String equation [SOLVED]



someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am


Post by someberry »

I don't think this is possible, but can you execute an equation if it is a string? For instance:

Code: Select all

$equation = "(20/4)*10"; // Set the equation

// Do some function which will evaluate the string
echo some_function($equation); // Output: 50
Thanks.
Last edited by someberry on Wed Feb 01, 2006 12:47 pm, edited 1 time in total.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Be careful using eval() because it is a security risk. Do not use it with data passed from a user unless you know the security risks.

Code: Select all

function some_function($equation) {
    eval("$result = $equation");
    return $result;
}
(#10850)

Post by someberry »

I get a parse error :(
Parse error: syntax error, unexpected '=' in J:\localhost\htdocs\_debug_tmp.php(64) : eval()'d code on line 1
And what security risks could I protect against?

Post by Christopher »

For the parse error it probably should be eval("$result = $equation;"); (Note the ending semicolon).

The security risks are huge. Say your code is $equation = "$_POST['n1'] + $_POST['n2']";. With some simple code injection a hacker can have complete access to your server.

Post by someberry »

Exactly the same error :(

I am going to be doing security checks upon the data in the $equation, so there won't be any nasties in there; I just need to get it working first :)

Edit: Woo, got it working, the $result needed to be \$result :)

Thanks for all your help.

Post by Christopher »

someberry wrote:Edit: Woo, got it working, the $result needed to be \$result :)
Oops, sorry about missing that.

Remember about the security issues. In the example I gave, $equation = "$_POST['n1'] + $_POST['n2']";, if for example n1 is "1" and n2 is "1; exec('somedangerousprogram arg arg');" ... well, hopefully you can see the potential for trouble.
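The injection Christopher describes, as an added example that is not code from the thread: the same "$n1 + $n2" string fed to eval(), with a harmless define() standing in for the exec() call so that the effect of the appended statement can be seen. The function name unsafe_add and the INJECTED constant are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread: the eval() pattern Christopher
// describes, with a harmless marker standing in for exec() so the effect is
// visible. This is the vulnerable form; it exists only to show the problem.
declare(strict_types=1);

/**
 * Builds "$n1 + $n2" from two request strings and eval()s it, as in the thread.
 * Everything in $n1 and $n2 is compiled and run as PHP source.
 */
function unsafe_add(string $n1, string $n2)
{
    $equation = "$n1 + $n2";
    eval("\$result = $equation;");   // \$result and the trailing ';' as fixed in the thread
    return $result;
}

// Normal request: both operands are numbers and the sum comes back as expected.
var_dump(unsafe_add('1', '1'));

// Hostile request (constructed): n2 closes the assignment with ';' and appends
// a second statement. The thread's example appends exec(...); here the appended
// code only defines a constant, which is enough to prove it executed.
$n2 = "1; define('INJECTED', true)";
var_dump(unsafe_add('1', $n2));   // the sum comes back unchanged, so nothing looks wrong
var_dump(defined('INJECTED'));    // reports whether the injected statement ran

// Swap define() for exec(), file_put_contents() or include and the request can
// do whatever the web server's user is allowed to do.
```

Run it with php on the command line: the second unsafe_add() call returns the same sum as the first, which is exactly why this class of bug goes unnoticed, while defined('INJECTED') shows that the attacker's statement ran inside the eval().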
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Be VERY careful when using eval(), so careful in fact that it is HIGHLY recommended you do NOT allow ANY user input to be passed to it as an argument.

However, for this instance you can whitelist the allowed characters:

Code: Select all

<?php

// Whitelist: digits, + - * / and parentheses only. Anything else (letters, '$', ';', quotes) fails the match and never reaches eval().
if (preg_match('#^[/\+\*\-0-9\(\)]+$#', $equation)) {
    eval("\$result = $equation;");
}

?>

Post by someberry »

What particular bits of code should I look out for when using eval()? I know I am only using numbers, which is safe this time, but for future reference :)

Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Anything with variables in it can be a potential point. There may be an attack based on some (unknown) flaw in the integer or floating point handling built in as well. It's best to use a math expression parser.
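The expression parser feyd recommends, as an added example that is not code from the thread (the class name SafeCalc is an assumption). It keeps Jenk's character whitelist as the first gate, then tokenizes and evaluates the expression itself, so no user text is ever handed to eval(). It also rejects two inputs that a character whitelist alone lets through: unbalanced parentheses and division by zero.

```php
<?php
// Added example, not code from the thread: evaluate "(20/4)*10"-style input
// without eval(). The string is checked against a character whitelist (as in
// Jenk's post), tokenized, and computed by a small recursive-descent parser,
// so user text never becomes PHP source. Unbalanced parentheses and division
// by zero, which a whitelist alone lets through, are rejected explicitly.
declare(strict_types=1);

final class SafeCalc
{
    /** @var list<string> */
    private array $tokens = [];
    private int $pos = 0;

    /** Accepts numbers, + - * /, unary minus and parentheses; throws on anything else. */
    public static function evaluate(string $expr): float
    {
        $calc = new self();
        $calc->tokens = self::tokenize($expr);
        $value = $calc->parseExpression();
        if ($calc->pos !== count($calc->tokens)) {
            throw new InvalidArgumentException("Unexpected token '{$calc->tokens[$calc->pos]}'");
        }
        return $value;
    }

    /** @return list<string> */
    private static function tokenize(string $expr): array
    {
        $compact = (string) preg_replace('/\s+/', '', $expr);
        // Character whitelist first: letters, '$', ';', quotes and so on stop here.
        if (!preg_match('/^[0-9.+\-*\/()]+$/', $compact)) {
            throw new InvalidArgumentException('Only digits, . + - * / ( ) are allowed');
        }
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        // Anything the tokenizer could not consume (e.g. "1.2.3" or a lone ".")
        // is an error, not something to skip silently.
        if (implode('', $m[0]) !== $compact) {
            throw new InvalidArgumentException('Malformed number in expression');
        }
        return $m[0];
    }

    // expression := term (('+' | '-') term)*
    private function parseExpression(): float
    {
        $value = $this->parseTerm();
        while (($op = $this->tokens[$this->pos] ?? null) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (($op = $this->tokens[$this->pos] ?? null) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) {
                throw new DivisionByZeroError('Division by zero in expression');
            }
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    // factor := '-' factor | '(' expression ')' | number
    private function parseFactor(): float
    {
        $tok = $this->tokens[$this->pos++] ?? null;
        if ($tok === '-') {
            return -$this->parseFactor();
        }
        if ($tok === '(') {
            $value = $this->parseExpression();
            if (($this->tokens[$this->pos++] ?? null) !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $value;
        }
        if ($tok !== null && is_numeric($tok)) {
            return (float) $tok;
        }
        throw new InvalidArgumentException($tok === null ? 'Unexpected end of expression' : "Unexpected token '$tok'");
    }
}

// Constructed inputs: the thread's example, valid variations, and strings that must be rejected.
$inputs = ['(20/4)*10', '2 + 3 * 4', '-(1.5 + 2.5) * 2', '10 / (5 - 5)', '((1', "1; define('X', 1)", '$_POST', '1.2.3'];
foreach ($inputs as $in) {
    try {
        printf("%-20s => %s\n", $in, SafeCalc::evaluate($in));
    } catch (Throwable $e) {
        printf("%-20s => rejected: %s\n", $in, $e->getMessage());
    }
}
```

Because the parser only ever sees tokens it produced itself, the question "which bits of code should I look out for" no longer arises: there is no code path from the request string to the PHP compiler. The whitelist regex is kept as a cheap first check, but the parser, not the regex, is what guarantees the structure of the expression.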

Post by Christopher »

someberry wrote:What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Any global variable and any of PHP's $_ superglobals.
(#10850)

Post by someberry »

arborint wrote:
someberry wrote:What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Any global variable and any of PHP's $_ superglobals.
So basically, if I do a preg function on it to make sure it doesn't have any (super)globals, then it would be, for lack of better words, okay?

Thanks.

Post by Christopher »

someberry wrote:So basically, if I do a preg function on it to make sure it doesn't have any (super)globals, then it would be, for lack of better words, okay?
The more you do, the better on the security front (even if you don't think you need it). But something like this would be better:

Code: Select all

$equation = '';
if (isset($_POST['n1']) && isset($_POST['n2'])) {
    $n1 = intval($_POST['n1']);
    $n2 = intval($_POST['n2']);
    // Check that $n1 and $n2 are valid values for your equation (e.g. no division by zero)
    $valid = true;
    if ($valid) {
        $equation = "$n1 + $n2";
    }
}
if ($equation != '') {
    eval("\$result = $equation;");
} else {
    // deal with error
}