
I really have to use eval()

Posted: Wed Apr 22, 2009 3:51 pm
by AlejoR
Hi, I really have to use eval() in my project, so what can I do to mitigate the risk?

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 4:11 pm
by Benjamin
Post your code.

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 5:21 pm
by Christopher
AlejoR wrote: Hi, I really have to use eval() in my project,
Unless it is a class assignment requiring eval() you probably don't. ;)
AlejoR wrote: so what can I do to mitigate the risk?
Nothing evaluated can come from anyone but you.

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 6:44 pm
by AlejoR
Of course I'd like to find a different way; perhaps you could help me.

I have to allow my administrator users to configure a description of a payment bill like this (for example):

Description: 'Check Number: ' . $document_to_pay . ' to ' . $client['name']
They fill this in a textbox and I save it to the field description_expression of a MySQL table.

Later when the payment process is executed I do this:

Code:

$document_to_pay = '1234';
$client_id = '0001';
// each query returns one row; list() takes its first column
list($configured_bill_id) = mysql_fetch_row(mysql_query("select bill_id from documents_to_pay where document_id = '$document_to_pay'"));
list($description_expression) = mysql_fetch_row(mysql_query("select description_expression from payment_bills where bill_id = '$configured_bill_id'"));
$client = mysql_fetch_assoc(mysql_query("select name,address... from clients where client_id = '$client_id'"));
// the admin-entered string is compiled and run as PHP
eval('$description = ' . $description_expression . ';');
echo $description;  // Check Number: 1234 to John Connor

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 7:29 pm
by Christopher
That is some of the wackiest PHP I have seen in a while. ;)

I think I would allow them to just enter template tags then do something like this:

Code:

// this string is what admins would enter. It can contain any tags you want to support
$description_template = 'Check Number: {document_to_pay} to {client_name}';
// you can call str_replace() multiple times or pass arrays; nothing in the template is ever executed
echo str_replace(array('{document_to_pay}', '{client_name}'), array($document_to_pay, $client['name']), $description_template);

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 8:03 pm
by AlejoR
Thanks, yes, you're right.
And what about when I have to do calculations?

Value to calc:
$v_valor = $datoslab['sueldoac'];
$v_cantidad = $datoslab['diastrab'];
$v_sueldo = $v_valor/30*$v_cantidad;
$v_valor = round($v_sueldo,0);

I save this in field expression_for_valor.

$datoslab comes from a database;

And later I'd extract expression_for_valor and I'd do
eval($expression_to_calc);
echo $valor; // 1,350,000

Forgive my stupidity.

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 8:09 pm
by kaisellgren
8O

...

How about

Code:

$holder = 'description';
$$holder = $description_expression;

Re: I really have to use eval()

Posted: Wed Apr 22, 2009 9:36 pm
by Christopher
AlejoR wrote: Thanks, yes, you're right.
And what about when I have to do calculations?

Value to calc:
$v_valor = $datoslab['sueldoac'];
$v_cantidad = $datoslab['diastrab'];
$v_sueldo = $v_valor/30*$v_cantidad;
$v_valor = round($v_sueldo,0);

I save this in field expression_for_valor.

$datoslab comes from a database;

And later I'd extract expression_for_valor and I'd do
eval($expression_to_calc);
echo $valor; // 1,350,000

Forgive my stupidity.
You do the calculations and replace any tags with values that you want to make available. So you could replace "{valor}" with $v_valor. You make available all values that admins need to display.

Also, don't put values in a string and then eval them to use later. Pass them or calculate them as needed.
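One way to put both of Christopher's suggestions together (the {tag} template from his earlier reply, and doing the calculation in code and exposing the result as a tag), as an added example that is not code from anyone in the thread. The function names render_template(), salary_for_days() and template_values() are hypothetical, and the sample rows are constructed stand-ins for the mysql_fetch_* results; the arithmetic is the one AlejoR posted (sueldoac / 30 * diastrab, rounded).

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): replace eval() with a tag template.
// Admins store a template such as 'Check Number: {document_to_pay} to {client_name}';
// the code computes every value it is willing to expose and substitutes only
// those tags. Everything else in the template is printed as literal text and
// is never compiled or executed. Function names and sample rows are hypothetical.

/**
 * Substitute {tag} placeholders in $template from $values.
 * With $strict = true an unknown tag throws, so a typo in an admin-entered
 * template surfaces when it is saved rather than printing a stray "{tag}".
 */
function render_template(string $template, array $values, bool $strict = true): string
{
    return preg_replace_callback(
        '/\{([a-z_][a-z0-9_]*)\}/',
        function (array $m) use ($values, $strict): string {
            $tag = $m[1];
            if (!array_key_exists($tag, $values)) {
                if ($strict) {
                    throw new InvalidArgumentException('Unknown template tag {' . $tag . '}');
                }
                return $m[0]; // lenient mode: leave the unknown tag as-is
            }
            return (string) $values[$tag];
        },
        $template
    );
}

/**
 * The calculation the thread stored in expression_for_valor
 * ($v_valor / 30 * $v_cantidad, rounded) lives in code, with a range check
 * on the day count that an eval()'d string would never get.
 */
function salary_for_days(float $monthly_salary, int $days_worked): int
{
    if ($days_worked < 0 || $days_worked > 31) {
        throw new InvalidArgumentException("days_worked out of range: $days_worked");
    }
    return (int) round($monthly_salary / 30 * $days_worked, 0);
}

/**
 * Build the only values a template may reference. This array is the whole
 * surface an administrator can reach: they choose what to display, never what runs.
 */
function template_values(array $document, array $client, array $datoslab): array
{
    $valor = salary_for_days((float) $datoslab['sueldoac'], (int) $datoslab['diastrab']);
    return [
        'document_to_pay' => $document['document_id'],
        'client_name'     => $client['name'],
        'client_address'  => $client['address'],
        'valor'           => number_format($valor), // "1,350,000" style output
    ];
}

// Constructed sample rows standing in for the mysql_fetch_* results in the thread.
$document = ['document_id' => '1234'];
$client   = ['name' => 'John Connor', 'address' => '1 Cyberdyne Way'];
$datoslab = ['sueldoac' => '1500000', 'diastrab' => '27'];
$values   = template_values($document, $client, $datoslab);

// Template an administrator typed into the textbox and that was stored in the table.
$template = 'Check Number: {document_to_pay} to {client_name}, amount {valor}';
echo render_template($template, $values), "\n";
// Check Number: 1234 to John Connor, amount 1,350,000

// The old eval()-style input is now just text: it is echoed verbatim, not run.
$old_style = "'Check Number: ' . \$document_to_pay . ' to ' . \$client['name']";
echo render_template($old_style, $values), "\n";

// A tag the code did not choose to expose is rejected instead of silently passing.
try {
    render_template('Hello {bill_total}', $values);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run render_template() in strict mode on the admin form before saving the template, so an unknown tag is reported to the person who typed it; the payment run can then use the same function and will only ever print values the code put into the array.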