On Tuesday 17 April 2007 09:20, Hans wrote:
> Monday, April 16, 2007, 3:00:34 PM, The wrote:
> > 5) As far as Hans' concern about using eval in the math function, I'm
> > pretty sure the function's pattern matching check on the input value
> > will eliminate any possible risk. It is a very nice, concise, and
> > functional bit of code--and it's been asked for by several people over
> > the last few months. Of course, if someone comes up with a better
> > solution, I'd be happy to see it changed.
>
> I would really like someone else's opinion on this.
>
> Is the math function safe?
>
> ~Hans
We are talking about the Cookbook/MarkupExpressionsExtensions recipe, right?

It depends. It is safe in the sense that it will not break anything existing, nor reveal private information, as it allows the eval'd string to contain only numbers and operators. No PHP function can be executed, no internal variable can be printed.

It is not safe because if the expression is not mathematically correct, it will still try to execute it, and this will result in a Fatal Error. Try with {(math '12+(*')}

But you can tell your users not to write such incorrect expressions.

There is a math eval class which, while much more complete and complicated (it even deals with internal variables and functions), is reviewed by a community of PHP experts and is probably secure: http://www.phpclasses.org/browse/package/2695.html

There are also simpler functions than the class in the PHP manual at http://php.net/eval but both of them will die on an incorrect expression.

Yeah, evaluating user-input code is a big deal; it should be done right or not at all.

Petko

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
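The point Petko makes above (a character whitelist in front of eval keeps arbitrary code out, but says nothing about whether the expression is syntactically valid, so `12+(*` still reaches the interpreter and blows up) can be shown in a few lines. The following is an added Python example written for this page; it is not the recipe's PHP code and not anything posted in the thread. It assumes a whitelist of digits, `+ - * /`, parentheses and whitespace as a stand-in for the recipe's "only numbers and operators" pattern check, and then shows the alternative a practitioner would reach for: parse the expression into a syntax tree and evaluate the tree yourself, so nothing is ever executed and malformed input becomes an ordinary error instead of a crash.

```python
import ast
import operator
import re

# Assumed stand-in for the recipe's pattern check: the alphabet of a
# plain arithmetic expression.  It proves which characters appear,
# not that they form a valid expression.
_WHITELIST = re.compile(r'^[0-9+\-*/().\s]+$')


def eval_whitelisted(expr: str):
    """Whitelist-then-eval, the approach discussed in the thread.

    Returns (ok, value_or_message).  Code injection is blocked because
    letters and quotes never get past the regex, but '12+(*' does get
    past it, and eval() then raises SyntaxError (the Python analogue of
    the PHP fatal error Petko describes).
    """
    if not _WHITELIST.match(expr):
        return False, "rejected by character whitelist"
    try:
        return True, eval(expr, {"__builtins__": {}}, {})
    except SyntaxError:
        return False, "malformed expression reached eval()"
    except ZeroDivisionError:
        return False, "division by zero"


class MathError(ValueError):
    """Raised for anything that is not a well-formed arithmetic expression."""


# Only these node types and operators are ever interpreted.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_math(expr: str):
    """Parse with ast.parse() and walk the tree by hand: no eval() at all.

    Accepts numeric literals, + - * / and unary sign with parentheses.
    A parse failure, a disallowed construct (function calls, names,
    exponentiation, ...) or division by zero all raise MathError, which
    a caller can turn into a friendly message instead of a fatal error.
    """
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError:
        raise MathError("malformed expression")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise MathError(f"disallowed construct: {type(node).__name__}")

    try:
        return walk(tree)
    except ZeroDivisionError:
        raise MathError("division by zero")


def rejects(expr: str) -> bool:
    """True if safe_math() refuses expr cleanly (raises MathError)."""
    try:
        safe_math(expr)
    except MathError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, including Petko's '12+(*' case.
    for sample in ["12+(3*4)", "12+(*", "1/0",
                   "__import__('os').system('id')", "2**9999"]:
        print(repr(sample), "->", eval_whitelisted(sample),
              "| safe_math rejects:", rejects(sample))
```

The whitelist version and the tree walker agree on the code-injection attempt (both refuse it), but only the tree walker turns `12+(*` into a recoverable error; with eval the malformed string is handed to the interpreter and whatever happens next is the interpreter's decision, which in PHP is the fatal error described in the thread. The walker also refuses `**`, which is a cheap way to keep a single expression from consuming unbounded CPU and memory.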