Posted by werner on 01/20/06 22:39
Thanks for the input, this topic has had me wrestling with PHP for
quite some time.
Pedro Graca wrote:
> $formula = 'user data';
> if (preg_match('/^[-+*\/^()\s0-9]+$/', $formula)) {
> /* do shell command with properly escaped data */
> } else {
> /* bad entry */
> }
Well, since the user should be able to supply arbitrary variables in
the expression (which will then make the whitelist filtering approach a
bit hard to accomplish, e.g. we'll need to add a "[a-z]+" in there as
well), some innocent-looking "expressions" like 'rm -rf *' might still
slip through.
> I have written something to get you started:
> http://svn.linuxonly.nl/filedetails.php?repname=svn.linuxonly.nl&path...
> It is not complete. It does not check parentheses and does not give
> precedence to * over + (for example). It converts the expression to
> Reverse Polish notation and then computes it.
Thanks for the help! I agree with the parser suggestion and have also
previously searched for an expression parser, as this would be the best
approach. I just can't *believe* that there isn't one yet, considering
the complexity of classes found in Pear, Pecl and those made for
academic and educational purposes.
I am also looking at maybe porting an existing Java solution, what do
you think? It's just going to take some time, and I sadly don't have
much of that left.
> There is bc under Unix. Although inserting user-supplied data into a
> shell command might be even more dangerous.
That is also an interesting approach, but I do feel that I would like
to keep it a native PHP solution.
Funny thing, though, that there is no native parser function available,
since PHP is after all an interpreted language. Something like eval()
that could return tokens instead of the evaluated value would be
*extremely* helpful in this regard. What do you think?
Thanks again, everyone.
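
Added example, not part of the original post or of the code linked in the thread: a small native-PHP evaluator for the kind of input discussed above, which tokenizes the formula and looks variables up in an array, so user text is never handed to eval() or a shell. The class name SafeExpr, the variable names and the sample inputs are assumptions made for illustration; it also handles parentheses and operator precedence.

```php
<?php // Added example (PHP 8+), not from the thread: no eval(), no shell.
final class SafeExpr {
    private const PREC = ['+' => 1, '-' => 1, '*' => 2, '/' => 2, '^' => 3];
    private array $tok = [];
    private int $pos = 0;
    public function __construct(private array $vars = []) {} // name => number
    public function evaluate(string $src): float {
        // Tokenize: numbers, names, operators. Any other byte is an error.
        $re = '~\s*(?:(\d+(?:\.\d+)?)|([a-z_][a-z0-9_]*)|([-+*/^()]))~Ai';
        $this->tok = []; $this->pos = 0; $off = 0; $src = rtrim($src);
        while ($off < strlen($src)) {
            if (!preg_match($re, $src, $m, 0, $off)) throw new InvalidArgumentException("bad input at offset $off");
            $off += strlen($m[0]);
            $this->tok[] = $m[1] !== '' ? ['num', (float)$m[1]] : ($m[2] !== '' ? ['var', $m[2]] : ['op', $m[3]]);
        }
        $v = $this->expr();
        if ($this->pos < count($this->tok)) throw new InvalidArgumentException('unexpected token');
        return $v;
    }
    private function op(): ?string { // operator under the cursor, else null
        [$type, $val] = $this->tok[$this->pos] ?? [null, null];
        return $type === 'op' ? $val : null;
    }
    private function expr(int $min = 1): float { // precedence climbing
        $v = $this->atom();
        while (($o = $this->op()) !== null && (self::PREC[$o] ?? 0) >= $min) {
            $this->pos++;
            $r = $this->expr($o === '^' ? 3 : self::PREC[$o] + 1); // '^' is right-associative
            $v = match ($o) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r, '^' => $v ** $r };
        }
        return $v;
    }
    private function atom(): float { // NUMBER | NAME | '-' atom | '(' expr ')'
        [$type, $val] = $this->tok[$this->pos++] ?? ['end', 'end of input'];
        if ($type === 'num') return $val;
        if ($type === 'var' && array_key_exists($val, $this->vars)) return (float)$this->vars[$val];
        if ($val === '-') return -$this->expr(3); // unary minus binds below '^'
        if ($val !== '(') throw new InvalidArgumentException("unexpected or unknown token: $val");
        $v = $this->expr();
        if ($this->op() !== ')') throw new InvalidArgumentException('missing )');
        $this->pos++;
        return $v;
    }
}
$calc = new SafeExpr(['x' => 3, 'rate' => 0.5]); // constructed sample inputs
foreach (['2 * (x + 1) ^ 2 - rate', 'rm -rf *'] as $in) {
    try { var_dump($calc->evaluate($in)); } catch (Throwable $e) { echo get_class($e), ': ', $e->getMessage(), "\n"; }
}
```

Names that are not keys of the array passed to the constructor are rejected as unknown tokens, which is what stops a letter-permitting whitelist from letting command-like text through.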