Re: [PHP] Secure eval();
You'll have to come up with a regular expression to check for bad characters. How complex are the equations? If they are like your example, you can just check that the equation doesn't have any letters and is only made up of [0-9+*-/()] characters.

---John Holmes...

----- Original Message -----
From: Chris Boget [EMAIL PROTECTED]
To: PHP General [EMAIL PROTECTED]
Sent: Tuesday, May 21, 2002 9:47 AM
Subject: [PHP] Secure eval();

> I need to store equations in a DB for later use. For example, something like the following might appear in one of the fields:
>
> (( 2 * 3 ) + 7 ) / ( 8 / 4 )
>
> So I want to eval() *only* equations. However, there is nothing stopping someone from entering in a valid PHP command that accesses the file system. While only a certain class of user will be able to access the page that allows the input of this equation, there isn't anything to stop them from entering malicious code. So my question, aside from parsing the value of the field, is there any way to run eval so that it won't run system commands? So that it will only run mathematical equations? Has anyone already come up with this kind of code? Suggestions? Ideas?
>
> thnx,
> Chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Secure eval();
> You'll have to come up with a regular expression to check for bad characters. How complex are the equations? If they are like your example, you can just check that the equation doesn't have any letters and is only made up of [0-9+*-/()] characters.

It's pretty complex. What I gave was a very simplistic example. The numbers are actually going to be table.fieldnames and the values in those fields are going to be referenced to get the actual number used in the equation. However, once I interpolate the fieldnames to numbers I guess I could run the equation against some sort of regex to make sure that it's valid. Hmmm, might be easier than I thought. Thanks for the input!

Chris
Re: [PHP] Secure eval();
Are you sure you have to run it through eval()? It sounds like you're creating a query. Couldn't you just create the query dynamically, then put it in a mysql_query() function? (or whatever DB you're using) Then, even if they try some kung fu on you, it'll just result in a bad query, not some rogue code being executed.

---John Holmes...

----- Original Message -----
From: Chris Boget [EMAIL PROTECTED]
To: 1LT John W. Holmes [EMAIL PROTECTED]; PHP General [EMAIL PROTECTED]
Sent: Tuesday, May 21, 2002 10:17 AM
Subject: Re: [PHP] Secure eval();

> > You'll have to come up with a regular expression to check for bad characters. How complex are the equations? If they are like your example, you can just check that the equation doesn't have any letters and is only made up of [0-9+*-/()] characters.
>
> It's pretty complex. What I gave was a very simplistic example. The numbers are actually going to be table.fieldnames and the values in those fields are going to be referenced to get the actual number used in the equation. However, once I interpolate the fieldnames to numbers I guess I could run the equation against some sort of regex to make sure that it's valid. Hmmm, might be easier than I thought. Thanks for the input!
>
> Chris
Re: [PHP] Secure eval();
> Are you sure you have to run it through eval()? It sounds like you're creating a query. Couldn't you just create the query dynamically, then put it in a mysql_query() function? (or whatever DB you're using) Then, even if they try some kung fu on you, it'll just result in a bad query, not some rogue code being executed.

Try some kung fu? Never heard it put like that before. :P

I am kind of creating a query. The equation is going to look something like this:

(({table1.field1} * {table2.field2}) + {table3.field3})

Then I'm going to get the values in those fields and parse the above as if they were macros (which, in a sense, they are). That could yield something like:

((8 * 5) + 3)

and it is that equation that I'm going to need to eval. So I don't think I'll be able to do this in a query.

Chris
RE: [PHP] Secure eval();
-----Original Message-----
From: Chris Boget [mailto:[EMAIL PROTECTED]]
Subject: Re: [PHP] Secure eval();

> > Are you sure you have to run it through eval()? It sounds like you're creating a query. Couldn't you just create the query dynamically, then put it in a mysql_query() function? (or whatever DB you're using) Then, even if they try some kung fu on you, it'll just result in a bad query, not some rogue code being executed.
>
> Try some kung fu? Never heard it put like that before. :P
>
> I am kind of creating a query. The equation is going to look something like this:
>
> (({table1.field1} * {table2.field2}) + {table3.field3})
>
> Then I'm going to get the values in those fields and parse the above as if they were macros (which, in a sense, they are). That could yield something like:
>
> ((8 * 5) + 3)
>
> and it is that equation that I'm going to need to eval. So I don't think I'll be able to do this in a query.
>
> Chris

Make sure you check if the tables are valid and present in the database.

But like others have suggested, you should *really* look for a better way to do this. Putting text into a database and then blindly eval()'ing it later on is just begging for trouble.

---
Scott Hurring
Systems Programmer
EAC Corporation
[EMAIL PROTECTED]
Voice: 201-462-2149
Fax: 201-288-1515
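As an added example, not written by anyone in this thread, here is one way to do what the thread circles around without ever handing stored text to eval(): resolve the {table.field} macros from a map the application builds from its own queries, apply the character whitelist suggested in the first reply (with the hyphen escaped so the class lists exactly those characters), and then compute the result with a small recursive-descent parser that understands only numbers, + - * / and parentheses. The SafeEquation class, the field map and the sample values are all constructed for this example; it assumes PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Added example: evaluate a stored equation without eval().
// Only numbers, + - * / and parentheses survive to the evaluator, so a
// non-arithmetic string is rejected instead of being executed.
final class SafeEquation
{
    private string $src;
    private int $pos = 0;

    private function __construct(string $src) { $this->src = $src; }

    /** @param array<string,float|int|string> $fieldValues map of "table.field" => value */
    public static function evaluate(string $equation, array $fieldValues): float
    {
        // 1. Replace each {table.field} with a parenthesised decimal literal.
        //    Names missing from the application-supplied map are rejected.
        $resolved = preg_replace_callback(
            '/\{([A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*)\}/',
            static function (array $m) use ($fieldValues): string {
                if (!array_key_exists($m[1], $fieldValues)) {
                    throw new InvalidArgumentException("Unknown field reference: {$m[1]}");
                }
                return sprintf('(%.10F)', (float) $fieldValues[$m[1]]);
            },
            $equation
        ) ?? throw new RuntimeException('Macro substitution failed');

        // 2. Character whitelist (the check suggested in the thread); the hyphen
        //    is escaped so the class does not silently contain a range.
        if (preg_match('/^[0-9.+\-*\/()\s]*\z/', $resolved) !== 1) {
            throw new InvalidArgumentException('Equation contains non-arithmetic characters');
        }

        // 3. Parse and compute; eval() is never involved.
        $p = new self($resolved);
        $value = $p->expr();
        if ($p->peek() !== '') {
            throw new InvalidArgumentException('Unexpected input at offset ' . $p->pos);
        }
        return $value;
    }

    // Next non-blank character without consuming it ('' at end of input).
    private function peek(): string
    {
        $this->pos += strspn($this->src, " \t\r\n", $this->pos);
        return $this->pos < strlen($this->src) ? $this->src[$this->pos] : '';
    }

    // expr := term (('+' | '-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->term();
            $v = ($op === '+') ? $v + $rhs : $v - $rhs;
        }
        return $v;
    }

    // term := factor (('*' | '/') factor)*
    private function term(): float
    {
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->factor();
            if ($op === '/' && $rhs == 0.0) {
                throw new DivisionByZeroError('Division by zero in stored equation');
            }
            $v = ($op === '*') ? $v * $rhs : $v / $rhs;
        }
        return $v;
    }

    // factor := number | '(' expr ')' | '-' factor
    private function factor(): float
    {
        $c = $this->peek();
        if ($c === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if ($c === '-') {
            $this->pos++;
            return -$this->factor();
        }
        if (preg_match('/\G[0-9]+(?:\.[0-9]+)?/', $this->src, $m, 0, $this->pos) === 1) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException('Expected a number at offset ' . $this->pos);
    }
}

// Constructed sample values standing in for the rows fetched from the DB.
$values = ['table1.field1' => 8, 'table2.field2' => 5, 'table3.field3' => 3];

echo SafeEquation::evaluate('(({table1.field1} * {table2.field2}) + {table3.field3})', $values), "\n";
echo SafeEquation::evaluate('(( 2 * 3 ) + 7 ) / ( 8 / 4 )', $values), "\n";

try {
    SafeEquation::evaluate('{table1.field1} + x', $values); // a letter is not arithmetic
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The whitelist on its own is defence in depth; the guarantee comes from the grammar, which has no production for function calls, variables or strings, so whatever is stored in the field can only ever yield a number or an exception. Resolving macros into parenthesised literals before parsing also means a negative or fractional field value is carried through correctly rather than being spliced into the surrounding text.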