Mathematical Function matching

[dwees]

So I have a script which is currently dangerous which takes user input and runs it through some parsing and then uses it in an eval(). 

Basically the script takes input from the user which resemble mathematical functions, converts them to the Php versions of the functions, and displays a graph from these functions.  I've got it all working, but I want to validate the user input so that it can't be used to execute arbitrary script.

I thought about removing all of the 'dangerous' characters from the script.  I've sent it through strip_tags, so that's a start.  I know that the characters the user will be entering are alphanumeric, (, ), *, /, -,^ and !  (I've already had a problem with a + sign - tried urlencode on one end, and urldecode on the other, but didn't work, so I've resorted to converting the + signs from the user to 'plus' and then back again before it's used in the script).

Is there anyway for the user to build a dangerous function from these characters?  And if so, what is it, so I can remove it (eg - preg_replace('if','',$string);  And FINALLY my real regexp question! 

How do I create a regexp to only allow alphanumeric, ( , ) , * , / , - , ^ and ! characters through (no commas required)?

Dave

[Zane]

just do a regex validation on the text input
that only allows
[code]
(, ), ^, *, /, \, +, -, [0-9]
[/code]

EDIT:
didn't realize the question was about regex already..lol

[Zane]

[code=php:0]
if(ereg("[^0-9()\*\/\\\^\+-\s]+", $textInput))
  echo "Not a Valid Mathmatical function";
else
  eval($textInput);
[/code]

[dwees]

[code]
if(ereg("[^0-9()\*\/\\\^\+-\s]+", $textInput))
  echo "Not a Valid Mathmatical function";
else
  eval($textInput);
[/code]

To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)

[code]
if(ereg("[^a-z0-9()\*\/\\\^\+-\s]+", $textInput))
  echo "Not a Valid Mathmatical function";
else
  eval($textInput);
[/code]

Could I also do:

[code]
preg_replace("[^a-z0-9()\*\/\\\^\+-\s]+", "", $textInput);
[/code]

Anyway, with just these characters in a string, is there anything dangerous a user could do?  Also, will this regexp remove linebreaks and spaces from the string automatically?

Thanks.

[Zane]

As long as you don't allow them to create variables make PHP statements
you should have to worry about malicious code.

if you block thing like
{
}
$
=
->

and as long as they don't have access to any global variables like _POST or _GET
there's nothing dangerous that could happen...



[quote]
To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)
Code:

if(ereg("[^a-z0-9()\*\/\\\^\+-\s]+", $textInput))
  echo "Not a Valid Mathmatical function";
else
  eval($textInput);
[/quote]

yeah...you can also set for uppercase too
[^a-zA-Z0-9()\*\/\\\^\+-\s]

[dwees]

So I could strip _ from the string to remove their access to Global variables and then it should be fairly safe eh.

[dwees]

Here's my validation function, will this strip the code enough that it will be safe for an eval ?
I think that the last two replaces [i]should[/i] be handled with the first replacement, but better safe than sorry I guess.

[code]
function validate($input) {
$input = strtolower($input);
$input = preg_replace("/[^a-z0-9()\*\/\\\^\+-\s]+/", "", $input);
$input = preg_replace("/[fd]/","", $input);
// Just in case, strip BAD php commands
$input = preg_replace("/(post|get|request|server|global|cookie|env|files|exec|shell|file|passthru|escapeshellcmd|popen|pcntl_exec)/", "", $input);
$input = preg_replace("/'/","",$input);
$input = preg_replace('/"/','',$input);
return $input;
}
[/code]