On Thu, Feb 16, 2012 at 04:37:18PM -0500, Marc Guay wrote:
> > It shouldn't be that hard to parse this type of expression.
>
> I appreciate your concern, and will do my best to validate the input,
> but there are two things:
>
> 1) The application will only be used by selected users.
> and
> 2) The range of possibilities is broader than I indicated. They
> would like to be able to enter conditions of all sorts. i.e.
>
> ($x / $y) > 0.5
> (($a+$b+$c) / $d) < .75
>
> etc.
>
> If you have any suggestions on how to increase the security while
> maintaining the flexibility, I'd be happy to hear it.
>
> Marc

You might try making a list of "dirty words" (in this case, not the
4-letter type, but things you wouldn't want the user to be able to do:
mail() calls, filesystem type calls, etc.).

Another possibility might be to explode the contents of the expression
and run a call to function_exists() on it ... but that might be a tad
too broad as well.

HTH,

Kevin Kinsey

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
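The allow-list alternative to a list of dirty words, as an added example that is not part of this thread: anything that is not a number, a known $variable, an arithmetic or comparison operator, or a parenthesis is rejected before evaluation, and the condition is computed by a small parser instead of being handed to eval(). It assumes PHP 8 and that the permitted variables and their values arrive in $vars; the sample values at the bottom are constructed.

```php
<?php
// Added example (not from the thread): allow-list tokenizer + precedence-climbing parser; PHP 8+.
function tokenize(string $expr, array $vars): array {
    // Only numbers, $names, comparison/arithmetic operators and parentheses are accepted.
    $re = '/\G\s*(?:(\d+\.\d*|\.\d+|\d+)|(\$[A-Za-z_]\w*)|(<=|>=|==|!=|[-+*\/()<>]))/';
    $tokens = [];
    for ($pos = 0, $len = strlen(rtrim($expr)); $pos < $len; $pos += strlen($m[0])) {
        if (!preg_match($re, $expr, $m, 0, $pos)) {   // letters, quotes, ';' etc. stop here
            throw new InvalidArgumentException("Disallowed input at offset $pos");
        }
        if (!empty($m[2]) && !array_key_exists($m[2], $vars)) {
            throw new InvalidArgumentException("Unknown variable $m[2]");
        }
        // A $name is replaced by its value while tokenizing, so it can never name code.
        $tokens[] = !empty($m[3]) ? ['op', $m[3]] : ['num', (float)(!empty($m[2]) ? $vars[$m[2]] : $m[1])];
    }
    return $tokens;
}
function parseExpr(array $t, int &$i, int $minPrec = 1): float|bool {
    static $prec = ['<' => 1, '>' => 1, '<=' => 1, '>=' => 1, '==' => 1, '!=' => 1, '+' => 2, '-' => 2, '*' => 3, '/' => 3];
    $left = parseOperand($t, $i);   // one operand, then absorb operators with precedence >= $minPrec
    while (isset($t[$i]) && $t[$i][0] === 'op' && ($prec[$t[$i][1]] ?? 0) >= $minPrec) {
        $op = $t[$i++][1];
        $right = parseExpr($t, $i, $prec[$op] + 1);   // higher minimum on the right => left-associative
        $left = match ($op) {
            '+' => $left + $right, '-' => $left - $right, '*' => $left * $right, '/' => $left / $right, // /0 throws DivisionByZeroError
            '<' => $left < $right, '>' => $left > $right, '<=' => $left <= $right,
            '>=' => $left >= $right, '==' => $left == $right, '!=' => $left != $right,
        };
    }
    return $left;
}
function parseOperand(array $t, int &$i): float {
    [$kind, $val] = $t[$i++] ?? throw new InvalidArgumentException('Unexpected end of expression');
    if ($kind === 'num') return $val;
    if ($val === '-') return -parseOperand($t, $i);   // unary minus
    if ($val !== '(') throw new InvalidArgumentException("Unexpected token $val");
    $v = parseExpr($t, $i, 2);                        // arithmetic only inside parentheses
    if (($t[$i++] ?? null) !== ['op', ')']) throw new InvalidArgumentException('Missing )');
    return $v;
}
function evaluateCondition(string $expr, array $vars): float|bool {
    $t = tokenize($expr, $vars); $i = 0;
    $result = parseExpr($t, $i);
    if ($i !== count($t)) throw new InvalidArgumentException('Unexpected trailing input');
    return $result;
}
$vars = ['$x' => 3, '$y' => 4, '$a' => 1, '$b' => 2, '$c' => 3, '$d' => 10];   // constructed sample values
var_dump(evaluateCondition('($x / $y) > 0.5', $vars), evaluateCondition('(($a+$b+$c) / $d) < .75', $vars));
try { evaluateCondition('mail("a@example.com", "s", "m") > 0', $vars); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

New operators are added by extending the regex and the precedence table rather than by widening a deny-list, so the set of things a user can do stays exactly what is spelled out there.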