#1
  Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Nov 2003
    Posts
    698
    Rep Power
    95

    Understanding eval()


    I am trying to understand eval()
    PHP Code:
    $x = '11+33';
    print eval($x);
    If eval() evaluates the string as PHP code, why don't I get 44 as my output?
    Obviously I don't understand eval();
    HELP!
    Evan
  #2
  Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,122
    Rep Power
    9398
    Think of eval() like a function call.
    PHP Code:
    function x() {
        11+33;
    }

    Naturally,
    PHP Code:
    print x(); 
    won't print anything...


    But in case you were considering it, DON'T USE EVAL. There are virtually no good uses for it, and no good excuses for putting it in code. It's great to know about it but leave it at that.
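To make the function analogy concrete, here is a small added example (not code from the thread) that shows what eval() actually hands back in each case. It assumes PHP 8, where a parse error inside eval() is thrown as ParseError instead of silently returning false as older versions did; the helper name eval_result is mine.

```php
<?php
declare(strict_types=1);

/**
 * Run a string through eval() and return whatever eval() returns,
 * turning a parse error into a readable string instead of a crash.
 * Added example for illustration only; constant strings, no user input.
 */
function eval_result(string $code): mixed
{
    try {
        return eval($code);
    } catch (ParseError $e) {
        return 'ParseError: ' . $e->getMessage();
    }
}

// Like `function x() { 11+33; }`: the sum is computed and then discarded,
// because nothing in the evaluated code returns it.
var_dump(eval_result('11+33;'));

// Like `function x() { return 11+33; }`: now the value comes back to the caller.
var_dump(eval_result('return 11+33;'));

// The original snippet had no trailing semicolon, so it is not even a
// complete PHP statement and never gets as far as being executed.
var_dump(eval_result('11+33'));
```

Running it shows the three outcomes in order: NULL for the statement without a return, int(44) once the code returns the value, and a ParseError string for the snippet that lacks its semicolon. The first case is exactly what the original post ran into: print receives NULL and prints nothing.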
  #3
  Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Nov 2003
    Posts
    698
    Rep Power
    95
    I read about it but I need to evaluate a simple formula that the user will input. How would I do that without eval()? The formula is in a variable and I thought eval() would do it.
    Evan
  #4
  Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,122
    Rep Power
    9398
    Okay, that is one possible use for eval(). But validate the expression to hell and back before you try executing it. Regular expressions or string parsers are the two best options for that.
  #5
  Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6351
    To evaluate a very simple formula (2 values and an operator), put all 3 in separate inputs and switch on the operator.

    What if, instead of a number like you expected, I input:
    Code:
    2+3;phpinfo();
    You'd run that through eval and you'd get 5...and I'd get the entire dump of your PHP.ini, including local passwords, filesystem paths, OS information, version information, patches, extensions...you may as well hand me the keys to your rack (assuming your racks are locked like they should be).
  #6
  --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    you shouldn't even try to "validate" the string by fumbling with regexes. There's a gigantic chance of f*cking that up, and if you do, you're screwed as ManiacDan already explained.

    The rule "eval() is evil" exists for a reason. 99% of the time, using eval() is a really, really bad idea. Either it's a gigantic security hole, or it's a symptom of terrible programming.

    In your case, the appropriate solution would be to use a separate interpreter for those expressions. The interpreter can be a simple PHP program, or it can be an external tool you call from your PHP script.

    And surprise, surprise: Somebody already thought about a math parser:
    https://gist.github.com/ircmaxell/1232629
    (it's just the first result I found, so there could be much better implementations)
  #7
  Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2013
    Posts
    22
    Rep Power
    0
    Originally Posted by ManiacDan
    To evaluate a very simple formula (2 values and an operator), put all 3 in separate inputs and switch on the operator.
    If your input really will be as simple, or close to it, as your example, here is one possible expansion on ManiacDan:
    Code:
    strip white space
    loop while input is not empty
      use regex to find the first digit, maybe something like (\d+) and push it to an fifo array
      push the next char onto the array
    pop off the first value from the array, store as $total
    loop while array is not empty
      pop off the current operator
      pop off the next value as $cur
      $total=$total (operator) $cur
    Of course this would break on anything with more than basic operators. But it should be safe with the obligatory input sanitization.
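The following is an added example (not code from the thread) that turns the pseudocode above into working PHP and, at the same time, implements ManiacDan's advice from post #5 to switch on the operator rather than execute anything. It assumes PHP 8, unsigned integer operands, the four operators + - * /, and strict left-to-right evaluation with no precedence, exactly as the pseudocode does; the function name safe_calc is mine. Anything that is not a digit or one of those operators is rejected before any arithmetic happens, so the input from post #5 never gets near eval().

```php
<?php
declare(strict_types=1);

/**
 * Evaluate a very simple arithmetic string such as "11 + 33" without eval().
 * Rejects the input with InvalidArgumentException unless it is strictly
 * number, operator, number, operator, ..., number.
 */
function safe_calc(string $input): int|float
{
    // 1. strip white space
    $s = preg_replace('/\s+/', '', $input);
    if ($s === null || $s === '') {
        throw new InvalidArgumentException('empty expression');
    }

    // 2. tokenize into a FIFO array: number, operator, number, ...
    $tokens = [];
    while ($s !== '') {
        if (!preg_match('/^\d+/', $s, $m)) {
            throw new InvalidArgumentException("expected a number at: {$s}");
        }
        $tokens[] = (int) $m[0];
        $s = substr($s, strlen($m[0]));
        if ($s === '') {
            break;                       // expression ends with a number, as it should
        }
        $op = $s[0];
        if (!in_array($op, ['+', '-', '*', '/'], true)) {
            // ';', '(', letters, anything else: refuse, do not "sanitize"
            throw new InvalidArgumentException("unexpected character: {$op}");
        }
        $tokens[] = $op;
        $s = substr($s, 1);
    }
    if (count($tokens) % 2 === 0) {
        throw new InvalidArgumentException('expression ends with an operator');
    }

    // 3. pop the first value, then consume operator/value pairs left to right,
    //    switching on the operator instead of executing the string
    $total = array_shift($tokens);
    while ($tokens !== []) {
        $op  = array_shift($tokens);
        $cur = array_shift($tokens);
        switch ($op) {
            case '+': $total = $total + $cur; break;
            case '-': $total = $total - $cur; break;
            case '*': $total = $total * $cur; break;
            case '/':
                if ($cur === 0) {
                    throw new DivisionByZeroError('division by zero');
                }
                $total = $total / $cur;
                break;
        }
    }
    return $total;
}

// Demonstration with constructed inputs
var_dump(safe_calc('11 + 33'));
var_dump(safe_calc('2+3*4'));
try {
    safe_calc('2+3;phpinfo();');     // the input from post #5
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first call yields 44. The second yields 20, not 14, because the loop evaluates strictly left to right with no operator precedence, which is the limitation post #7 already points out. The third call throws "unexpected character: ;" during tokenizing: the string is never handed to the PHP interpreter, so there is nothing to exploit regardless of what follows the semicolon. If precedence, parentheses or decimals are needed, this is the point to switch to a real expression parser such as the one linked in post #6 rather than to loosen the validation.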
  #8
  Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Nov 2003
    Posts
    698
    Rep Power
    95
    Got it.

    Stay away from it.
    Evan
