returning the result of a string such as 1+5


EllaJo


I want this to echo 6, but I'm getting the string 1+5. Eventually $y will be replaced with other values ('-', '*', '/') based on which button was pressed. I am not having a problem getting the proper equation.

<?php
$x = 1;
$y = "+";
$z = 5;

// $arg holds the text "1+5". eval() is given the literal source
// '$ohboy = $arg;', so it copies that string instead of computing it.
$arg = $x . $y . $z;
eval('$ohboy = $arg;');
echo $ohboy; // prints 1+5, not 6
?>

 

I can make it work if I create a switch:

<?php
// Dispatch on the operator string. Each case is spelled out, so only
// these four operators can ever be evaluated.
function execute($argA, $argB, $argC) {
    switch ($argB) {
        case '+':
            $result = $argA + $argC;
            break;
        case '-':
            $result = $argA - $argC;
            break;
        case '*':
            $result = $argA * $argC;
            break;
        case '/':
            $result = $argA / $argC;
            break;
        default:
            // Without this, an unknown operator leaves $result undefined.
            $result = 'ERROR';
            break;
    }
    return $result;
}

$x = 1;
$y = '+';
$z = 5;

echo execute($x, $y, $z);
?>

 

The problem is that the switch is kind of clunky. Is there a way to make the code a little neater and still get the result I need?

 

Thanks so much for any help!

The switch is the safest way.  I assume someone is inputting these arguments into your script.  What if, instead of "+" they input "; eval('rm -rf .'); //"?

 

If you must use eval (which is stupid and wrong):

eval('$ohboy = ' . $arg . ';');

-Dan


They are pressing buttons, not really inputting. Press 1 and store 1 in variable $x. Press + and store '+' in variable $y. Press 5 and store 5 in variable $z. Press = and print the result of $x.$y.$z.

 

Thanks for your help. The concatenation .$arg. is what I missed.

You think they're pressing buttons, but what they're really doing is sending POST data to your server, which they have full control over.  Based on what you've said, you're completely trusting the user's input.  Don't.  Like I already said, a user CAN send malicious code to your webserver, and you're executing it without sanitizing it.  10 minutes with the URL of this tool and I can compromise your database and delete the files on your server.

 

-Dan


I don't think stupid is the correct word to use here. However, eval() can be dangerous, especially if you are running it on user-supplied values. You really need to sanitize the input. Take a look at is_numeric(), intval(), floatval() for the numbers. Also test the operation string to be sure it is one you support (in_array(), strpos(), etc.). ManiacDan is right in this respect. It is a trivial matter to POST anything I want to any form on the internet, and if the script does not check the inputs, your system will be compromised.

 

Having said that, the switch method is safer and probably more efficient. It also has the advantage of intrinsically validating the operation (add a default case to return "ERROR" or something). But you still should test the user inputs, regardless of which approach you take.
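Pulling the thread's advice together: Dan's point that whatever arrives in the operator field is spliced into eval() as code, and the last reply's suggestion to check the operands with is_numeric() and whitelist the operator with in_array(). The following is an added example, not code from any of the posters. It assumes PHP 8 or later (for match and union return types); the function names calcUnsafe/calcSafe and the $pressed/$hostile values are constructed here to stand in for what a form would deliver in $_POST, where every value is a string.

```php
<?php
declare(strict_types=1);

// The thread's eval() approach, kept only to show the failure.
// The operator string becomes part of the source text that is executed.
function calcUnsafe(string $x, string $y, string $z): mixed
{
    $arg = $x . $y . $z;
    $ohboy = null;
    eval('$ohboy = ' . $arg . ';');
    return $ohboy;
}

// Hardened form: validate both operands, accept only the operators the
// buttons can produce, and compute with a fixed dispatch table.
function calcSafe(string $x, string $y, string $z): int|float
{
    // is_numeric() accepts "1", "2.5", "-3", "1e3"; rejects "1; system(...)".
    if (!is_numeric($x) || !is_numeric($z)) {
        throw new InvalidArgumentException('operands must be numeric');
    }
    // Strict in_array(): no type juggling, the string must match exactly.
    if (!in_array($y, ['+', '-', '*', '/'], true)) {
        throw new InvalidArgumentException('unsupported operator');
    }
    // Numeric-string arithmetic yields int for "5" and float for "2.5";
    // intval() alone would truncate "2.5" to 2.
    $a = $x + 0;
    $b = $z + 0;
    if ($y === '/' && $b == 0) {
        throw new DivisionByZeroError('division by zero');
    }
    // $y is already whitelisted, so no default arm is needed.
    return match ($y) {
        '+' => $a + $b,
        '-' => $a - $b,
        '*' => $a * $b,
        '/' => $a / $b,
    };
}

// Constructed values standing in for $_POST from someone pressing 1, +, 5.
$pressed = ['x' => '1', 'op' => '+', 'z' => '5'];
echo calcSafe($pressed['x'], $pressed['op'], $pressed['z']), "\n"; // 6

// Constructed value from someone who edits the POST body instead of
// pressing a button. Benign here (it only overwrites $ohboy), but it is
// arbitrary PHP and could just as well be shell_exec() or unlink().
$hostile = "; \$ohboy = 'injected'; //";
var_dump(calcUnsafe('1', $hostile, '5')); // string(8) "injected": attacker code ran

try {
    calcSafe('1', $hostile, '5');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n"; // rejected: unsupported operator
}
```

The whitelist does the real work: with in_array() in strict mode, the operator field can only ever be one of four fixed characters, so there is nothing left for an attacker to inject regardless of how the value is later used. The numeric check on the operands matters for the same reason; is_numeric() rejects anything that is not a plain number, so the values never need to be trusted as code.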

 
