Hi all, I've got a problem. I'm working on an investing site based on Drupal, and was creating a node for case studies/etc. of different investing methods. Is there an easy way to store a PHP expression in a database and run it later? Thanks, Tyrithe
I disagree. If it is used with caution and common sense it is extremely handy. As a general rule I use it ONLY inside a function so as to limit the scope of the evaluated variables as much as possible. As an example, I use it as the foundation of a quick template class.

    function evalTemplate($data, $template)
    {
        // Escape quotes/backslashes so the template can be wrapped in a double-quoted string.
        $template = addslashes($template);
        // Create a local variable for each data entry; these are the only
        // variables the template can reference inside this function's scope.
        foreach ($data as $dataIndex => $dataValue) {
            $$dataIndex = $dataValue;
        }
        // Let PHP interpolate the local variables into the template text.
        eval("\$templated = \"$template\";");
        return stripslashes($templated);
    }

In this example only the variables that are passed will be evaluated. The crux of maintaining security is initializing the variable container (array type) and populating it with data BEFORE passing it to the function. Bobby
I take it the concern with this function is a PHP equivalent of an SQL injection attack? I think it shouldn't be an issue, since the expression would be in the database. Although I may take a better look and hard-code a set of functions into the PHP if there aren't too many. Can someone point me to a document which discusses security concerns for PHP?
Any time your application accepts input there is the possibility of some type of attack or attempt to compromise. The eval() function, if left in the "wild" (in the business logic layer) and on a register_globals-enabled installation, would be a complete security disaster. This is the reason for limiting the scope to a function. eval() + register_globals enabled + poor coding practices = HUGE mistake. I agree with you, since the eval() won't be accepting input other than from the accessor layer and is thus very resistant to compromise. As with any input you would use as part of the business logic, the code stored in the DB should still be sanitized, but maybe not necessarily at a paranoid level. Bobby
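Added example, not code from anyone in this thread: it shows both ideas the thread raises (a template filled from a data array, as in Bobby's evalTemplate, and Tyrithe's "hard-code a set of functions" approach) done without passing database contents to eval(). Placeholder syntax `{name}`, the function names `renderTemplate` and `runStoredMethod`, the method names `simple_return` and `cagr`, and the sample row are all assumptions made for this example.

```php
<?php
// Added example (not from the thread). Two ways to act on "expressions"
// stored in a database without handing the stored text to eval().

// 1. Template substitution without eval(): placeholders such as {name} are
//    replaced with values from a data array. The template text is never
//    parsed as PHP, so quotes, backslashes or "$" in the stored text are
//    just characters and cannot change what the program does.
function renderTemplate(array $data, string $template): string
{
    $replacements = [];
    foreach ($data as $key => $value) {
        // Only simple identifiers are accepted as placeholder names.
        if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            $replacements['{' . $key . '}'] = (string) $value;
        }
    }
    // strtr() does a single pass, so a substituted value is never re-scanned.
    return strtr($template, $replacements);
}

// 2. The database stores only the NAME of a calculation; the name selects
//    from a hard-coded allowlist of closures. Anything not in the list is
//    rejected rather than executed (hypothetical method names below).
function runStoredMethod(string $name, array $args): float
{
    static $methods = null;
    if ($methods === null) {
        $methods = [
            'simple_return' => function (float $start, float $end): float {
                return ($end - $start) / $start;
            },
            'cagr' => function (float $start, float $end, float $years): float {
                return pow($end / $start, 1 / $years) - 1;
            },
        ];
    }
    if (!isset($methods[$name])) {
        throw new InvalidArgumentException("Unknown method: $name");
    }
    return $methods[$name](...$args);
}

// Constructed sample row standing in for a record read from the database.
$row = [
    'method'   => 'cagr',
    'args'     => [100.0, 200.0, 5.0],
    'template' => 'Method {method}: {result} per "year" ($, no eval)',
];

$result = runStoredMethod($row['method'], $row['args']);
echo renderTemplate(
    ['method' => $row['method'], 'result' => round($result, 4)],
    $row['template']
), "\n";
// Prints: Method cagr: 0.1487 per "year" ($, no eval)
```

With this layout the only thing the database can influence is which allowlisted calculation runs and what literal text appears in the output, so the "sanitize the stored code" step Bobby mentions is replaced by a lookup that fails closed.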