expression evaluation without eval()

saloon12yrd

Hi,

I need an algorithm to evaluate a boolean expression (within a string) like this:

$validation = "[VALUE] == 'corporation' || [VALUE] == 'family'";

The marker [VALUE] is filled from user input, the strings are configured statically by the developer.

It would be easy to utilize eval() for this but since part of the expression consists of more or less raw user input that would open the application to cross-site-scripting attacks and the like. So that's out of the question.

So, does anybody have any idea (or fully fletched algorithm)
a) that represents an alternative to eval() but does not end up interpreting PHP or
b) for a short (!) custom-built algorithm?

The necessary functionality is:
- comparison of strings as well as numbers
- all string and numeric comparison operators available in PHP
- related expressions via || and &&
- operator precedence via brackets ()

Right now my algorithm goes like this:
1) find all comparisons via preg_match()
2) evaluate all comparisons by parsing the two values and the operator and performing the comparison by-hand through a switch statement.
3) replace comparisons from 1) with boolean results (true|false) from 2)
4) strip anything that is not within (true|false||||&&|(|)) from the string
5) run the string through eval

(sorry, I'm not allowed to post the implementation)

It works and I believe it to be somewhat safe but there has to be something more elegant.

Thanks in advance,
Dominique

saloon12yrd

I think I found an easier solution:

Now I replace all occurances of [VALUE] with the name of the variable that holds that value.
After that I can evaluate the whole expression without the fuss with the switch statement.

// example:
$validation = "[VALUE] == 'corporation' || [VALUE] == 'family'";

// ...is replaced with something like...
$validation = "$testVars['VALUE'] == 'corporation' || $testVars['VALUE'] == 'family'";

// ...further converted to this...
$validation = 'return (' . $validation . ') ? true : false;';

// ..and evaluated without worry by eval()
$result = eval($validation);

If I didn't miss something there is no way that PHP code will sneak in the actually evaluated string and thus cross-site-scripting attacks won't happen (at least not here).

Did I miss something?
Dominique

rehfeld

well, i would try very very hard to avoid using eval on user input. if someone thinks of something you have not, they will have a lot of power to do whatever they want.

i think you need to post a lot more information if you want help on this. give us more info on what your doing, and some sample user input.

one thing i can think of to avoid using eval when your just checking for equality would be like:


// instead of
$validation = "$testVars['VALUE'] == 'corporation' || $testVars['VALUE'] == 'family'"; 

// put the possible values into an array
$possible_values = array(
     'corporation',
     'family',
);

return (in_array($testVars['VALUE'], $possible_values));

for the other stuff, again, your going to need to give us MUCH more info. i think your current solution using eval could be a dissaster waiting to happen.