I really have to use eval()
Hi, I really have to use eval() in my project, so what can I do to mitigate the risk?
Re: I really have to use eval()
Post your code.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: I really have to use eval()
AlejoR wrote: Hi, I really have to use eval() in my project,
Unless it is a class assignment requiring eval() you probably don't.
AlejoR wrote: so what can I do to mitigate the risk?
Nothing evaluated can come from anyone but you.
Re: I really have to use eval()
Of course, I'd like to find a different way, perhaps you could help me.
I have to allow my administrator users to configure a description of a payment bill like this (for example):
Description: 'Check Number: ' . $document_to_pay . ' to ' . $client['name']
They fill this in a textbox and I save it to the field description_expression of a MySQL table.
Later when the payment process is executed I do this:
Code:
$document_to_pay = '1234';
$client_id = '0001';
// look up the bill configured for this document, then the admin-entered expression for that bill
list($configured_bill_id) = mysql_fetch_row(mysql_query("select bill_id from documents_to_pay where document_id = '$document_to_pay'"));
list($description_expression) = mysql_fetch_row(mysql_query("select description_expression from payment_bills where bill_id = '$configured_bill_id'"));
$client = mysql_fetch_assoc(mysql_query("select name,address... from clients where client_id = '$client_id'"));
// the stored expression is executed as PHP source
eval('$description = ' . $description_expression . ';');
echo $description; // Check Number: 1234 to Jhon Connor
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: I really have to use eval()
That is some of the wackiest PHP I have seen in a while. 
I think I would allow them to just enter template tags then do something like this:
Code:
// this string is what admins would enter. It can contain any tags you want to support
$description_template = 'Check Number: {document_to_pay} to {client_name}';
// you can call str_replace() multiple times or pass arrays
echo str_replace(array('{document_to_pay}', '{client_name}'), array($document_to_pay, $client['name']), $description_template);
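The tag-substitution approach above, carried a step further as an added example (this is not Christopher's code or anything from the thread): the template is restricted to an allowlist of tags, unknown tags are refused when the template is rendered, and a template that contains PHP code is printed as text rather than executed. The function name render_description and the sample data are constructed for the example.

```php
<?php
// Added example (not from the thread): render an admin-supplied template with
// an allowlist of {tag} placeholders. The template is data, never PHP source,
// so code typed into it is echoed back instead of run.

/**
 * @param string $template admin-entered text containing {tag} placeholders
 * @param array  $values   tag name => value; only these tags can be used
 */
function render_description(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($values): string {
            // Refuse tags that were never exposed; this also catches typos
            // at the moment an admin saves the template.
            if (!array_key_exists($m[1], $values)) {
                throw new InvalidArgumentException('Unsupported tag {' . $m[1] . '}');
            }
            return (string) $values[$m[1]];
        },
        $template
    );
}

// Constructed sample data standing in for the rows loaded from MySQL.
$document_to_pay = '1234';
$client          = ['name' => 'Jhon Connor'];
$v_valor         = round(1350000 / 30 * 30, 0);   // calculation done in code, not in the template

// Only the values you decide to expose are reachable from the template.
$values = [
    'document_to_pay' => $document_to_pay,
    'client_name'     => $client['name'],
    'valor'           => number_format($v_valor),
];

$template = 'Check Number: {document_to_pay} to {client_name} ({valor})';
echo render_description($template, $values), "\n";
// Check Number: 1234 to Jhon Connor (1,350,000)

// Under eval() this string would have executed PHP; here it is plain text.
$hostile = "Check Number: {document_to_pay}' . phpinfo() . '";
echo render_description($hostile, $values), "\n";
// Check Number: 1234' . phpinfo() . '

// A tag that was never exposed is rejected, not silently emptied.
try {
    render_description('{client_password}', $values);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Unsupported tag {client_password}
}
```

Validating the template with the same function at save time (against the full list of supported tags) means a bad template is reported to the admin rather than failing during the payment run.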
Re: I really have to use eval()
Thanks, yes, you're right.
And what about when I have to do calculations?
Value to calc:
$v_valor = $datoslab['sueldoac'];
$v_cantidad = $datoslab['diastrab'];
$v_sueldo = $v_valor / 30 * $v_cantidad;
$v_valor = round($v_sueldo, 0);
I save this in the field expression_for_valor.
$datoslab comes from a database.
And later I'd extract expression_for_valor and I'd do
eval($expression_for_valor);
echo $v_valor; // 1,350,000
Forgive my stupidity.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: I really have to use eval()
AlejoR wrote:
Thanks, yes, you're right.
And what about when I have to do calculations?
Value to calc:
$v_valor = $datoslab['sueldoac'];
$v_cantidad = $datoslab['diastrab'];
$v_sueldo = $v_valor / 30 * $v_cantidad;
$v_valor = round($v_sueldo, 0);
I save this in the field expression_for_valor.
$datoslab comes from a database.
And later I'd extract expression_for_valor and I'd do
eval($expression_for_valor);
echo $v_valor; // 1,350,000
Forgive my stupidity.
You do the calculations and replace any tags with values that you want to make available. So you could replace "{valor}" with $v_valor. You make available all values that admins need to display.
Also, don't put values in a string and then eval them to use later. Pass them or calculate them as needed.
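Christopher's advice is to compute values like $v_valor in PHP and only expose the results as tags. If the formula itself genuinely has to be admin-configurable, the eval()-free way to do it is a small parser that accepts nothing but arithmetic over named inputs. The following is an added example, not code from the thread: the SafeFormula class, its grammar (numbers, + - * / and parentheses, allowlisted variables, and an allowlist of functions limited to round and floor) and the sample $datoslab row are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): when the formula itself must be
// admin-configurable, parse it with a small recursive-descent evaluator
// instead of eval(). Only numbers, + - * / ( ), the variables passed in and
// the functions in FUNCS are accepted; anything else raises an exception.

final class SafeFormula
{
    // Allowlisted functions: name in the formula => PHP callable.
    private const FUNCS = ['round' => 'round', 'floor' => 'floor'];

    private array $tokens = [];
    private int $pos = 0;
    private array $vars;

    public function __construct(array $vars) { $this->vars = $vars; }

    public function evaluate(string $formula): float
    {
        $this->tokens = $this->tokenize($formula);
        $this->pos = 0;
        $value = $this->expr();
        if ($this->pos !== count($this->tokens)) $this->fail("unexpected '{$this->tokens[$this->pos]}'");
        return $value;
    }

    private function fail(string $msg): void { throw new InvalidArgumentException("Rejected formula: $msg"); }

    private function tokenize(string $s): array
    {
        $tokens = [];
        for ($i = 0, $n = strlen($s); $i < $n; $i += strlen($m[0])) {
            if (preg_match('/\G\s+/', $s, $m, 0, $i)) continue;   // skip whitespace
            if (!preg_match('/\G(?:\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/(),])/', $s, $m, 0, $i)) {
                $this->fail("illegal character '{$s[$i]}' at offset $i");
            }
            $tokens[] = $m[0];
        }
        return $tokens;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function next(): string
    {
        if ($this->peek() === null) $this->fail('unexpected end of formula');
        return $this->tokens[$this->pos++];
    }

    private function expect(string $t): void
    {
        if ($this->next() !== $t) $this->fail("expected '$t'");
    }

    // expr := term (('+' | '-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }

    // term := factor (('*' | '/') factor)*
    private function term(): float
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            if ($this->next() === '*') { $v *= $this->factor(); continue; }
            $d = $this->factor();
            if ($d == 0.0) $this->fail('division by zero');
            $v /= $d;
        }
        return $v;
    }

    // factor := '-' factor | '(' expr ')' | number | variable | func '(' expr {',' expr} ')'
    private function factor(): float
    {
        $t = $this->next();
        if ($t === '-') return -$this->factor();
        if ($t === '(') { $v = $this->expr(); $this->expect(')'); return $v; }
        if (is_numeric($t)) return (float) $t;
        if (!preg_match('/^[A-Za-z_]/', $t)) $this->fail("unexpected '$t'");
        if ($this->peek() === '(') {                       // function call
            if (!isset(self::FUNCS[$t])) $this->fail("function not allowed: $t");
            $this->next();
            $args = [$this->expr()];
            while ($this->peek() === ',') { $this->next(); $args[] = $this->expr(); }
            $this->expect(')');
            return (float) (self::FUNCS[$t])(...$args);
        }
        if (!array_key_exists($t, $this->vars)) $this->fail("unknown variable: $t");
        return (float) $this->vars[$t];
    }
}

// Constructed sample row standing in for $datoslab loaded from the database.
$datoslab = ['sueldoac' => 1350000, 'diastrab' => 30];
$calc = new SafeFormula(['sueldoac' => $datoslab['sueldoac'], 'diastrab' => $datoslab['diastrab']]);

// What an admin would store in expression_for_valor: a formula, not PHP source.
echo number_format($calc->evaluate('round(sueldoac / 30 * diastrab, 0)')), "\n";   // 1,350,000

// Anything outside the grammar is rejected instead of executed.
foreach (['phpinfo()', 'sueldoac + $bonus', 'other_column * 2'] as $bad) {
    try {
        $calc->evaluate($bad);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The class never hands the formula string to the PHP engine: every function call goes through the FUNCS allowlist and every identifier must already be in the array of values you chose to expose, which is the same "nothing evaluated can come from anyone but you" rule applied to the calculation case.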