Are you sure you have to run it through eval()? It sounds like you're
creating a query. Couldn't you just create the query dynamically, then put
it in a mysql_query() function? (or whatever DB you're using) Then, even if
they try some kung fu on you, it'll just result in a bad query, not some
rogue code being executed.

---John Holmes...

----- Original Message -----
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "1LT John W. Holmes" <[EMAIL PROTECTED]>; "PHP General"
<[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 10:17 AM
Subject: Re: [PHP] Secure eval();


> > You'll have to come up with a regular expression to check for bad
> > characters. How complex are the equations? If they are like your example,
> > you can just check that the equation doesn't have any letters and is only
> > made up of [0-9+*-/()] characters.
>
> It's pretty complex.  What I gave was a very simplistic example.  The numbers
> are actually going to be table.fieldnames and the values in those fields are going
> to be referenced to get the actual number used in the equation.  However, once
> I interpolate the fieldnames to numbers I guess I could run the equation against
> some sort of regex to make sure that it's valid.
> hmmm....  Might be easier than I thought.
>
> Thanks for the input!
>
> Chris
>
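The approach sketched in the quoted reply (substitute table.fieldnames with numbers, then whitelist-check the result) can be taken one step further by never calling eval() at all. The following is an added example, not code from either poster: an allow-list lookup for field references, a strict character whitelist, and a small recursive-descent parser that computes the arithmetic itself. The field map, the `interpolateFields`/`isSafeArithmetic` helpers and the `ArithmeticEvaluator` class are all constructed for this illustration.

```php
<?php
// Added example: evaluate a user-supplied formula safely, without eval().
declare(strict_types=1);

/**
 * Replace table.field references with numeric values from an allow-list.
 * A reference that is not a key of $fields is an error, never interpolated.
 */
function interpolateFields(string $expr, array $fields): string
{
    return preg_replace_callback(
        '/\b[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*\b/',
        function (array $m) use ($fields): string {
            if (!array_key_exists($m[0], $fields)) {
                throw new InvalidArgumentException("Unknown field: {$m[0]}");
            }
            $v = $fields[$m[0]];
            if (!is_int($v) && !is_float($v)) {
                throw new InvalidArgumentException("Non-numeric field: {$m[0]}");
            }
            // Parenthesise negatives so "a - t.f" with t.f = -2 still parses.
            return $v < 0 ? '(' . $v . ')' : (string) $v;
        },
        $expr
    );
}

/** Whitelist: digits, decimal point, + - * /, parentheses, whitespace. */
function isSafeArithmetic(string $expr): bool
{
    return preg_match('/^[0-9.+\-*\/() \t]+$/', $expr) === 1;
}

/**
 * Recursive-descent evaluator.
 *   expr   = term (('+'|'-') term)*
 *   term   = factor (('*'|'/') factor)*
 *   factor = number | '(' expr ')' | '-' factor
 */
final class ArithmeticEvaluator
{
    private string $s;
    private int $pos = 0;

    public function __construct(string $expr)
    {
        if (!isSafeArithmetic($expr)) {
            throw new InvalidArgumentException('Expression contains disallowed characters');
        }
        $this->s = preg_replace('/\s+/', '', $expr);
    }

    public function evaluate(): float
    {
        $v = $this->expr();
        if ($this->pos !== strlen($this->s)) {
            throw new InvalidArgumentException('Unexpected input at offset ' . $this->pos);
        }
        return $v;
    }

    private function peek(): string
    {
        return $this->pos < strlen($this->s) ? $this->s[$this->pos] : '';
    }

    private function expr(): float
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->term();
            $v = ($op === '+') ? $v + $rhs : $v - $rhs;
        }
        return $v;
    }

    private function term(): float
    {
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->factor();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new DivisionByZeroError('Division by zero in expression');
                }
                $v /= $rhs;
            } else {
                $v *= $rhs;
            }
        }
        return $v;
    }

    private function factor(): float
    {
        $c = $this->peek();
        if ($c === '-') {                       // unary minus
            $this->pos++;
            return -$this->factor();
        }
        if ($c === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        // \G anchors the match at the current offset.
        if (preg_match('/\G[0-9]+(?:\.[0-9]+)?/', $this->s, $m, 0, $this->pos) === 1) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException('Expected a number at offset ' . $this->pos);
    }
}

// Constructed sample data and formula (not from the thread).
$fields  = ['orders.qty' => 3, 'orders.price' => 19.5, 'orders.discount' => -2];
$formula = 'orders.qty * orders.price + orders.discount';
echo (new ArithmeticEvaluator(interpolateFields($formula, $fields)))->evaluate(), PHP_EOL;

// A formula that smuggles in a function call fails the whitelist before any evaluation.
try {
    new ArithmeticEvaluator(interpolateFields('orders.qty + phpinfo()', $fields));
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the parser only understands numbers, the four operators and parentheses, there is no code path by which attacker-controlled text reaches the PHP interpreter; the whitelist regex is a cheap first filter, and the grammar itself is the real boundary. The same separation applies to John's query suggestion: values go through the database driver's parameter binding, never string-concatenated into SQL.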


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
