05-21 Thread 1LT John W. Holmes
bad query, not some rogue code being executed.

---John Holmes...

- Original Message -
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "1LT John W. Holmes" <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 10:17 AM
S

Re: [PHP] Secure eval();

2002-05-21 Thread Chris Boget
> You'll have to come up with a regular expression to check for bad
> characters. How complex are the equations? If they are like your example,
> you can just check that the equation doesn't have any letters and is only
> made up of [0-9+*-/()] characters.

It's pretty complex. What I gave was a

Re: [PHP] Secure eval();

2002-05-21 Thread 1LT John W. Holmes
al Message -
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "PHP General" <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 9:47 AM
Subject: [PHP] Secure eval();

> I need to store equations in a DB for later use. For example,
> something like the following might

[PHP] Secure eval();

2002-05-21 Thread Chris Boget
I need to store equations in a DB for later use. For example, something like the following might appear in one of the fields:

(( 2 * 3 ) + 7 ) / ( 8 / 4 )

So I want to eval() *only* equations. However, there is nothing stopping someone from entering in a valid PHP command that accesses the file