Jason Norwood-Young wrote:
On Thu, 2008-04-10 at 13:15 +0100, Richard Heyes wrote:
First post to this list! I'm trying to figure out how to evaluate a
string with a mathematical expression and get a result, but without
using eval() as I'm accepting user input into the string. I don't just
want addition, subtraction, multiplication and division - I'd like to
take advantage of other functions like ceil, floor etc.
So the string "18-10" should give me 8, "ceil(1/2)*10" should be 10 (if
my maths is correct) and the string "18-10;\r\nunlink('/var/www/*');"
should not execute.
If you can provide your users with distinct inputs (if it's a form) go
that route.
Thanks Richard
Unfortunately it's not that simple. The equation sits in a DB and can be
anything - eg. ((([valuation]/[purchaseprice])/100)*100)/[numyears]
would be a typical field. [valuation], [purchaseprice] and [numyears]
gets replaced by relevant fields from user-entered data. But the system
is expandable which means I don't know what the equations, data or
fields are going to be beforehand.
I'm working on some kinda preg_replace function to sanitize the data at
the moment and then run an eval - arg I hate regexp! Ideally eval would
have some kind of sandboxing option, or you could limit the functions
available in an eval.
J
you might be able to leverage a call to expr on a bash sell. Just
replace the variables you're expecting with preg_replace or some similar
function.
http://hacktux.com/bashmath
http://sysblogd.wordpress.com/2007/08/26/let-bash-do-the-math-doing-calculations-using-that-bash/
I'm not sure if that's any more secure than eval though.
--
Ray Hauge
www.primateapplications.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
