
form-input and eval. How to make it safe?

Erwin Moller
Guest
 
Posts: n/a
#1: Jul 17 '05
Hi all,

Situation: I need arbitrary calculations to be done on certain columns in a
table.
The formulas are dynamic.
I will replace certain values in the formula string with their current values
in the columns.
So I'll end up with a formula like:

(col2*col4)/10 * (cos(col5) / sin(col6))

all the col* will be replaced with the actual values.
Then I want to eval the thing and get the answer to the calculation.


Question:
Everybody on the system with enough rights can create these formulas.
I don't want to start evaluating things that are naughty.

How should I proceed?
How can I be sure the eval won't touch the filesystem, e.g.?
Or start opening database connections?
Is it enough to 'forbid' $ and / and '??

TIA!!

Regards,
Erwin Moller

Chung Leong
Guest
 
Posts: n/a
#2: Jul 17 '05

re: form-input and eval. How to make it safe?



User "Erwin Moller"
<since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in
message news:40583eee$0$565$e4fe514c@news.xs4all.nl...
> Hi all,
>
> Situation: I need arbitrary calculations to be done on certain columns in a
> table.
> The formulas are dynamic.
> I will replace certain values in the formula string with their current values
> in the columns.
> So I'll end up with a formula like:
>
> (col2*col4)/10 * (cos(col5) / sin(col6))

Well, the names of the columns and the functions that can be used form a
closed set, so you can just parse the formulas for tokens and reject those
with tokens outside of this set. This is fairly easy to do using a regular
expression. Example:

$columns = array("col1", "col2", "col3");
$functions = array("cos", "sin", "tan");

// every run of word characters is a candidate token: a column name,
// a function name or a numeric literal
if (preg_match_all('/\w+/', $formula, $matches)) {
    $tokens = $matches[0];
    // whatever is neither a known column nor a known function...
    if ($diff = array_diff($tokens, $columns, $functions)) {
        // ...must be a number, otherwise reject the formula
        if (count($diff) != count(array_filter($diff, 'is_numeric'))) {
            /* invalid syntax! */
        }
    }
}
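The closed-set idea in this reply taken one step further, as an added example (not code from the thread and not Chung's snippet). Whitelisting the word tokens and then still passing the string to eval() leaves every non-word character ($, quotes, ;, backticks, braces) unexamined and keeps eval() in the path; the example below instead tokenizes the formula with a strict regex and evaluates it with a small recursive-descent parser, so eval() is never called and anything outside the grammar fails closed. The column names, the function whitelist and the sample row are assumptions chosen for the demo; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The formula is never eval()'d: a strict
// regex tokenizes it and a recursive-descent parser for
//   expr  := term (('+'|'-') term)*      term := unary (('*'|'/') unary)*
//   unary := '-' unary | NUM | COL | FUNC '(' expr ')' | '(' expr ')'
// evaluates it as it is parsed. Column names and the whitelist are demo assumptions.
final class FormulaEvaluator
{
    // The only callables ever invoked; a user-supplied name is looked up here, never called as-is.
    private const FUNCTIONS = ['sin' => 'sin', 'cos' => 'cos', 'tan' => 'tan', 'sqrt' => 'sqrt'];

    private array $row;           // current row values, keyed by column name
    private array $tokens = [];   // [type, text] pairs; type is num | name | op
    private int $pos = 0;

    public function __construct(array $row) { $this->row = $row; }

    public function evaluate(string $formula): float
    {
        $this->tokens = $this->tokenize(trim($formula));
        $this->pos = 0;
        $value = $this->parseExpr();
        if ($this->pos !== count($this->tokens)) throw new InvalidArgumentException('unexpected trailing input');
        return $value;
    }

    // Anything the pattern does not match (quotes, $, ;, backticks, braces, ...) is rejected
    // here, before any part of the formula is interpreted.
    private function tokenize(string $formula): array
    {
        $pattern = '/\G\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/()]))/';
        $tokens = [];
        $offset = 0;
        while ($offset < strlen($formula)) {
            if (!preg_match($pattern, $formula, $m, 0, $offset)) {
                throw new InvalidArgumentException("illegal character at offset $offset");
            }
            $offset += strlen($m[0]);
            $tokens[] = $m[1] !== '' ? ['num', $m[1]] : ($m[2] !== '' ? ['name', $m[2]] : ['op', $m[3]]);
        }
        return $tokens;
    }

    // Consume the operator at the cursor if it is one of $ops; otherwise leave it and return null.
    private function acceptOp(string ...$ops): ?string
    {
        $t = $this->tokens[$this->pos] ?? null;
        if ($t === null || $t[0] !== 'op' || !in_array($t[1], $ops, true)) return null;
        $this->pos++;
        return $t[1];
    }

    private function expectOp(string $op): void
    {
        if ($this->acceptOp($op) === null) throw new InvalidArgumentException("expected '$op'");
    }

    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (($op = $this->acceptOp('+', '-')) !== null) {
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseUnary();
        while (($op = $this->acceptOp('*', '/')) !== null) {
            $rhs = $this->parseUnary();
            // explicit check: PHP 8 would otherwise throw DivisionByZeroError, which is not an Exception
            if ($op === '/' && $rhs == 0.0) throw new DomainException('division by zero');
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    private function parseUnary(): float
    {
        if ($this->acceptOp('-') !== null) return -$this->parseUnary();
        [$type, $text] = $this->tokens[$this->pos++] ?? [null, null];
        if ($type === 'num') return (float) $text;
        // a column value is used as a number here; it is never spliced into source text
        if ($type === 'name' && array_key_exists($text, $this->row)) return (float) $this->row[$text];
        if ($type === 'name' && isset(self::FUNCTIONS[$text])) {
            $this->expectOp('(');
            $arg = $this->parseExpr();
            $this->expectOp(')');
            return (float) (self::FUNCTIONS[$text])($arg);
        }
        if ($type === 'op' && $text === '(') {
            $value = $this->parseExpr();
            $this->expectOp(')');
            return $value;
        }
        throw new InvalidArgumentException($type === null ? 'unexpected end of formula' : "unknown token '$text'");
    }
}

// Constructed sample row; the column set is an assumption for the demo.
$ev = new FormulaEvaluator(['col2' => 4, 'col4' => 5, 'col5' => 0.5, 'col6' => 1.2]);
echo $ev->evaluate('(col2*col4)/10 * (cos(col5) / sin(col6))'), PHP_EOL;

// Hostile or malformed formulas fail closed, without anything being interpreted.
foreach (['`ls`', 'system("id")', 'col2 + $x', 'cos(col5); phpinfo()', 'col7 + 1', 'col2 / (col4 - 5)'] as $bad) {
    try {
        echo 'ACCEPTED (should not happen): ', $ev->evaluate($bad), PHP_EOL;
    } catch (Exception $e) {
        echo "rejected: $bad -> ", $e->getMessage(), PHP_EOL;
    }
}
```

Adding a function means adding one entry to the FUNCTIONS map, which is the "expand the set" step Erwin mentions later in the thread; nothing else in the evaluator changes. Because the row values are substituted at evaluation time as numbers rather than into source text, the contents of the table cannot alter the meaning of a formula either.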


lawrence
Guest
 
Posts: n/a
#3: Jul 17 '05

re: form-input and eval. How to make it safe?


Erwin Moller <since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in message news:<40583eee$0$565$e4fe514c@news.xs4all.nl>...
> Hi all,
>
> Situation: I need arbitrary calculations to be done on certain columns in a
> table.
> The formulas are dynamic.
> I will replace certain values in the formula string with their current values
> in the columns.
> So I'll end up with a formula like:
>
> (col2*col4)/10 * (cos(col5) / sin(col6))
>
> all the col* will be replaced with the actual values.
> Then I want to eval the thing and get the answer to the calculation.
>
>
> Question:
> Everybody on the system with enough rights can create these formulas.
> I don't want to start evaluating things that are naughty.
>
> How should I proceed?
> How can I be sure the eval won't touch the filesystem, e.g.?
> Or start opening database connections?
> Is it enough to 'forbid' $ and / and '??


Well, I face a similar problem, and I'm fighting it with lots of regex
to stop the most obvious attacks. Can't suggest more till I see some
sample equations and the form inputs.

Erwin Moller
Guest
 
Posts: n/a
#4: Jul 17 '05

re: form-input and eval. How to make it safe?


Chung Leong wrote:
>
> User "Erwin Moller"
> <since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in
> message news:40583eee$0$565$e4fe514c@news.xs4all.nl...
>> Hi all,
>>
>> Situation: I need arbitrary calculations to be done on certain columns in a
>> table.
>> The formulas are dynamic.
>> I will replace certain values in the formula string with their current values
>> in the columns.
>> So I'll end up with a formula like:
>>
>> (col2*col4)/10 * (cos(col5) / sin(col6))
>
> Well, the names of the columns and the functions that can be used form a
> closed set, so you can just parse the formulas for tokens and reject those
> with tokens outside of this set. This is fairly easy to do using a regular
> expression. Example:
>
> $columns = array("col1", "col2", "col3");
> $functions = array("cos", "sin", "tan");
>
> if (preg_match_all('/\w+/', $formula, $matches)) {
>     $tokens = $matches[0];
>     if ($diff = array_diff($tokens, $columns, $functions)) {
>         if (count($diff) != count(array_filter($diff, 'is_numeric'))) {
>             /* invalid syntax! */
>         }
>     }
> }

Thanks Chung for your reply.

I am still studying it. :P
Because my regex skills suck big time, this can take a little while.

But I think I'll use your idea of a predefined set of 'valid functions'.
If I need more I can always easily expand my set.

Thanks,

Regards,
Erwin Moller