Posted by Justin Koivisto on 11/19/69 11:47
Erwin Moller wrote:
> Justin Koivisto wrote:
>
>> I just used eval for the first time yesterday....
>>
>> <?php
>> // $scoring: page => array of the words found on that page.
>> // $parts: the search terms, each already checked to contain only [a-z0-9_].
>> foreach($scoring as $page=>$words){
>>     $evalstatement=array();
>>     foreach($parts as $word){
>>         $evalstatement[]='isset($words[\''.$word.'\'])';
>>     }
>>     // eval() of a bare expression yields NULL, so without "return ...;"
>>     // every page would be dropped whatever its words.
>>     if(!(eval('return '.join(' && ',$evalstatement).';'))){
>>         unset($scoring[$page]);
>>     }
>> }
>> ?>
>>
>> Part of a search function where $word would only ever be [a-z0-9_] -
>> Even then, I wasn't sure if I really wanted to use it... A few hours
>> later, it was replaced by something else (different algo). ;)
>
> I do not see how that piece of code makes sure that no naughty commands are
> executed.
> It completely depends on what $scoring contains.
> If you let me deliver that $scoring-array, I think I can delete the content
> of your harddrive.
> But maybe I miss something completely. :-/
See above.. the stuff that was used in the eval statement could only
contain letters a-z (lowercase only), digits 0-9, and the underscore.
Then they were single quoted, so the eval statement would look something
like:
isset($words['testing']) && isset($words['12_435']) &&
isset($words['id_17'])
The $scoring array had been constructed in the function, and if there were
found to be any characters other than those specified above, the function
would have returned FALSE long before it reached that loop.
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
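The filter discussed in this thread, as an added example that is not Justin's posted code: the same "every search term must be present on the page" check, once with the whitelist-guarded eval as the post describes it, and once with no eval at all. $scoring and $parts here are constructed sample data; in the original they are built inside the search function, and the helper names (words_are_safe, filter_with_eval, filter_without_eval) are assumptions for this example.

```php
<?php
// Added example, not the original poster's code.

// Constructed sample: page => words found on that page (value = hit count).
$scoring = array(
    'index.html'   => array('testing' => 2, '12_435' => 1, 'id_17' => 3),
    'about.html'   => array('testing' => 1, 'id_17' => 1),
    'contact.html' => array('12_435' => 4),
);

// Only [a-z0-9_] is allowed, as the post states; anything else fails closed.
// \z (not $) so a trailing newline cannot sneak past the check.
function words_are_safe(array $parts) {
    foreach ($parts as $word) {
        if (!preg_match('/^[a-z0-9_]+\z/', $word)) {
            return false;
        }
    }
    return true;
}

// Variant 1: the eval approach from the post. The whitelist is what keeps a
// term from closing the single quote and altering the expression. Note the
// "return" and ";": eval() of a bare expression yields NULL, so without them
// every page would be dropped regardless of its words.
function filter_with_eval(array $scoring, array $parts) {
    if (!words_are_safe($parts)) {
        return false;
    }
    foreach ($scoring as $page => $words) {
        $evalstatement = array();
        foreach ($parts as $word) {
            $evalstatement[] = 'isset($words[\'' . $word . '\'])';
        }
        if (!eval('return ' . join(' && ', $evalstatement) . ';')) {
            unset($scoring[$page]);
        }
    }
    return $scoring;
}

// Variant 2: the same logic without eval. The terms are only ever used as
// array keys, so there is no string to escape and nothing for a stray
// character to break out of; the whitelist is kept only to match the
// original's behaviour of returning FALSE on bad input.
function filter_without_eval(array $scoring, array $parts) {
    if (!words_are_safe($parts)) {
        return false;
    }
    foreach ($scoring as $page => $words) {
        foreach ($parts as $word) {
            if (!isset($words[$word])) {
                unset($scoring[$page]);
                break;
            }
        }
    }
    return $scoring;
}

$parts = array('testing', 'id_17');
print_r(array_keys(filter_with_eval($scoring, $parts)));
print_r(array_keys(filter_without_eval($scoring, $parts)));

// A term containing a single quote never reaches eval(): the whitelist
// rejects it and the function returns FALSE.
var_dump(filter_with_eval($scoring, array("test'ing")));
```

Both filters keep the pages that contain every term in $parts. The second variant is the one to prefer: it does exactly what the generated expression did, with no code generation step that a validation slip could turn into code execution.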