For the parse error it probably should be eval("$result = $equation;"); (Note the ending semicolon).
The security risks are huge. Say your code is $equation = "$_POST['n1'] + $_POST['n2']";. With some simple code injection a hacker can have complete access to your server.
someberry wrote: Edit: Woo, got it working, the $result needed to be \$result
Oops, sorry about missing that.
Remember about the security issues. In the example I gave $equation = "$_POST['n1'] + $_POST['n2']"; if for example n1 is "1" and n2 is "1; exec('somedangerourprogram arg arg');" ... well, hopefully you can see the potential for trouble.
What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Anything with variables in it can be a potential point. There may be an attack based on some (unknown) flaw in the integer or floating point handling built in as well. It's best to use a math expression parser.
someberry wrote:What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Any global variable and any of PHP's $_ superglobals.
So basically, if I do a preg function on it to make sure it doesn't have any (super)globals, then it would be, for lack of better words, okay?
someberry wrote: So basically, if I do a preg function on it to make sure it doesn't have any (super)globals, then it would be, for lack of better words, okay?
The more you do the better on the security front (even if you don't think you need it). But something like this would be better:
$equation = '';
if (isset($_POST['n1']) && isset($_POST['n2'])) {
    // Cast to integers so nothing but digits can ever reach eval()
    $n1 = intval($_POST['n1']);
    $n2 = intval($_POST['n2']);
    // Check that $n1 and $n2 are valid values for your equation (e.g. div by 0)
    if (is_int($n1) && is_int($n2)) {
        $equation = "$n1 + $n2";
    }
}
if ($equation != '') {
    // Only the sanitised, integer-only string is evaluated
    eval("\$result = $equation;");
} else {
    // deal with error
}
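The earlier reply recommends a math expression parser instead of eval(). As an added example that is not code from this thread (it assumes PHP 7.4 or newer and a hypothetical class name SafeCalculator), here is a small recursive-descent evaluator for + - * / and parentheses. Because it only ever tokenises digits and operators, the injection string quoted above is rejected before anything resembling PHP code is executed; the form handler would build "$n1 + $n2" from the posted fields and pass that string to it.

```php
<?php
// Added example, not from the thread: evaluate arithmetic without eval().
// Grammar:  expression := term (('+'|'-') term)*
//           term       := factor (('*'|'/') factor)*
//           factor     := number | '(' expression ')' | '-' factor
final class SafeCalculator
{
    private array $tokens;
    private int $pos = 0;

    public static function evaluate(string $expr): float
    {
        $calc = new self($expr);
        $value = $calc->parseExpression();
        if ($calc->pos !== count($calc->tokens)) {
            throw new InvalidArgumentException('Unexpected input after expression');
        }
        return $value;
    }

    private function __construct(string $expr)
    {
        $expr = preg_replace('/\s+/', '', $expr);
        // Whitelist: digits, dot, the four operators and parentheses. Anything
        // else (letters, quotes, semicolons, $ signs) is refused outright.
        if (!preg_match('/^[0-9.+\-*\/()]*$/', $expr)) {
            throw new InvalidArgumentException('Illegal character in expression');
        }
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        $this->tokens = $m[0];
        // A stray "." (e.g. "1..2") would be silently dropped by the regex;
        // comparing the re-joined tokens with the input catches that.
        if (implode('', $this->tokens) !== $expr) {
            throw new InvalidArgumentException('Malformed number in expression');
        }
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }

    private function next(): string
    {
        $tok = $this->peek();
        if ($tok === null) {
            throw new InvalidArgumentException('Unexpected end of expression');
        }
        $this->pos++;
        return $tok;
    }

    private function parseExpression(): float
    {
        $value = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->next();
            $rhs = $this->parseTerm();
            $value = ($op === '+') ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $rhs = $this->parseFactor();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new DivisionByZeroError('Division by zero');
                }
                $value /= $rhs;
            } else {
                $value *= $rhs;
            }
        }
        return $value;
    }

    private function parseFactor(): float
    {
        $tok = $this->next();
        if ($tok === '(') {
            $value = $this->parseExpression();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $value;
        }
        if ($tok === '-') {
            return -$this->parseFactor();
        }
        if (is_numeric($tok)) {
            return (float) $tok;
        }
        throw new InvalidArgumentException("Unexpected token '$tok'");
    }
}

// Constructed sample inputs: two ordinary calculations, the injection string
// quoted earlier in the thread, and a division by zero.
$inputs = [
    '1 + 1',
    '(2 + 3) * 4 - 10 / 2',
    "1; exec('somedangerourprogram arg arg')",
    '1 / 0',
];
foreach ($inputs as $in) {
    try {
        printf("%-45s => %s\n", $in, SafeCalculator::evaluate($in));
    } catch (Throwable $e) {
        printf("%-45s => rejected (%s)\n", $in, $e->getMessage());
    }
}
```

The whitelist regex in the constructor is the actual security boundary: it is checked before parsing starts, so a malformed expression can only produce an exception, never a call into PHP. The intval() approach in the reply above is fine when the two operands are the only user input; the parser is for the case where the whole expression comes from the user.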