Making eval safe?
- Philipp Lenssen
February 6, 2008, 12:31 pm
The background: At questml.com I'm offering a way to create choose-your-own-adventures in a special XML dialect. There's a several-years-old Windows-based editor for QML but I'm pondering offering a web application for this as well. Part of QML are programming constructs which evaluate states like, e.g.,

<if check="[has tea] or [did drink tea]">...</if><else>...</else>

These support certain functions, user-defined variables, and maths, like adding up two values.

A simple way to evaluate these expressions is to first replace the variables with their values etc. and then use the PHP eval function (I've written interpreters in ASP/VBS and Python as well, so the issue is similar there too). Now, as I'm offering QML as an open source project you can run your own QML file on your own server so it's not a big security issue, though I am going through a forbidden-words blacklist before using the eval. However, if I want to add a web editor to my site then I'd also need to make it more safe, and blacklists, from what I know, are usually not the safest. Is there any better solution, e.g. should I put the executing PHP in a certain safe mode?
February 6, 2008, 12:52 pm
Re: Making eval safe?
The answer in short: Not using eval() at all :-)

Then write a compiler or pseudo-compiler. Feeding arbitrary data to eval() is a no-no.

Parsing every input, and having a big switch-case statement while looping through the XML tree, is an acceptable solution.

The answer is not a simple one, and it will require some thinking on your part, I'm afraid.
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
A computer is not a television or a microwave, it is a tool.
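The reply above recommends a parser that dispatches on a fixed set of operators instead of handing text to eval(). The following is an added example illustrating that approach for check expressions of the kind shown in the question ("[has tea] or [did drink tea]", arithmetic, comparisons, a few functions); it is not code from the thread or from the QML project. The grammar (bracketed variable names, numbers, double-quoted strings, and/or/not, comparison and arithmetic operators, an allowlisted set of functions) is an assumption for this example, as is the game state being a plain dict. It is written in Python rather than PHP because the question mentions interpreters in Python too and the structure carries over unchanged. The point to notice is that a variable's value is looked up and compared as data; it is never spliced back into source text, so a value such as "2+2" stays the string "2+2" rather than becoming 4.

```python
import operator
import re

class ExpressionError(Exception):
    """Raised for any malformed or non-evaluable check expression."""

# Token grammar assumed for this example (constructed; the real QML syntax is
# not shown in the thread): bracketed variables, numbers, double-quoted
# strings, bare words (and/or/not/function names) and operator symbols.
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<var>\[[^\]]*\])    |
    (?P<num>\d+(?:\.\d+)?) |
    (?P<str>"[^"]*")       |
    (?P<word>[A-Za-z_]\w*) |
    (?P<op><=|>=|<>|[-+*/=<>(),]))""", re.VERBOSE)

# Allowlist: the only callables an expression can reach. Names are never
# resolved in the interpreter's own namespace.
FUNCTIONS = {"min": min, "max": max, "abs": abs}
COMPARE = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
           ">": operator.gt, "<=": operator.le, ">=": operator.ge}
ARITH = {"+": operator.add, "-": operator.sub,
         "*": operator.mul, "/": operator.truediv}
MAX_DEPTH = 32  # bounds nesting so editor input cannot exhaust the stack

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character {text[pos]!r} at {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

class Parser:
    """Recursive-descent evaluator: one method per grammar rule, each
    dispatching on a fixed operator table instead of calling eval()."""

    def __init__(self, tokens, state):
        self.tokens, self.state, self.i, self.depth = tokens, state, 0, 0

    def peek(self, kind=None, value=None):
        if self.i >= len(self.tokens):
            return None
        k, v = self.tokens[self.i]
        return v if kind in (None, k) and value in (None, v) else None

    def take(self, kind=None, value=None):
        v = self.peek(kind, value)
        if v is None:
            raise SyntaxError(f"expected {value or kind or 'a token'}")
        self.i += 1
        return v

    def parse(self):
        result = self.or_expr()
        if self.i != len(self.tokens):
            raise SyntaxError(f"unexpected {self.tokens[self.i][1]!r}")
        return result

    def or_expr(self):
        v = self.and_expr()
        while self.peek("word", "or"):
            self.take()
            r = self.and_expr()   # parse the right side before combining
            v = bool(v) or bool(r)
        return v

    def and_expr(self):
        v = self.not_expr()
        while self.peek("word", "and"):
            self.take()
            r = self.not_expr()
            v = bool(v) and bool(r)
        return v

    def not_expr(self):
        if self.peek("word", "not"):
            self.take()
            return not self.not_expr()
        return self.comparison()

    def comparison(self):
        left = self.sum()
        op = self.peek("op")
        if op in COMPARE:
            self.take()
            return COMPARE[op](left, self.sum())
        return left

    def sum(self):
        v = self.term()
        while self.peek("op") in ("+", "-"):
            v = ARITH[self.take()](v, self.term())
        return v

    def term(self):
        v = self.factor()
        while self.peek("op") in ("*", "/"):
            v = ARITH[self.take()](v, self.factor())
        return v

    def factor(self):
        kind, v = self.tokens[self.i] if self.i < len(self.tokens) else (None, None)
        if kind == "num":
            self.i += 1
            return float(v) if "." in v else int(v)
        if kind == "str":
            self.i += 1
            return v[1:-1]
        if kind == "var":                      # unknown variables read as 0
            self.i += 1
            return self.state.get(v[1:-1].strip(), 0)
        if kind == "op" and v == "(":
            self.depth += 1
            if self.depth > MAX_DEPTH:
                raise SyntaxError("expression nested too deeply")
            self.i += 1
            inner = self.or_expr()
            self.take("op", ")")
            self.depth -= 1
            return inner
        if kind == "word" and v in FUNCTIONS:  # only allowlisted functions
            self.i += 1
            self.take("op", "(")
            args = [] if self.peek("op", ")") else [self.or_expr()]
            while self.peek("op", ","):
                self.take()
                args.append(self.or_expr())
            self.take("op", ")")
            return FUNCTIONS[v](*args)
        raise SyntaxError(f"unexpected {v!r}" if v else "unexpected end of expression")

def evaluate(expression, state):
    """Evaluate a check="..." expression against the game state dict. Never calls eval()."""
    try:
        return Parser(tokenize(expression), state).parse()
    except (SyntaxError, TypeError, ZeroDivisionError, RecursionError) as exc:
        raise ExpressionError(f"cannot evaluate {expression!r}: {exc}") from exc
```

Usage: evaluate('[has tea] or [did drink tea]', {"has tea": False, "did drink tea": True}) returns True, and anything outside the grammar, such as a call to a function not in FUNCTIONS, a dangling operator or a division by zero, raises ExpressionError instead of executing. The same structure maps directly onto PHP: a tokenizer, one function per grammar rule, and a switch over operator tokens, with functions resolved through a fixed array rather than by name.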