Home/ Questions/Q 8439485
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T08:00:56+00:00

I would like to know if there was a secure way to evaluate mathematics

  • 0

I would like to know if there was a secure way to evaluate mathematics like

2+2
10000+12000
10000-20
2 + 2
40 - 20 + 23 - 12

Without having to use eval() because the input can come from any users. The things I’d need to implement are only additions and subtractions of whole numbers.

Is there any snippets that already exists for that, or any PHP functions I haven’t come across?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would question using eval, considering the variety of mathematic functions available in PHP. You’ve said you only want to do simple math — the only reason to use eval is to perform more complex operations, or to accept the equations whole-cloth from the user.

    If you just want to add or subtract, sanitize the input with intval and go to town:

    $number1 = '100';
$number2 = 'shell_exec(\'rm -rf *\')';
echo intval($number1) + intval($number2); // 100

    Try it: http://codepad.org/LSUDUw1M

    This works because intval ignores anything non-numeric.

    If you are indeed getting the whole equation from user input (ie 100 - 20), you can use preg_replace to remove anything except the allowed operators and numbers:

    $input = '20 + 4; shell_exec(\'rm *\')';
$input = preg_replace(
    '/[^0-9+-]/', 
    '',
    $input
);
eval('$result = '.$input.';');
echo 'result: '.$result; // 24

    Try it: http://codepad.org/tnISDPJ3

    Here, we’re using the regex /[^0-9+-]/, which matches anything NOT 0-9 OR + OR – and replaces it with an empty string.

    If you want to get more in to depth with allowed equations, taken straight from the eval manual page:

    // credit for code to bohwaz (http://www.php.net/manual/en/function.eval.php#107377)
$test = '2+3*pi';

// Remove whitespaces
$test = preg_replace('/\s+/', '', $test);

$number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
$functions = '(?:abs|a?cosh?|a?sinh?|a?tanh?|exp|log10|deg2rad|rad2deg|sqrt|ceil|floor|round)'; // Allowed PHP functions
$operators = '[+\/*^%-]'; // Allowed math operators
$regexp = '/^(('.$number.'|'.$functions.'\s*\((?1)+\)|\((?1)+\))(?:'.$operators.'(?2))?)+$/'; // Final regexp, heavily using recursive patterns

if (preg_match($regexp, $q))
{
    $test = preg_replace('!pi|π!', 'pi()', $test); // Replace pi with pi function
    eval('$result = '.$test.';');
}
else
{
    $result = false;
}

    Documentation

    • 0