Skippy wrote:
I'm confronted with a somewhat weird problem and hopefully someone can make a
suggestion. I have to perform the following 3-step task:

Step 1. Someone provides a string (let's call it the formatting string) which
contains a PHP expression, which will apply a PHP function on another string,
let's call this one the random string. I don't control either the formatting
nor the random string.

Example of formatting string: "trim('%val%')"

Step 2. As you may have guessed, I have to insert the random string in the
formatting string before I can eval() the latter. So I need to replace %val%
with the random string. But I have to be careful, since the random string may
itself contain either double or single quotes, which will break the eval()
later. So I also need an addslashes().

Operations performed:
$for_eval=str_replace('%val%',addslashes($random),$format);
$for_eval='$final_result='.$for_eval.';';
eval($for_eval);

Step 3. After the above, I should have the formatted string in $final_result.

***

So now for the problem: addslashes() indiscriminately escapes with backslashes
both single and double quotes. String variables can be specified with either
single or double quotes; each of the cases, in turn, will not un-escape the
other type of quote. For example, a string enclosed in double quotes will not
un-escape \' and a string enclosed in single quotes will not un-escape \".


But my addslashes() escaped both types of quotes. And the formatting string
(see step 1) will necessarily have enclosed the string to be (%val%) in only
one of the two types of quotes. So, after all steps are performed, I may very
well be left with either single or double quotes still escaped, depending on
the type of quotes which were used in the formatting string.

I was under the impression that double quote strings will be interpreted as to
unescape single quotes too. However, the manual says they don't do that; they
unescape some common print sequences (such as tab or newline), double quotes
(of course), backslash itself, and octal or hexadecimal expressions. NOT single quotes.

If only I could be sure of the type of quotes which were used in the
formatting string, I could only escape those by hand. But I can't be sure.

Also, I can't forcefully strip slashes from the final result, because I don't
know which sequences that look like escapes are really escapes or are just
legitimate pieces of string.

If only double quote strings would un-escape both types of quotes; they don't,
so their un-escape action is not a 100% reversion of the addslashes() effect.

Any ideas?


Can you use this?

[code]
<?php

// Formatting string from outside - apply a function on a random value
$format_string = 'trim();';

// Random value from outside - may contain quotes /-:
// Leading and trailing spaces for trim() included
$rand_string = <<<eod
 My name is "Bla", I want to do some 'foo'.
eod;

// Before and after - remember string's original length
$strlen_start = strlen($rand_string);

// Replacing all single-quotes with double-quotes
$rand_string = str_replace("'", '"', $rand_string);

// Combine format string with random string
$for_eval = sprintf(
  '%s"%s");',
  substr($format_string, 0, -2),
  addslashes($rand_string)
);

// Save return value of format-random-combo in $final
$for_eval = sprintf('$final = %s', $for_eval);

// Dump and eval
printf('<tt>%s</tt>', $for_eval);
eval($for_eval);

// Before and after - remember string's new length
$strlen_end = strlen($final);

// Results:
printf(
  '<br><tt>before: %d, after: %d</tt>',
  $strlen_start, $strlen_end
);

?>
[/code]


Daniel

--
WWE e-commerce IT GmbH
Eiffestrasse 462, D-20537 Hamburg
Tel.: +49-40-2530659-0, Fax: +49-40-2530659-50
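The underlying problem in the thread is that the random string is spliced into PHP source text before eval() parses it, and addslashes() is not an escaping routine for PHP source: in a double-quoted literal a "$" still interpolates, and the single-to-double quote rewrite above silently changes the value. The added example below (mine, not code from the thread) shows two ways to apply a format string like "trim('%val%')" without the value ever entering the code text. Approach A keeps eval() but replaces the quoted %val% placeholder with a variable reference, so quotes and backslashes in the value are irrelevant; approach B drops eval() entirely, accepts only "name('%val%')" with name from an allowlist, and calls the function directly. The function names, the ALLOWED_FORMATTERS list and the sample inputs are my own assumptions.

```php
<?php
declare(strict_types=1);

// Approach A: keep eval(), but bind the value through a variable instead of
// splicing it into the source. eval() runs in the caller's scope, so the code
// can read $val and assign $final_result.
function apply_format_via_variable(string $format, string $random): string
{
    // Replace the quoted placeholder ('%val%' or "%val%") with a plain
    // variable reference; the value itself never becomes part of the code.
    $code = preg_replace('/([\'"])%val%\1/', '$val', $format, -1, $count);
    if ($count !== 1) {
        throw new InvalidArgumentException('expected exactly one quoted %val% placeholder');
    }
    $val = $random;          // read by the eval()'d expression
    $final_result = null;
    eval('$final_result = ' . $code . ';');
    return (string) $final_result;
}

// Approach B: no eval() at all. Parse "name('%val%')", check the name against
// an allowlist (assumed here; adapt to what the application needs) and call it.
const ALLOWED_FORMATTERS = ['trim', 'strtoupper', 'strtolower', 'ucfirst', 'htmlspecialchars'];

function apply_format_allowlisted(string $format, string $random): string
{
    $re = '/^\s*([A-Za-z_]\w*)\s*\(\s*([\'"])%val%\2\s*\)\s*;?\s*$/';
    if (!preg_match($re, $format, $m)) {
        throw new InvalidArgumentException('unsupported format string: ' . $format);
    }
    $fn = strtolower($m[1]);
    if (!in_array($fn, ALLOWED_FORMATTERS, true)) {
        throw new InvalidArgumentException('function not allowed: ' . $fn);
    }
    return (string) $fn($random);
}

// Constructed sample value (not from the thread): both quote styles, a
// backslash and a dollar sign, each of which breaks or corrupts the
// addslashes()+eval() splice. Leading/trailing spaces exercise trim().
$random  = "  It's \"quoted\", costs \$5 and has a back\\slash  ";
$formats = ["trim('%val%')", 'trim("%val%")', "strtoupper('%val%')"];

foreach ($formats as $format) {
    $a = apply_format_via_variable($format, $random);
    $b = apply_format_allowlisted($format, $random);
    printf("%-22s A=[%s] B=[%s] same=%s\n", $format, $a, $b, $a === $b ? 'yes' : 'no');
}

// Approach B rejects anything that is not a single allowlisted call.
foreach (["str_rot13('%val%')", "trim('%val%') . 'x'"] as $bad) {
    try {
        apply_format_allowlisted($bad, $random);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Approach A only solves the quoting problem; the format string itself is still executed as PHP, so it is only acceptable when whoever supplies the format string is already trusted to run code. When that is not the case, approach B is the one to use: the value is never parsed as code, and the format string can only select a function the application has explicitly permitted.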

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Reply via email to