Bytes | Software Development & Data Engineering Community

form-input and eval. How to make it safe?

Hi all,

Situation: I need arbitrary calculations to be done on certain columns in a
table.
The formulas are dynamic.
I will replace certain values in the formula string with their current values
in the columns.
So I'll end up with a formula like:

(col2*col4)/10 * (cos(col5) / sin(col6))

All the col* will be replaced with the actual values.
Then I want to eval the thing and get the answer to the calculation.
Question:
Everybody on the system with enough rights can create these formulas.
I don't want to start evaluating things that are naughty.

How should I proceed?
How can I be sure the eval won't touch the filesystem, e.g.?
Or start opening database connections?
Is it enough to 'forbid' $ and / and '?

TIA!!

Regards,
Erwin Moller

Jul 17 '05 #1

User "Erwin Moller"
<si******************************************@spam yourself.com> wrote in
message news:40*********************@news.xs4all.nl...
Hi all,

Situation: I need arbitrary calculations to be done on certain columns in a table.
The formulas are dynamic.
I will replace certain values in the formula string with their current values in the columns.
So I'll end up with a formula like:

(col2*col4)/10 * (cos(col5) / sin(col6))


Well, the names of the columns and the functions that can be used form a
closed set, so you can just parse the formulas for tokens and reject those
with tokens outside of this set. This is fairly easy to do using regular
expressions. Example:

$columns = array("col1", "col2", "col3");
$functions = array("cos", "sin", "tan");

if(preg_match_all('/\w+/', $formula, $matches)) {
    $tokens = $matches[0];
    if($diff = array_diff($tokens, $columns, $functions)) {
        /* every token that is neither a column nor a function must be a number */
        if(count($diff) != count(array_filter($diff, 'is_numeric'))) {
            /* invalid syntax! */
        }
    }
}
Jul 17 '05 #2
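An added example, not code from this thread and not Chung Leong's snippet: it takes the closed-set idea one step further and never calls eval at all. The formula is tokenized against a whitelist (only numbers, identifiers and the operators `+ - * / ( ) ,` are tokens, so `$`, quotes or `;` fail before parsing starts), then evaluated directly by a small recursive-descent parser in which every identifier must be a known column or a whitelisted function. Column values are looked up by name at evaluation time instead of being spliced into the string. The column names col1..col6, the function set and the sample row are assumptions made for the example; it also rejects division by zero, which `sin(col6)` in the original formula could produce.

```php
<?php
// Added example, not code from this thread: a whitelist tokenizer plus a recursive-descent
// evaluator for formulas such as (col2*col4)/10 * (cos(col5) / sin(col6)), so user input never
// reaches eval(). Column names, the function list and the sample row below are assumed values.
final class FormulaError extends RuntimeException {}
final class SafeFormula
{
    private const FUNCTIONS = ['cos' => 'cos', 'sin' => 'sin', 'tan' => 'tan', 'sqrt' => 'sqrt']; // closed set
    private array $tokens = [];
    private int $pos = 0;
    private array $row = [];
    public function __construct(private array $allowedColumns) {} // closed set of column names

    // Evaluate $formula against $row (column name => numeric value); throws FormulaError on any violation.
    public function evaluate(string $formula, array $row): float
    {
        $this->tokens = $this->tokenize($formula);
        $this->pos = 0;
        $this->row = $row;
        $value = $this->expr();
        if ($this->pos !== count($this->tokens)) { throw new FormulaError('Trailing input after expression'); }
        return $value;
    }
    // Only numbers, identifiers and + - * / ( ) , are tokens; any other byte
    // ($, quotes, ;, ...) is rejected before parsing starts.
    private function tokenize(string $formula): array
    {
        $re = '/\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/(),]))/A';
        $formula = trim($formula);
        $tokens = [];
        for ($offset = 0, $len = strlen($formula); $offset < $len; $offset += strlen($m[0])) {
            if (!preg_match($re, $formula, $m, 0, $offset)) { throw new FormulaError("Illegal character at offset $offset"); }
            // preg_match returns earlier non-participating groups as '' and omits trailing ones
            $tokens[] = $m[1] !== '' ? ['num', (float) $m[1]]
                      : ((isset($m[2]) && $m[2] !== '') ? ['id', $m[2]] : ['op', $m[3]]);
        }
        return $tokens;
    }
    private function accept(string $op): bool
    {
        if (($this->tokens[$this->pos] ?? null) !== ['op', $op]) { return false; }
        $this->pos++;
        return true;
    }
    private function expect(string $op): void
    {
        if (!$this->accept($op)) { throw new FormulaError("Expected '$op'"); }
    }
    // expr := term (('+' | '-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (true) {
            if ($this->accept('+')) { $v += $this->term(); }
            elseif ($this->accept('-')) { $v -= $this->term(); }
            else { return $v; }
        }
    }
    // term := unary (('*' | '/') unary)*   (division by zero is an error, not INF)
    private function term(): float
    {
        $v = $this->unary();
        while (true) {
            if ($this->accept('*')) { $v *= $this->unary(); }
            elseif ($this->accept('/')) {
                $d = $this->unary();
                if ($d == 0.0) { throw new FormulaError('Division by zero'); }
                $v /= $d;
            } else { return $v; }
        }
    }
    // unary := '-' unary | primary
    private function unary(): float { return $this->accept('-') ? -$this->unary() : $this->primary(); }
    // primary := NUMBER | '(' expr ')' | FUNC '(' expr ')' | COLUMN
    private function primary(): float
    {
        $t = $this->tokens[$this->pos] ?? null;
        if ($t === null) { throw new FormulaError('Unexpected end of formula'); }
        if ($this->accept('(')) { $v = $this->expr(); $this->expect(')'); return $v; }
        $this->pos++;
        if ($t[0] === 'num') { return $t[1]; }
        if ($t[0] !== 'id') { throw new FormulaError("Unexpected token '{$t[1]}'"); }
        $name = $t[1];
        if ($this->accept('(')) {   // function call: the name must be in the whitelist
            if (!isset(self::FUNCTIONS[$name])) { throw new FormulaError("Unknown function '$name'"); }
            $arg = $this->expr(); $this->expect(')');
            return (float) call_user_func(self::FUNCTIONS[$name], $arg);
        }
        if (!in_array($name, $this->allowedColumns, true)) { throw new FormulaError("Unknown column '$name'"); }
        if (!isset($this->row[$name]) || !is_numeric($this->row[$name])) { throw new FormulaError("No numeric value for '$name'"); }
        return (float) $this->row[$name];
    }
}
// Constructed sample row and formulas (not from the thread).
$row = ['col2' => 4, 'col4' => 5, 'col5' => 0.0, 'col6' => M_PI / 2];
$sf = new SafeFormula(['col1', 'col2', 'col3', 'col4', 'col5', 'col6']);
echo $sf->evaluate('(col2*col4)/10 * (cos(col5) / sin(col6))', $row), PHP_EOL;
foreach (['col2 * unknown(col4)', 'col2 + $x', 'col2 / (col5 * 3)', 'col9 + 1'] as $bad) {
    try { $sf->evaluate($bad, $row); }
    catch (FormulaError $e) { echo "rejected '$bad': ", $e->getMessage(), PHP_EOL; }
}
```

The design answers the original question from the other direction: rather than deciding which characters are dangerous and forbidding them, only the small grammar above is accepted and everything else is an error, so there is no interpreter for an unexpected input to reach. Looking values up by column name at evaluation time, instead of substituting them into the string first, also means a column whose stored value is not a plain number cannot alter the structure of the formula.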
Erwin Moller <si******************************************@spam yourself.com> wrote in message news:<40*********************@news.xs4all.nl>...
Hi all,

Situation: I need arbitrary calculations to be done on certain columns in a
table.
The formulas are dynamic.
I will replace certain values in the formula string with their current values
in the columns.
So I'll end up with a formula like:

(col2*col4)/10 * (cos(col5) / sin(col6))

All the col* will be replaced with the actual values.
Then I want to eval the thing and get the answer to the calculation.
Question:
Everybody on the system with enough rights can create these formulas.
I don't want to start evaluating things that are naughty.

How should I proceed?
How can I be sure the eval won't touch the filesystem, e.g.?
Or start opening database connections?
Is it enough to 'forbid' $ and / and '?

Well, I face a similar problem, and I'm fighting it with lots of regex
to stop the most obvious attacks. Can't suggest more till I see some
sample equations and the form inputs.
Jul 17 '05 #3
Chung Leong wrote:

User "Erwin Moller"
<si******************************************@spam yourself.com> wrote in
message news:40*********************@news.xs4all.nl...
Hi all,

Situation: I need arbitrary calculations to be done on certain columns in a
table.
The formulas are dynamic.
I will replace certain values in the formula string with their current values
in the columns.
So I'll end up with a formula like:

(col2*col4)/10 * (cos(col5) / sin(col6))


Well, the names of the columns and the functions that can be used form a
closed set, so you can just parse the formulas for tokens and reject those
with tokens outside of this set. This is fairly easy to do using regular
expressions. Example:

$columns = array("col1", "col2", "col3");
$functions = array("cos", "sin", "tan");

if(preg_match_all('/\w+/', $formula, $matches)) {
    $tokens = $matches[0];
    if($diff = array_diff($tokens, $columns, $functions)) {
        /* every token that is neither a column nor a function must be a number */
        if(count($diff) != count(array_filter($diff, 'is_numeric'))) {
            /* invalid syntax! */
        }
    }
}


Thanks Chung for your reply.

I am still studying it. :P
Because my regex skills suck big time, this can take a little while.

But I think I'll use your idea of a predefined set of 'valid functions'.
If I need more I can always easily expand my set.

Thanks,

Regards,
Erwin Moller
Jul 17 '05 #4
