The question in short: how do I make eval() safe?
The background: At questml.com I'm offering a way to create choose-your-own-adventures in a special XML dialect. There's a several-years-old Windows-based editor for QML, but I'm pondering offering a web application for this as well. Part of QML are programming constructs which evaluate states, e.g.
<if check="[has tea] or [did drink tea]">...</if><else>...</else>
These support certain functions, user-defined variables, and maths, like adding up two values.
A simple way to evaluate these expressions is to first replace the variables with their values etc. and then use the PHP eval function (I've written interpreters in ASP/VBS and Python as well, so the issue is similar there too). Now, as I'm offering QML as an open source project, you can run your own QML file on your own server, so it's not a big security issue, though I am going through a forbidden-words blacklist before using the eval. However, if I want to add a web editor to my site then I'd also need to make it safer, and blacklists, from what I know, are usually not the safest. Is there any better solution, e.g. should I put the executing PHP in a certain safe mode?
Philipp Lenssen wrote:
The question in short: how do I make eval() safe?
The answer in short: Not using eval() at all :-)
The background: At questml.com I'm offering a way to create choose-
your-own-adventures in a special XML dialect. [...]
These support certain functions, user-defined variables, and maths,
like adding up two values.
Then write a compiler or pseudo-compiler. Feeding arbitrary data to eval() is a no-no.
Parsing every input and having a big switch-case statement while looping through the XML tree is an acceptable solution.
The answer is not a simple one, and it will require some thinking on your
part, I'm afraid.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
A computer is not a television or a microwave; it is a complex tool.
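What Iván's reply amounts to in code, as an added example that is not part of this thread or of the QML project: a tokeniser, a recursive-descent parser and a tree-walking evaluator for expressions like the one in the question, with no call to eval() anywhere. It is written in Python (Philipp mentions a Python interpreter for QML as well); the structure ports one-to-one to PHP, with preg_match for the tokeniser and a switch on the node type for the evaluator. Everything beyond the `[has tea] or [did drink tea]` sample is an assumption: the `$name` variable syntax, "quoted" string literals, the set of comparison and arithmetic operators, the nesting limit of 40, and the min/max/abs function whitelist.

```python
import re
from operator import add, eq, ge, gt, le, lt, mul, ne, sub, truediv
# Tokeniser: every character must match a pattern here, so anything outside the
# language (backticks, semicolons, PHP or Python names) is rejected up front.
TOKEN_RE = re.compile(r"""\s*(?:
      (?P<num>\d+(?:\.\d+)?)
    | (?P<str>"[^"]*")
    | (?P<state>\[[^\[\]]+\])          # [has tea]  -> state flag (syntax from the post)
    | (?P<var>\$[A-Za-z_]\w*)          # $gold      -> user variable (assumed syntax)
    | (?P<op><=|>=|<>|!=|[-+*/<>=(),])
    | (?P<word>[A-Za-z_]\w*)           # and / or / not, function names
    )""", re.VERBOSE)

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            if not text[pos:].strip(): break    # only trailing whitespace left
            raise SyntaxError(f"unexpected input at {pos}: {text[pos:pos + 10]!r}")
        out.append((m.lastgroup, m.group(m.lastgroup))); pos = m.end()
    return out

class Parser:
    MAX_DEPTH = 40          # bound nesting so "((((...))))" cannot exhaust the stack
    def __init__(self, tokens): self.toks, self.i, self.depth = tokens, 0, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, want=None):
        kind, value = self.peek()
        if kind is None or (want is not None and value != want):
            raise SyntaxError(f"expected {want or 'a value'}, got {value!r}")
        self.i += 1
        return value
    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None: raise SyntaxError(f"trailing input: {self.peek()[1]!r}")
        return node
    def binary(self, sub, ops, tag):    # left-associative binary-operator loop
        node = sub()
        while self.peek()[0] in ("op", "word") and self.peek()[1] in ops:
            node = (tag, self.take(), node, sub())
        return node
    def expr(self):                     # precedence, lowest first: or, and, not, cmp, + -, * /
        self.depth += 1
        if self.depth > self.MAX_DEPTH: raise SyntaxError("expression nested too deeply")
        node = self.binary(self.term, ("or",), "logic")
        self.depth -= 1
        return node
    def term(self):       return self.binary(self.unary, ("and",), "logic")
    def comparison(self): return self.binary(self.sum, ("=", "<>", "!=", "<", ">", "<=", ">="), "bin")
    def sum(self):        return self.binary(self.product, ("+", "-"), "bin")
    def product(self):    return self.binary(self.atom, ("*", "/"), "bin")
    def unary(self):
        if self.peek() == ("word", "not"): self.take(); return ("not", self.unary())
        return self.comparison()
    def atom(self):
        kind, value = self.peek()
        if kind == "num":   self.take(); return ("const", float(value))
        if kind == "str":   self.take(); return ("const", value[1:-1])
        if kind == "state": self.take(); return ("state", value[1:-1].strip())
        if kind == "var":   self.take(); return ("var", value[1:])
        if (kind, value) == ("op", "("):
            self.take(); node = self.expr(); self.take(")"); return node
        if kind == "word":              # any other word must be a function call
            self.take(); self.take("(")
            args = [self.expr()] if self.peek() != ("op", ")") else []
            while self.peek() == ("op", ","): self.take(); args.append(self.expr())
            self.take(")"); return ("call", value, args)
        raise SyntaxError(f"unexpected token {value!r}")

# The evaluator's dispatch is the "big switch-case" of the reply. Callable names are a
# closed whitelist (these three are assumed), so no token can reach a builtin or a file.
FUNCTIONS = {"min": min, "max": max, "abs": abs}
OPS = {"=": eq, "<>": ne, "!=": ne, "<": lt, ">": gt, "<=": le, ">=": ge,
       "+": add, "-": sub, "*": mul, "/": truediv}

def evaluate(node, states, variables):
    tag, ev = node[0], lambda n: evaluate(n, states, variables)
    if tag == "const": return node[1]
    if tag == "state": return node[1] in states
    if tag == "var":
        if node[1] not in variables: raise NameError(f"unknown variable ${node[1]}")
        return variables[node[1]]
    if tag == "not": return not ev(node[1])
    if tag == "logic":                  # short-circuits like PHP's and / or
        left = bool(ev(node[2]))
        return (left and bool(ev(node[3]))) if node[1] == "and" else (left or bool(ev(node[3])))
    if tag == "bin":
        op, left, right = node[1], ev(node[2]), ev(node[3])
        if op in "+-*/" and not all(isinstance(x, (int, float)) for x in (left, right)):
            raise TypeError(f"'{op}' needs numeric operands")   # also rules out "a" * 10**9
        return OPS[op](left, right)
    if tag == "call":
        if node[1] not in FUNCTIONS: raise NameError(f"unknown function {node[1]}()")
        return FUNCTIONS[node[1]](*[ev(a) for a in node[2]])
    raise ValueError(f"unknown node {tag!r}")

def check(expression, states=(), variables=None):   # one <if check="..."> expression
    return bool(evaluate(Parser(tokenize(expression)).parse(), set(states), variables or {}))
```

`check('[has tea] or [did drink tea]', {'has tea'})` returns True; `check('system("ls")')` raises NameError because `system` is not in FUNCTIONS, and `check('$gold; phpinfo()')` raises SyntaxError from the tokeniser before any evaluation happens. That is the difference from the forbidden-words blacklist: the grammar names what is allowed, so there is no list of bad things that has to be kept complete, and the evaluator can only call what the whitelist contains. In a web editor, catch the exception and show it to the author; every failure mode here (unknown name, bad token, division by zero, the nesting limit) fails closed. The parser bounds nesting but not input size, so cap the expression length where it is read from the document as well.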
The answer is not a simple one, and it will require
some thinking on your part, I'm afraid.
Thanks. Guess I was wishing for some PHP feature to put a given script
portion into a safe mode, e.g. temporarily disable write access,
database access, or file access and so on.