I really have to use eval()

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


AlejoR
Forum Newbie
Posts: 6
Joined: Wed Apr 22, 2009 1:39 pm
Location: Colombia

I really have to use eval()

Post by AlejoR »

Hi, I really have to use eval() in my project, so what can I do to mitigate the risk?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: I really have to use eval()

Post by Benjamin »

Post your code.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: I really have to use eval()

Post by Christopher »

AlejoR wrote: Hi, I really have to use eval() in my project,
Unless it is a class assignment requiring eval() you probably don't. ;)
AlejoR wrote: so what can I do to mitigate the risk?
Nothing evaluated can come from anyone but you.
(#10850)
AlejoR
Forum Newbie
Posts: 6
Joined: Wed Apr 22, 2009 1:39 pm
Location: Colombia

Re: I really have to use eval()

Post by AlejoR »

Of course, I'd like to find a different way, perhaps you could help me.

I have to allow my administrator users to configure the description of a payment bill like this (for example):

Description: 'Check Number: ' . $document_to_pay . ' to ' . $client['name']
They fill this in a text box and I save it to the field description_expression of a MySQL table.

Later when the payment process is executed I do this:

Code:

$document_to_pay='1234';
$client_id='0001';
// list() must wrap the variable, not the assignment
list($configured_bill_id) = mysql_fetch_row(mysql_query("select bill_id from documents_to_pay where document_id = '$document_to_pay'"));
list($description_expression) = mysql_fetch_row(mysql_query("select description_expression from payment_bills where bill_id = '$configured_bill_id'"));
$client = mysql_fetch_assoc(mysql_query("select name,address... from clients where client_id = '$client_id'"));
eval('$description = '.$description_expression.';');
echo $description;  // Check Number: 1234 to Jhon Connor
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: I really have to use eval()

Post by Christopher »

That is some of the wackiest PHP I have seen in a while. ;)

I think I would allow them to just enter template tags then do something like this:

Code:

// this string is what admins would enter. It can contain any tags you want to support
$description_template = 'Check Number: {document_to_pay} to {client_name}';
// you can call str_replace() multiple times or pass arrays
echo str_replace(array('{document_to_pay}', '{client_name}'), array($document_to_pay, $client['name']), $description_template);
(#10850)
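The tag-substitution approach from the reply above, worked through as an added example (this is not code from the thread or from any of its posters). It adds the two checks a practitioner would want around it: the template is validated against an explicit whitelist of tag names when the admin saves it, and rendering uses a single-pass strtr() so a substituted value can never be expanded a second time. The tag names and the sample data are assumptions chosen to mirror the variables in the thread.

```php
<?php
// Added example: whitelisted template tags instead of eval().
// Whatever an admin types is treated as text, never as PHP.

/** The only tags an admin may use in a description template (assumed names). */
const ALLOWED_TAGS = ['document_to_pay', 'client_name', 'client_address'];

/**
 * Run this when the admin saves a template: returns every {tag} that is
 * not on the whitelist. An empty array means the template is acceptable.
 */
function unknownTags(string $template): array
{
    preg_match_all('/\{([a-z_]+)\}/', $template, $m);
    return array_values(array_diff(array_unique($m[1]), ALLOWED_TAGS));
}

/**
 * Render a template with the values computed by the application.
 * The template string itself is never executed; "{client_name}" can only
 * ever become the value stored under $values['client_name'].
 */
function renderDescription(string $template, array $values): string
{
    $unknown = unknownTags($template);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown tags: ' . implode(', ', $unknown));
    }

    $replacements = [];
    foreach (ALLOWED_TAGS as $tag) {
        // A missing value renders as empty rather than leaving a raw tag behind.
        $replacements['{' . $tag . '}'] = (string) ($values[$tag] ?? '');
    }

    // strtr() with an array replaces in one pass over the input, so a value
    // that itself contains "{client_name}" is not expanded again.
    return strtr($template, $replacements);
}

// Constructed sample data standing in for the rows the thread loads from MySQL.
$template = 'Check Number: {document_to_pay} to {client_name}';
$values   = ['document_to_pay' => '1234', 'client_name' => 'Jhon Connor'];

echo renderDescription($template, $values), "\n";

// A template referring to a tag that was never whitelisted is rejected at
// save time, before it can reach the rendering step.
try {
    renderDescription('Check Number: {document_to_pay} paid by {operator}', $values);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Note that str_replace() with arrays, as in the reply, performs the replacements one after another, so the output of an earlier replacement is visible to later ones; strtr() avoids that ordering question, which matters once client names come from data you do not control.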
AlejoR
Forum Newbie
Posts: 6
Joined: Wed Apr 22, 2009 1:39 pm
Location: Colombia

Re: I really have to use eval()

Post by AlejoR »

Thanks, yes, you're right.
And what about when I have to do calculations?

Value to calc:
$v_valor = $datoslab['sueldoac'];
$v_cantidad = $datoslab['diastrab'];
$v_sueldo = $v_valor/30*$v_cantidad;
$v_valor = round($v_sueldo,0);

I save this in field expression_for_valor.

$datoslab comes from a database;

And later I'd extract expression_for_valor and I'd do
eval($expression_to_calc);
echo $valor; // 1,350,000

Forgive my stupidity.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: I really have to use eval()

Post by kaisellgren »

8O

...

How about

Code:

$holder = 'description';
$$holder = $description_expression;
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: I really have to use eval()

Post by Christopher »

AlejoR wrote: Thanks, yes, you're right.
And what about when I have to do calculations?

Value to calc:
$v_valor = $datoslab['sueldoac'];
$v_cantidad = $datoslab['diastrab'];
$v_sueldo = $v_valor/30*$v_cantidad;
$v_valor = round($v_sueldo,0);

I save this in field expression_for_valor.

$datoslab comes from a database;

And later I'd extract expression_for_valor and I'd do
eval($expression_to_calc);
echo $valor; // 1,350,000

Forgive my stupidity.
You do the calculations and replace any tags with values that you want to make available. So you could replace "{valor}" with $v_valor. You make available all values that admins need to display.

Also, don't put values in a string and then eval them to use later. Pass them or calculate them as needed.
(#10850)
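For the calculation case, the advice above is to do the arithmetic in your own code and expose only results as tags. Where the formula itself genuinely has to be admin-configurable, the usual replacement for eval() is a tiny evaluator that accepts only arithmetic. The following is an added example (not code from the thread or its posters) of such a restricted evaluator: it accepts numbers, {tag} placeholders for whitelisted variables, + - * /, parentheses and round(), and rejects anything else before computing. The variable names sueldoac and diastrab and the sample row are assumptions mirroring $datoslab in the thread; it assumes PHP 7.4 or later.

```php
<?php
// Added example: a restricted arithmetic evaluator for stored formulas such as
//   round({sueldoac} / 30 * {diastrab})
// so the expression can live in the database without ever being passed to eval().

final class SafeCalc
{
    /** @var string[] */
    private array $tokens = [];
    private int $pos = 0;
    /** @var array<string, int|float> whitelisted variables the formula may read */
    private array $vars;

    public function __construct(array $vars)
    {
        $this->vars = $vars;
    }

    /** Evaluate $expr; throws InvalidArgumentException on anything not allowed. */
    public function evaluate(string $expr): float
    {
        $this->tokens = $this->tokenize($expr);
        $this->pos = 0;
        $value = $this->parseExpr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException("Unexpected token '" . $this->tokens[$this->pos] . "'");
        }
        return $value;
    }

    /** Split into tokens; any character that is not part of the grammar is rejected. */
    private function tokenize(string $expr): array
    {
        preg_match_all('/\d+(?:\.\d+)?|\{[a-z_]+\}|[a-z]+|[-+*\/()]|\s+|./', $expr, $m);
        $tokens = [];
        foreach ($m[0] as $tok) {
            if (trim($tok) === '') {
                continue;                                  // whitespace
            }
            // Only numbers, {tags}, the function name round, operators and parentheses survive.
            if (!preg_match('/^(?:\d+(?:\.\d+)?|\{[a-z_]+\}|round|[-+*\/()])$/', $tok)) {
                throw new InvalidArgumentException("Not allowed in a formula: '$tok'");
            }
            $tokens[] = $tok;
        }
        return $tokens;
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }

    private function expect(string $tok): void
    {
        if ($this->peek() !== $tok) {
            throw new InvalidArgumentException("Expected '$tok'");
        }
        $this->pos++;
    }

    // expr := term (('+' | '-') term)*
    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op  = $this->tokens[$this->pos++];
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op  = $this->tokens[$this->pos++];
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) {
                throw new InvalidArgumentException('Division by zero');
            }
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    // factor := number | {tag} | '-' factor | '(' expr ')' | 'round' '(' expr ')'
    private function parseFactor(): float
    {
        $tok = $this->peek();
        if ($tok === null) {
            throw new InvalidArgumentException('Unexpected end of formula');
        }
        $this->pos++;
        if ($tok === '-') {
            return -$this->parseFactor();
        }
        if ($tok === '(') {
            $value = $this->parseExpr();
            $this->expect(')');
            return $value;
        }
        if ($tok === 'round') {
            $this->expect('(');
            $value = $this->parseExpr();
            $this->expect(')');
            return round($value);
        }
        if ($tok[0] === '{') {
            $name = substr($tok, 1, -1);
            if (!array_key_exists($name, $this->vars)) {
                throw new InvalidArgumentException("Unknown variable $tok");
            }
            return (float) $this->vars[$name];
        }
        return (float) $tok;                               // a number token
    }
}

// Constructed sample row standing in for $datoslab from the thread.
$datoslab = ['sueldoac' => 1350000, 'diastrab' => 30];
$formula  = 'round({sueldoac} / 30 * {diastrab})';      // what would be stored in expression_for_valor

$calc  = new SafeCalc($datoslab);
$valor = $calc->evaluate($formula);
echo number_format($valor), "\n";

// Any identifier other than round() is refused by the tokenizer, so a formula
// cannot reach arbitrary PHP functions the way an eval()'d string can.
try {
    $calc->evaluate('max({sueldoac}, 0)');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The important property is that the set of things a stored formula can do is closed: the tokenizer decides up front which characters and names are acceptable, and the parser only ever calls round() on a float. Extending the grammar (say with min() or max()) means adding a named case to parseFactor() and to the token whitelist, never widening it to arbitrary identifiers.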