String equation [SOLVED]
Posted: Wed Feb 01, 2006 12:24 pm
by someberry
I don't think this is possible, but can you execute an equation if it is a string? For instance:
Code:
$equation = "(20/4)*10"; // Set the equation
// Do some function which will evaluate the string
echo some_function($equation); // Output: 50
Thanks.
Posted: Wed Feb 01, 2006 12:28 pm
by Christopher
Be careful using eval() because it is a security risk. Do not use it with data passed from a user unless you know the security risks.
Code:
some_function($equation) {
eval("$result = $equation");
return $result;
}
Posted: Wed Feb 01, 2006 12:34 pm
by someberry
I get a parse error
Parse error: syntax error, unexpected '=' in J:\localhost\htdocs\_debug_tmp.php(64) : eval()'d code on line 1
And what security risks could I protect against?
Posted: Wed Feb 01, 2006 12:40 pm
by Christopher
For the parse error it probably should be eval("$result = $equation;"); (Note the ending semicolon).
The security risks are huge. Say your code is $equation = "$_POST['n1'] + $_POST['n2']";. With some simple code injection a hacker can have complete access to your server.
Posted: Wed Feb 01, 2006 12:44 pm
by someberry
Exactly the same error
I am going to be doing security checks upon the data in the $equation, so there won't be any nasties in there, just need to get it working first
Edit: Woo, got it working, the $result needed to be \$result
Thanks for all your help.
Posted: Wed Feb 01, 2006 2:15 pm
by Christopher
someberry wrote: Edit: Woo, got it working, the $result needed to be \$result

Oops, sorry about missing that.
Remember about the security issues. In the example I gave
$equation = "$_POST['n1'] + $_POST['n2']"; if for example n1 is "1" and n2 is "1; exec('somedangerousprogram arg arg');" ... well, hopefully you can see the potential for trouble.
Posted: Wed Feb 01, 2006 5:36 pm
by Jenk
Be VERY careful when using eval(), so careful in fact that it is HIGHLY recommended you do NOT allow ANY user input to be passed to it as an argument.
However, for this instance you can whitelist the allowed characters.
Code:
<?php
// Only digits, the four arithmetic operators and parentheses may reach eval()
if (preg_match('#^[/\+\*\-0-9\(\)]+$#', $equation)) {
    eval("\$result = $equation;");
}
?>
Posted: Sat Feb 04, 2006 2:43 am
by someberry
What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Thanks.
Posted: Sat Feb 04, 2006 4:48 am
by feyd
Anything with variables in it can be a potential point. There may be an attack based on some (unknown) flaw in the integer or floating point handling built in as well. It's best to use a math expression parser.
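Putting feyd's suggestion (and Jenk's character whitelist above) into code, here is an added example that is not from this thread: a small recursive-descent evaluator in PHP that computes the expression itself, so the string never reaches eval(). The class name SafeMath and its method names are my own choice, and it assumes PHP 7.4 or later for the typed properties.

```php
<?php
// Added example (not from the thread): evaluate "+ - * /", unary minus,
// parentheses and decimal numbers with a recursive-descent parser instead of eval().
final class SafeMath
{
    private string $src;
    private int $pos = 0;

    private function __construct(string $src)
    {
        $this->src = $src;
    }

    /** Evaluate an expression string such as "(20/4)*10". Throws on bad input. */
    public static function evaluate(string $expression): float
    {
        // Cheap first gate, the same idea as the character whitelist: anything
        // outside digits, '.', operators, parentheses and whitespace is refused.
        if (!preg_match('#^[0-9.+\-*/()\s]+$#', $expression)) {
            throw new InvalidArgumentException('Expression contains disallowed characters');
        }
        $p = new self(preg_replace('/\s+/', '', $expression));
        $value = $p->parseExpr();
        // The whole string must have been consumed, so "2 3" or "(1))" are rejected.
        if ($p->pos !== strlen($p->src)) {
            throw new InvalidArgumentException("Unexpected input at offset {$p->pos}");
        }
        return $value;
    }

    // expr := term (('+' | '-') term)*
    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/') {
                // eval() would let this surface as a runtime error; handle it explicitly.
                if ($rhs == 0.0) {
                    throw new DivisionByZeroError('Division by zero in expression');
                }
                $value /= $rhs;
            } else {
                $value *= $rhs;
            }
        }
        return $value;
    }

    // factor := '-' factor | '(' expr ')' | number
    private function parseFactor(): float
    {
        $c = $this->peek();
        if ($c === '-') {
            $this->pos++;
            return -$this->parseFactor();
        }
        if ($c === '(') {
            $this->pos++;
            $value = $this->parseExpr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException("Missing ')' at offset {$this->pos}");
            }
            $this->pos++;
            return $value;
        }
        // \G anchors the match at the current offset; only plain decimals are accepted.
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException("Expected a number at offset {$this->pos}");
    }

    private function peek(): ?string
    {
        return $this->src[$this->pos] ?? null;
    }
}

// Constructed inputs: the thread's own example plus cases eval() would not handle safely.
foreach (['(20/4)*10', '-(3+4)*2', '10/(5-5)', '1; exec("x")', '2*(3'] as $input) {
    try {
        echo $input, ' = ', SafeMath::evaluate($input), "\n";
    } catch (Throwable $e) {
        echo $input, ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

The regex gate alone is not enough: it lets "10/(5-5)" and "2*(3" through, and under eval() those become a runtime error and a parse error respectively. The parser turns both into ordinary exceptions, and because it only ever produces numbers there is no code path for injected PHP to run.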
Posted: Sat Feb 04, 2006 12:10 pm
by Christopher
someberry wrote: What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Any global variable and any of PHP's $_ superglobals.
Posted: Sat Feb 04, 2006 4:32 pm
by someberry
arborint wrote: someberry wrote: What particular bits of code should I look out for when using eval()? I know I am only using numbers which is safe for this time, but for future reference
Any global variable and any of PHP's $_ superglobals.
So basically, if I do a preg function on it to make sure it doesn't have any (super)globals, then it would be, for lack of better words, okay?
Thanks.
Posted: Sat Feb 04, 2006 7:34 pm
by Christopher
someberry wrote: So basically, if I do a preg function on it to make sure it doesn't have any (super)globals, then it would be, for lack of better words, okay?
The more you do the better on the security front (even if you don't think you need it). But something like this would be better:
Code:
$equation = '';
if (isset($_POST['n1']) && isset($_POST['n2'])) {
    // intval() guarantees the operands are integers, not arbitrary text
    $n1 = intval($_POST['n1']);
    $n2 = intval($_POST['n2']);
    $valid = true; // replace with your own check that $n1 and $n2 are valid values for your equation (e.g. div by 0)
    if ($valid) {
        $equation = "$n1 + $n2";
    }
}
if ($equation != '') {
    // eval
} else {
    // deal with error
}