
safe to use eval()?

  • 15-01-2014 10:06am
    #1
    Registered Users, Registered Users 2 Posts: 156 ✭✭


    Hi there, just thought I'd look for some advice. I'm making a website where you can make posts with equations, for example:

    "This is a graph [PLOT]sin(x)[/PLOT] It looks cool and stuff"

    This will create the text and image. At the moment I can draw it and display the page, but basically I'm using eval to evaluate sin(x) to work out x,y points. So I'm sure users could do something dodgy like [PLOT]badthings();sin(x)[/PLOT]

    I'm sure there are ways to do this. I could use regexp to find the functions then set them like var f = Math.sin or something, but I'm sure this would be very awkward to do with testing for composition of functions and applying operations in the right order and things, so I'm hoping I can use eval in a simpler way. Is there a safe way to do this? I'm thinking I'll just use regular expressions to test what's there and not allow certain things. Is this insecure? How could I best implement this?


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Why don't you map functionality from your website/forum to PHP code? Do this for every function you want to allow, e.g. [plot]sin(x)[/plot] actually calls sin(x) in PHP. If they call a different function, it simply does nothing if you haven't mapped it.

    You might have a nightmare trying to filter everything you send to eval(), and you can never be sure it isn't bypassable. So in my opinion I'd avoid eval().


  • Registered Users, Registered Users 2 Posts: 156 ✭✭MoogPoo


    Thanks, I'll probably have to do that. Why PHP though? Would mapping to JavaScript functions work as well? I want to use a lot of different functions like trig, pow, floor, exp etc., and they could be used for more complicated functions like
    f(x) = 3*sin(cos^2(x)) + 4*x
    So would mapping them for these types work too, or do you mean only allow a set list of simple functions?

    Edit: Ah, it's the JavaScript eval I'm currently using, if that makes a difference.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Oops, my mistake, automatically assumed PHP.


    Hmm, JavaScript eval() will only affect the client side. So unless the user is somehow tricked into entering malicious formulas/code, you might be OK?


  • Registered Users, Registered Users 2 Posts: 156 ✭✭MoogPoo


    Cool, well users would make a post that others could see, so I'd be worried about XSS or something like that?
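
The approach suggested in the thread (map each allowed name to a real function instead of filtering input for eval) works just as well in JavaScript, and it covers the composed expressions asked about above, like 3*sin(cos(x)^2) + 4*x, because the parser rather than eval decides what can run. The following is an added example, not code from the thread or from any poster: a small tokenizer and recursive-descent parser that compiles a plot expression into a function of x, supporting arbitrary nesting, precedence and a right-associative ^ operator. Anything outside the whitelist (the function names, pi, e and the variable x are assumptions; the input notation cos(x)^2 rather than cos^2(x) is also an assumption) fails to parse, so "[PLOT]badthings();sin(x)[/PLOT]" is rejected when the post is submitted and never runs in another reader's browser. That addresses the stored-XSS worry for the expression part; the surrounding post text still needs ordinary HTML escaping, which this example does not cover.

```javascript
// Added example (not code from the thread): evaluates a user-supplied plot
// expression without eval(). Only the whitelisted names below are callable, so
// "[PLOT]badthings();sin(x)[/PLOT]" fails to parse when the post is submitted.

// Maps, not plain objects: an object table would also answer lookups for
// prototype keys such as "constructor" or "__proto__".
const FUNCTIONS = new Map([
  ['sin', Math.sin], ['cos', Math.cos], ['tan', Math.tan], ['exp', Math.exp],
  ['sqrt', Math.sqrt], ['floor', Math.floor], ['pow', Math.pow], ['max', Math.max],
]);
const CONSTANTS = new Map([['pi', Math.PI], ['e', Math.E]]);

// Lexer. The sticky (y) regex must match at lastIndex, so any character outside
// numbers, identifiers and the listed operators (";", ".", "=", quotes...) is an error.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d*)?|\.\d+)|([A-Za-z_][A-Za-z0-9_]*)|([-+*/^(),]))\s*/y;
  const tokens = [];
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected character ${JSON.stringify(src[pos])} at ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: parseFloat(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'name', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  tokens.push({ type: 'end' });
  return tokens;
}

// Recursive-descent parser. Every rule returns a closure (env) => number, so an
// expression is parsed once and evaluated for each sample point. Grammar:
//   expr := term (('+'|'-') term)*      term := unary (('*'|'/') unary)*
//   unary := ('-'|'+') unary | power    power := atom ('^' unary)?  (right-assoc)
//   atom := number | name '(' args ')' | name | '(' expr ')'
function compile(source, variables = ['x']) {
  const src = String(source).trim();
  if (src.length > 1000) throw new SyntaxError('expression too long'); // bounds recursion depth
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (ch) => peek().type === 'op' && peek().value === ch;
  const expectOp = (ch) => { if (!isOp(ch)) throw new SyntaxError(`expected '${ch}'`); next(); };
  // Left-associative binary level: sub (op sub)* over the given operator table.
  function binary(sub, ops) {
    let lhs = sub();
    while (peek().type === 'op' && ops.has(peek().value)) {
      const f = ops.get(next().value), l = lhs, r = sub();
      lhs = (env) => f(l(env), r(env));
    }
    return lhs;
  }
  const ADDITIVE = new Map([['+', (a, b) => a + b], ['-', (a, b) => a - b]]);
  const MULTIPLICATIVE = new Map([['*', (a, b) => a * b], ['/', (a, b) => a / b]]);
  const expr = () => binary(term, ADDITIVE);
  const term = () => binary(unary, MULTIPLICATIVE);
  function unary() {
    if (isOp('-')) { next(); const operand = unary(); return (env) => -operand(env); }
    if (isOp('+')) { next(); return unary(); }
    return power();
  }
  function power() {
    const base = atom();
    if (!isOp('^')) return base;
    next();
    const exponent = unary();
    return (env) => Math.pow(base(env), exponent(env));
  }
  function atom() {
    const t = next();
    if (t.type === 'end') throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') { const v = t.value; return () => v; }
    if (t.type === 'op' && t.value === '(') { const inner = expr(); expectOp(')'); return inner; }
    if (t.type !== 'name') throw new SyntaxError(`unexpected '${t.value}'`);
    const name = t.value;
    if (isOp('(')) { // function call: only whitelisted names, nothing from the global scope
      next();
      const args = [];
      if (!isOp(')')) { args.push(expr()); while (isOp(',')) { next(); args.push(expr()); } }
      expectOp(')');
      const impl = FUNCTIONS.get(name);
      if (!impl) throw new SyntaxError(`unknown function '${name}'`);
      return (env) => impl(...args.map((a) => a(env)));
    }
    if (CONSTANTS.has(name)) { const v = CONSTANTS.get(name); return () => v; }
    if (variables.includes(name)) return (env) => env[name];
    throw new SyntaxError(`unknown name '${name}'`);
  }
  const fn = expr();
  if (peek().type !== 'end') throw new SyntaxError(`unexpected '${peek().value}'`);
  return fn;
}

// What the plotter calls: the x,y points for the canvas, computed without eval().
function samplePoints(source, xmin, xmax, count) {
  const f = compile(source);
  const step = (xmax - xmin) / (count - 1);
  return Array.from({ length: count }, (_, k) => [xmin + k * step, f({ x: xmin + k * step })]);
}
```

The difference from filtering eval input is that the parser defines a closed language: a name is either in the table or a parse error, so there is nothing to bypass. Two details matter in practice. The lookup tables are Maps, because a plain object used as a whitelist also resolves inherited keys such as constructor or toString. And the check belongs at post-submission time on the server as well as in the browser, so that a rejected expression is reported to the author and never stored for other readers to load.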

