> -Original Message-
> From: Chris Boget [mailto:[EMAIL PROTECTED]]
> Subject: Re: [PHP] Secure eval();
>
> > Are you sure you have to run it through eval()? It sounds
> like you're
> > creating a query. Couldn't you just create the query
> dynam
> Are you sure you have to run it through eval()? It sounds like you're
> creating a query. Couldn't you just create the query dynamically, then put
> it in a mysql_query() function? (or whatever DB you're using) Then, even if
> they try some kung fu on you, it'll just result in a bad query, not s
bad query, not some
rogue code being executed.
---John Holmes...
- Original Message -
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "1LT John W. Holmes" <[EMAIL PROTECTED]>; "PHP General"
<[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 10:17 AM
S
> You'll have to come up with a regular expression to check for bad
> characters. How complex are the equations? If they are like your example,
> you can just check that the equation doesn't have any letters and is only
> made up of [0-9+*-/()] characters.
It's pretty complex. What I gave was a
al Message -
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "PHP General" <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 9:47 AM
Subject: [PHP] Secure eval();
> I need to store equations in a DB for later use. For example,
> something like the following might
I need to store equations in a DB for later use. For example,
something like the following might appear in one of the fields:
(( 2 * 3 ) + 7 ) / ( 8 / 4 )
So I want to eval() *only* equations. However, there is nothing
stopping someone from entering in a valid PHP command that
accesses the file