On Thu, 2008-04-10 at 13:15 +0100, Richard Heyes wrote:
> > First post to this list! I'm trying to figure out how to evaluate a
> > string with a mathematical expression and get a result, but without
> > using eval() as I'm accepting user input into the string. I don't just
> > want addition, subtraction, multiplication and division - I'd like to
> > take advantage of other functions like ceil, floor etc.
> >
> > So the string "18-10" should give me 8, "ceil(1/2)*10" should be 10 (if
> > my maths is correct) and the string "18-10;\r\nunlink('/var/www/*');"
> > should not execute.
>
> If you can provide your users with distinct inputs (if it's a form) go
> that route.

Thanks Richard

Unfortunately it's not that simple. The equation sits in a DB and can be anything - e.g. ((([valuation]/[purchaseprice])/100)*100)/[numyears] would be a typical field. [valuation], [purchaseprice] and [numyears] get replaced by relevant fields from user-entered data. But the system is expandable, which means I don't know what the equations, data or fields are going to be beforehand.

I'm working on some kinda preg_replace function to sanitize the data at the moment and then run an eval - arg I hate regexp!

Ideally eval would have some kind of sandboxing option, or you could limit the functions available in an eval.

J

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
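One way to get what J is after without eval(), as an added example (my code, not anything posted in the thread or shipped with PHP): a small parser for PHP 8 that only understands numbers, + - * / and parentheses, `[field]` placeholders resolved from an array, and a fixed table of allowed functions, so the `;` and `unlink` in the original question's third string are rejected by the tokenizer before any PHP function is called. The class name, the function table and the sample field values are my own assumptions.

```php
<?php
// Added example (not code from the thread), PHP 8: a whitelist parser/evaluator so the formula never reaches eval().
final class SafeFormula {
    private const FUNCS = ['ceil' => 1, 'floor' => 1, 'abs' => 1, 'sqrt' => 1, 'round' => 1, 'min' => 2, 'max' => 2];
    private const PREC  = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];   // binary operator precedence
    private array $tokens = []; private int $pos = 0; private array $vars = [];
    public static function evaluate(string $src, array $vars = []): float {
        $p = new self(); $p->vars = $vars; $p->tokens = self::tokenize(trim($src)); $v = $p->parseExpr();
        return $p->pos === count($p->tokens) ? $v : throw new InvalidArgumentException('Unexpected trailing input');
    }
    // Accepted: numbers, [field], a name directly followed by '(', and + - * / ( ) ,. \G keeps the scan contiguous, so anything else (';', quotes, '$', bare words) throws.
    private static function tokenize(string $src): array {
        $re = '/\G\s*(?:(\d+(?:\.\d+)?)|\[([A-Za-z_]\w*)\]|([A-Za-z]+)(?=\()|([-+*\/(),]))/';
        for ($tokens = [], $off = 0; $off < strlen($src); $off += strlen($m[0])) {
            if (!preg_match($re, $src, $m, PREG_UNMATCHED_AS_NULL, $off)) throw new InvalidArgumentException("Bad input at offset $off");
            $tokens[] = match (true) { $m[1] !== null => ['num', (float)$m[1]], $m[2] !== null => ['var', $m[2]],
                                       $m[3] !== null => ['fn', strtolower($m[3])], default => ['op', $m[4]] };
        }
        return $tokens;
    }
    private function parseExpr(int $minPrec = 1): float {   // precedence climbing, left-associative
        $v = $this->parseFactor();
        while (($t = $this->tokens[$this->pos] ?? null) && $t[0] === 'op' && ($prec = self::PREC[$t[1]] ?? 0) >= $minPrec) {
            $this->pos++; $r = $this->parseExpr($prec + 1);   // PHP 8 itself throws DivisionByZeroError on x/0
            $v = match ($t[1]) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }
    private function parseFactor(): float {   // factor := number | [field] | fn(expr, ...) | (expr) | -factor
        $t = $this->tokens[$this->pos++] ?? throw new InvalidArgumentException('Unexpected end of formula');
        if ($t[0] === 'num') return $t[1];
        if ($t[0] === 'var') return (float)($this->vars[$t[1]] ?? throw new InvalidArgumentException("Unknown field [{$t[1]}]"));
        if ($t[0] === 'fn') {
            $arity = self::FUNCS[$t[1]] ?? throw new InvalidArgumentException("Function {$t[1]} is not allowed");
            $this->take('(', true); $args = [$this->parseExpr()];
            while ($this->take(',')) $args[] = $this->parseExpr();
            $this->take(')', true); if (count($args) !== $arity) throw new InvalidArgumentException("{$t[1]} takes $arity argument(s)");
            return (float)($t[1](...$args));   // only reachable with a FUNCS key, never a user-chosen name
        }
        if ($t[1] === '(') { $v = $this->parseExpr(); $this->take(')', true); return $v; }
        if ($t[1] === '-') return -$this->parseFactor();
        throw new InvalidArgumentException("Unexpected '{$t[1]}'");
    }
    private function take(string $op, bool $required = false): bool {   // consume $op if it is the next token
        if (($this->tokens[$this->pos] ?? null) !== ['op', $op]) { if ($required) throw new InvalidArgumentException("Expected '$op'"); return false; }
        $this->pos++; return true;
    }
}
var_dump(SafeFormula::evaluate('ceil(1/2)*10'), SafeFormula::evaluate('((([valuation]/[purchaseprice])/100)*100)/[numyears]', ['valuation' => 300000, 'purchaseprice' => 200000, 'numyears' => 5]));   // constructed sample row
try { SafeFormula::evaluate("18-10;\r\nunlink('/var/www/*');"); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

Because the function names come only from the FUNCS table and the placeholder values only from the array you pass in, the stored equation can change at will without any of it being able to call something other than the listed math functions.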