Hi,
I need another pair of eyes to see if I've overlooked something.
I'm developing a form class for a project. The class can generate the form
and upon submission validate it through a rules system.
Rules are valid PHP commands which can evaluate as boolean, e.g.:
$form->addRule('strlen({uname})>0', 'You must specify a user name');
or
$form->addRule('{pass1}=={pass2}','The passwords are not identical');
I hope you get the idea.
As you can see, the variable names are enclosed in {} and expanded when the
rule is added.
So
'{pass1}=={pass2}'
is converted to
'$GLOBALS['pass1']==$GLOBALS['pass2']'
When the form is validated I'm running eval() to evaluate the expression. I'm
concerned that there's an exploit somewhere, maybe a user entering some
malicious data (I don't like using eval that often). But I'm not using eval()
directly on user entered data, and I can't see where it is possible.
Any comments?
Thanks
--
Kriheli Meir
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
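Added example, not the poster's class and not code from the list: a minimal PHP rule engine that expands {field} placeholders to $GLOBALS['field'] exactly as the post describes, with the two checks a reviewer would ask for. First, the placeholder must be a plain identifier, because anything else inside the braces becomes part of the string that eval() parses; second, an eval()-free closure rule is shown beside the string rule. The class and method names (FormRules, expand, addRule, addClosure, validate), the PHP 7.4+ syntax and the submitted values are all assumptions made for this example.

```php
<?php
// Added example, not the poster's class. Assumes PHP 7.4+; the names
// FormRules, expand, addRule, addClosure and validate are chosen here.

class FormRules
{
    private $rules = [];

    // Expand {field} to $GLOBALS['field'], as the post describes, but only
    // when the placeholder is a plain identifier. A quote, bracket or
    // semicolon inside the braces would otherwise become code for eval().
    public static function expand(string $rule): string
    {
        return preg_replace_callback(
            '/\{([^}]*)\}/',
            function (array $m): string {
                if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $m[1])) {
                    throw new InvalidArgumentException(
                        'refusing placeholder {' . $m[1] . '}: not an identifier'
                    );
                }
                return "\$GLOBALS['" . $m[1] . "']";
            },
            $rule
        );
    }

    // Rule strings are code: they must come from application source,
    // never from request data, field names included.
    public function addRule(string $rule, string $message): void
    {
        $this->rules[] = ['expr' => self::expand($rule), 'message' => $message];
    }

    // eval()-free alternative: the rule is a closure over the submitted fields.
    public function addClosure(callable $check, string $message): void
    {
        $this->rules[] = ['check' => $check, 'message' => $message];
    }

    // Returns the message of every rule that evaluated to false.
    public function validate(array $fields): array
    {
        $errors = [];
        foreach ($this->rules as $rule) {
            if (isset($rule['expr'])) {
                $ok = eval('return (' . $rule['expr'] . ');');
            } else {
                $ok = ($rule['check'])($fields);
            }
            if (!$ok) {
                $errors[] = $rule['message'];
            }
        }
        return $errors;
    }
}

// Constructed submission: the password field carries PHP source text, but it
// is only ever a string value inside $GLOBALS, so eval() never parses it.
$GLOBALS['uname'] = 'meir';
$GLOBALS['pass1'] = "'; system('id'); //";
$GLOBALS['pass2'] = 'something else';

$form = new FormRules();
$form->addRule('strlen({uname})>0', 'You must specify a user name');
$form->addRule('{pass1}=={pass2}', 'The passwords are not identical');
$form->addClosure(
    function (array $f): bool { return $f['pass1'] === $f['pass2']; },
    'The passwords are not identical (closure rule)'
);

print_r($form->validate([
    'pass1' => $GLOBALS['pass1'],
    'pass2' => $GLOBALS['pass2'],
]));

// The real injection path: a placeholder name built from untrusted input.
// The identifier check rejects it before it can reach eval().
try {
    $form->addRule("{uname']); system('id'); //}", 'never reached');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the example is where the trust boundary sits: submitted values are data held in variables, so they never reach the parser, but the rule string and every placeholder name inside it are code. If either is ever assembled from request data (a field name taken from the posted form, a rule stored in a database a user can write to), eval() runs whatever was injected. The closure rule avoids the question entirely and is the form a practitioner would prefer when the rule set is fixed at development time.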