Home/ Questions/Q 8098463
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T22:05:11+00:00

I’m wondering what sorts of things should be checked when using eval() in PHP

  • 0

I’m wondering what sorts of things should be checked when using eval() in PHP to parse a formula that is entered by a user filling out a form. I’ve seen lots of answers about eval(), but not all of them seem to agree.

Here’s what I’ve gathered:

  • Don’t use eval for strings (this could be a problem, since it is a formula I need to parse)
  • Strip the input coming from the form (I’m not entirely sure what things I need to strip)
  • Eval may or may not be evil, and is a security risk (are there alternatives for parsing an equation in a string?)

What do you folks think I should do?

EDIT: I tried the eval method, and while it does work, the sanitation I used did not support more than two operands. Since I really don’t feel like writing my own (possibly insecure) sanitation regex, I’m just going to find and use a pre-written math class instead. Thanks to everyone for the suggestions!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you must use eval, the eval docs page on it has some code that will allow you to filter mathematical formulas. But as others, and the PHP docs page, have said, it’s not a good idea to use eval unless there is no other alternative.

    <?php

$test = '2+3*pi';

// Remove whitespaces
$test = preg_replace('/\s+/', '', $test);

$number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
$functions = '(?:sinh?|cosh?|tanh?|abs|acosh?|asinh?|atanh?|exp|log10|deg2rad|rad2deg|sqrt|ceil|floor|round)'; // Allowed PHP functions
$operators = '[+\/*\^%-]'; // Allowed math operators
$regexp = '/^(('.$number.'|'.$functions.'\s*\((?1)+\)|\((?1)+\))(?:'.$operators.'(?2))?)+$/'; // Final regexp, heavily using recursive patterns

if (preg_match($regexp, $q))
{
    $test = preg_replace('!pi|π!', 'pi()', $test); // Replace pi with pi function
    eval('$result = '.$test.';');
}
else
{
    $result = false;
}

?>
    • 0