form-input and eval. How to make it safe?

  • Erwin Moller

    form-input and eval. How to make it safe?

    Hi all,

    Situation: I need arbitrary calculations to be done on certain columns in a
    table.
    The formulas are dynamic.
    I will replace certain values in the formula string with their current values
    in the columns.
    So I'll end up with a formula like:

    (col2*col4)/10 * (cos(col5) / sin(col6))

    All the col* will be replaced with the actual values.
    Then I want to eval the thing and get the answer to the calculation.


    Question:
    Everybody on the system with enough rights can create these formulas.
    I don't want to start evaling things that are naughty.

    How should I proceed?
    How can I be sure the eval won't touch the filesystem, e.g.?
    Or start opening database connections?
    Is it enough to 'forbid' $ and / and ' ??

    TIA!!

    Regards,
    Erwin Moller

  • Chung Leong

    #2
    Re: form-input and eval. How to make it safe?


    User "Erwin Moller"
    <since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in
    message news:40583eee$0$565$e4fe514c@news.xs4all.nl...
    > Hi all,
    >
    > Situation: I need arbitrary calculations to be done on certain columns in a
    > table.
    > The formulas are dynamic.
    > I will replace certain values in the formula string with their current values
    > in the columns.
    > So I'll end up with a formula like:
    >
    > (col2*col4)/10 * (cos(col5) / sin(col6))

    Well, the names of the columns and the functions that can be used form a
    closed set, so you can just parse the formulas for tokens and reject those
    with tokens outside of this set. This is fairly easy to do using regular
    expressions. Example:

    $columns = array("col1", "col2", "col3");
    $functions = array("cos", "sin", "tan");

    // pull every word-like token (identifiers and numbers) out of the formula
    if (preg_match_all('/\w+/', $formula, $matches)) {
        $tokens = $matches[0];
        // anything that is neither a known column nor a whitelisted function...
        if ($diff = array_diff($tokens, $columns, $functions)) {
            // ...has to be a plain number, otherwise reject the formula
            if (count($diff) != count(array_filter($diff, 'is_numeric'))) {
                /* invalid syntax! */
            }
        }
    }


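The token check in the reply above only inspects the `\w+` tokens; every other character in the string (quotes, backslashes, `$`, backticks, semicolons, braces) reaches eval() unexamined, and eval() runs whatever it is given as PHP with the full rights of the web server process. Since the formula grammar here is tiny, the safer route is to never call eval() for it at all: tokenize the formula, parse it, and compute the value directly, so the questions about the filesystem and database connections do not arise. The following is an added example, not code from the thread or from any of its posters. It assumes the grammar is numbers, column names, the four arithmetic operators, parentheses and a fixed whitelist of one-argument functions, and that the current row's column values are handed in as an array keyed by column name.

```php
<?php
// Added example: evaluate a row formula with a small recursive-descent
// parser instead of handing the string to eval(). Grammar (assumed):
//   expr  := term (('+'|'-') term)*
//   term  := unary (('*'|'/') unary)*
//   unary := '-' unary | atom
//   atom  := number | column | func '(' expr ')' | '(' expr ')'

class FormulaError extends Exception {}

class FormulaEvaluator
{
    private $columns;   // column name => numeric value for the current row
    // Whitelist of callable functions; names not in here are never resolved.
    private $functions = array('sin' => 'sin', 'cos' => 'cos', 'tan' => 'tan',
                               'sqrt' => 'sqrt', 'abs' => 'abs');
    private $tokens;
    private $pos;

    public function __construct(array $columns)
    {
        $this->columns = $columns;
    }

    public function evaluate($formula)
    {
        $this->tokens = $this->tokenize($formula);
        $this->pos = 0;
        $value = $this->parseExpr();
        if ($this->pos !== count($this->tokens)) {
            throw new FormulaError("Unexpected token '" . $this->tokens[$this->pos] . "'");
        }
        return $value;
    }

    // Split the formula into numbers, identifiers and single operator/paren
    // characters. Any other character (quote, $, backtick, ;, \ ...) is an
    // error before parsing even starts.
    private function tokenize($formula)
    {
        $formula = preg_replace('/\s+/', '', $formula);
        $re = '/(?:\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()])/A';  // A: anchor at offset
        $tokens = array();
        $offset = 0;
        $len = strlen($formula);
        while ($offset < $len) {
            if (!preg_match($re, $formula, $m, 0, $offset)) {
                throw new FormulaError("Illegal character '" . $formula[$offset] . "' at offset $offset");
            }
            $tokens[] = $m[0];
            $offset += strlen($m[0]);
        }
        return $tokens;
    }

    private function peek()
    {
        return $this->pos < count($this->tokens) ? $this->tokens[$this->pos] : null;
    }

    private function expect($tok)
    {
        if ($this->peek() !== $tok) {
            throw new FormulaError("Expected '$tok'");
        }
        $this->pos++;
    }

    private function parseExpr()
    {
        $value = $this->parseTerm();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = ($op === '+') ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm()
    {
        $value = $this->parseUnary();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseUnary();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new FormulaError('Division by zero');
                }
                $value = $value / $rhs;
            } else {
                $value = $value * $rhs;
            }
        }
        return $value;
    }

    private function parseUnary()
    {
        if ($this->peek() === '-') {
            $this->pos++;
            return -$this->parseUnary();
        }
        return $this->parseAtom();
    }

    private function parseAtom()
    {
        $tok = $this->peek();
        if ($tok === null) {
            throw new FormulaError('Unexpected end of formula');
        }
        if ($tok === '(') {
            $this->pos++;
            $value = $this->parseExpr();
            $this->expect(')');
            return $value;
        }
        if (is_numeric($tok)) {
            $this->pos++;
            return (float) $tok;
        }
        if (preg_match('/^[A-Za-z_]\w*$/', $tok)) {
            $this->pos++;
            if ($this->peek() === '(') {                      // function call
                if (!isset($this->functions[$tok])) {
                    throw new FormulaError("Unknown function '$tok'");
                }
                $this->pos++;
                $arg = $this->parseExpr();
                $this->expect(')');
                return call_user_func($this->functions[$tok], $arg);
            }
            if (!array_key_exists($tok, $this->columns)) {    // column reference
                throw new FormulaError("Unknown column '$tok'");
            }
            return (float) $this->columns[$tok];
        }
        throw new FormulaError("Unexpected token '$tok'");
    }
}

// Constructed sample row (not data from the thread).
$row = array('col2' => 6, 'col4' => 5, 'col5' => 0, 'col6' => M_PI / 2);
$ev = new FormulaEvaluator($row);
echo $ev->evaluate('(col2*col4)/10 * (cos(col5) / sin(col6))'), "\n";  // 3

foreach (array("system('ls')", '`ls`', 'exp(col2)', '$x', 'col9 + 1') as $bad) {
    try {
        $ev->evaluate($bad);
    } catch (FormulaError $e) {
        echo "rejected $bad: ", $e->getMessage(), "\n";
    }
}
```

Because the tokenizer refuses any character outside the grammar and the parser only resolves names against the column array and the `$functions` whitelist, the rejected inputs fail at the first illegal character or unknown name rather than being executed; nothing in the formula is ever compiled as PHP. Allowing another function is one more entry in `$functions`, which is the "expand my set" path discussed in the thread without any eval() behind it.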

    • lawrence

      #3
      Re: form-input and eval. How to make it safe?

      Erwin Moller <since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in message news:<40583eee$0$565$e4fe514c@news.xs4all.nl>...
      > Hi all,
      >
      > Situation: I need arbitrary calculations to be done on certain columns in a
      > table.
      > The formulas are dynamic.
      > I will replace certain values in the formula string with their current values
      > in the columns.
      > So I'll end up with a formula like:
      >
      > (col2*col4)/10 * (cos(col5) / sin(col6))
      >
      > All the col* will be replaced with the actual values.
      > Then I want to eval the thing and get the answer to the calculation.
      >
      >
      > Question:
      > Everybody on the system with enough rights can create these formulas.
      > I don't want to start evaling things that are naughty.
      >
      > How should I proceed?
      > How can I be sure the eval won't touch the filesystem, e.g.?
      > Or start opening database connections?
      > Is it enough to 'forbid' $ and / and ' ??


      Well, I face a similar problem, and I'm fighting it with lots of regex
      to stop the most obvious attacks. Can't suggest more till I see some
      sample equations and the form inputs.


      • Erwin Moller

        #4
        Re: form-input and eval. How to make it safe?

        Chung Leong wrote:

        > User "Erwin Moller"
        > <since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in
        > message news:40583eee$0$565$e4fe514c@news.xs4all.nl...
        >> Hi all,
        >>
        >> Situation: I need arbitrary calculations to be done on certain columns in a
        >> table.
        >> The formulas are dynamic.
        >> I will replace certain values in the formula string with their current values
        >> in the columns.
        >> So I'll end up with a formula like:
        >>
        >> (col2*col4)/10 * (cos(col5) / sin(col6))
        >
        > Well, the names of the columns and the functions that can be used form a
        > closed set, so you can just parse the formulas for tokens and reject those
        > with tokens outside of this set. This is fairly easy to do using regular
        > expressions. Example:
        >
        > $columns = array("col1", "col2", "col3");
        > $functions = array("cos", "sin", "tan");
        >
        > // pull every word-like token (identifiers and numbers) out of the formula
        > if (preg_match_all('/\w+/', $formula, $matches)) {
        >     $tokens = $matches[0];
        >     // anything that is neither a known column nor a whitelisted function...
        >     if ($diff = array_diff($tokens, $columns, $functions)) {
        >         // ...has to be a plain number, otherwise reject the formula
        >         if (count($diff) != count(array_filter($diff, 'is_numeric'))) {
        >             /* invalid syntax! */
        >         }
        >     }
        > }

        Thanks, Chung, for your reply.

        I am still studying it. :P
        Because my regex skills suck big time, this can take a little while.

        But I think I'll use your idea of a predefined set of 'valid functions'.
        If I need more I can always easily expand my set.

        Thanks,

        Regards,
        Erwin Moller
