RE: [PHP] Secure eval();

2002-05-21 Thread Scott Hurring
> -Original Message-
> From: Chris Boget [mailto:[EMAIL PROTECTED]]
> Subject: Re: [PHP] Secure eval();
>
> > Are you sure you have to run it through eval()? It sounds like you're
> > creating a query. Couldn't you just create the query dynam

Re: [PHP] Secure eval();

2002-05-21 Thread Chris Boget
> Are you sure you have to run it through eval()? It sounds like you're
> creating a query. Couldn't you just create the query dynamically, then put
> it in a mysql_query() function? (or whatever DB you're using) Then, even if
> they try some kung fu on you, it'll just result in a bad query, not s

Re: [PHP] Secure eval();

2002-05-21 Thread 1LT John W. Holmes
bad query, not some rogue code being executed.

---John Holmes...

- Original Message -
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "1LT John W. Holmes" <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 10:17 AM
S

Re: [PHP] Secure eval();

2002-05-21 Thread Chris Boget
> You'll have to come up with a regular expression to check for bad
> characters. How complex are the equations? If they are like your example,
> you can just check that the equation doesn't have any letters and is only
> made up of [0-9+*-/()] characters.

It's pretty complex. What I gave was a

Re: [PHP] Secure eval();

2002-05-21 Thread 1LT John W. Holmes
You'll have to come up with a regular expression to check for bad characters. How complex are the equations? If they are like your example, you can just check that the equation doesn't have any letters and is only made up of [0-9+*-/()] characters.

---John Holmes...

- Original Message -