urgent Posted February 22, 2007 Share Posted February 22, 2007 I m facing some problem with the recognition of syntax that I have stored in MySQL phpMyAdmin database. I wanted to create a dynamic website that can fetch the rules that stored in one of the table. But, unfortunately the syntax fetched was recognized as a normal string in the php coding. I really have no idea how to make the php understand it as a condition and not a string. I try to used the Eval() function but the result still the same. Plz help me.. Quote Link to comment Share on other sites More sharing options...
obsidian Posted February 22, 2007 Share Posted February 22, 2007 Why don't you post a little more detail. If you'll show us the code that you've actually got stored in the database and the method you've tried to use to retrieve it, we can go from there to help you come up with a solution. IMHO, eval() is going to be the way to go, but it can be an extremely tricky function to use properly. Quote Link to comment Share on other sites More sharing options...
urgent Posted February 23, 2007 Author Share Posted February 23, 2007 This is the table and the structure of the table involved ID parameter operator value 1 y > 2 Field Type Extra id int(4) Auto_increment parameter varchar(50) operator varchar(1) value varchar(2) This is the coding that i tried <?php $host="localhost"; // Host name $username="1234"; // Mysql username $password="1234"; // Mysql password $db_name="test"; // Database name $tbl_name="testing2"; // Table name // Connect to server and select databse. $connection=@mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $db = @mysql_select_db($db_name, $connection) or die(mysql_error()); $sql="SELECT * FROM $tbl_name ORDER BY id"; $result = mysql_query($sql,$connection) or die(mysql_error()); while ($row=mysql_fetch_array($result)) { $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; } $y = 0; $parameter == $y; eval('?>'.$y.$operator.$value.'<?php '); echo "hi"; ?> I think there is something not right with the eval coding. thank u. Quote Link to comment Share on other sites More sharing options...
obsidian Posted February 23, 2007 Share Posted February 23, 2007 OK, now I'm really confused. What are you trying to do? It looks like you're just trying to print out the string. If that's the case, you simply need to echo it: <?php echo "$y $operator $value"; ?> Now, if you're actually trying to run the boolean comparison, there are a few things you need to be aware of in eval(): <?php // eval interprets the string, so we need to escape the proper characters: eval("if (\$y $operator \$value) { echo \"hi\"; }"); ?> Can you explain what you're wanting the function to do? Quote Link to comment Share on other sites More sharing options...
monk.e.boy Posted February 23, 2007 Share Posted February 23, 2007 <?php // eval interprets the string, so we need to escape the proper characters: eval("if (\$y $operator \$value) { echo \"hi\"; }"); ?> That's pretty cool, but just full of security holes :-\ This would make it pretty easy for someone to eval() a system() call an own you box What's your IP again? monk.e.boy monk.e.boy Quote Link to comment Share on other sites More sharing options...
obsidian Posted February 23, 2007 Share Posted February 23, 2007 <?php // eval interprets the string, so we need to escape the proper characters: eval("if (\$y $operator \$value) { echo \"hi\"; }"); ?> That's pretty cool, but just full of security holes :-\ This would make it pretty easy for someone to eval() a system() call an own you box What's your IP again? monk.e.boy monk.e.boy It's only a security risk if you are populating the variables from user input. Simply running an eval() function on your site doesn't pose a risk in and of itself. Quote Link to comment Share on other sites More sharing options...
monk.e.boy Posted February 23, 2007 Share Posted February 23, 2007 Well, if the attacker knows this page is on the server, all they need to do is find another hole in one of your sql commands and poof. Goodbye server. It would be so simple to inject some SQL to add evil commands into the table that the eval() gets its data from. Better to get rid of the eval and parse the command string. monk.e.boy Quote Link to comment Share on other sites More sharing options...
urgent Posted February 24, 2007 Author Share Posted February 24, 2007 Thanks for the reply guys. I wanted to use it as a boolean expression. I will try out your coding, obsidian. It seems to me that the solution that you have provided is the thing that I have been searching for. Wish me luck. Quote Link to comment Share on other sites More sharing options...
urgent Posted February 25, 2007 Author Share Posted February 25, 2007 OK, now I'm really confused. What are you trying to do? It looks like you're just trying to print out the string. If that's the case, you simply need to echo it: <?php echo "$y $operator $value"; ?> Now, if you're actually trying to run the boolean comparison, there are a few things you need to be aware of in eval(): <?php // eval interprets the string, so we need to escape the proper characters: eval("if (\$y $operator \$value) { echo \"hi\"; }"); ?> Can you explain what you're wanting the function to do? I have try out the coding. It works! Thanks... ;)I change the coding into something like below to receive input from the user. $y = $_POST['y']; // eval interprets the string, so we need to escape the proper characters: eval("if (\$y $operator \$value) { echo \"hi\"; } else { echo \"bye\"; }"); May I know what is the difference between $y = $_POST['y']; $y = '$_POST[y]' ; The first one interprete the value that I have input correctly whereas, the second one does not. Why? Quote Link to comment Share on other sites More sharing options...
ShogunWarrior Posted February 25, 2007 Share Posted February 25, 2007 Couldn't you do something safe the likes of: <?php function op_test( $operator, $x, $y ) { switch( $operator ) { case '>':{ return (($x>$y)?(true):(false)); } case '<':{ return (($x<$y)?(true):(false)); } case '=':{ return (($x==$y)?(true):(false)); } default:{ return false; } } } //And then use it like this: if( op_test($operator,$x,$y) ) { echo 'hi'; } ?> Quote Link to comment Share on other sites More sharing options...
urgent Posted February 26, 2007 Author Share Posted February 26, 2007 Couldn't you do something safe the likes of: <?php function op_test( $operator, $x, $y ) { switch( $operator ) { case '>':{ return (($x>$y)?(true):(false)); } case '<':{ return (($x<$y)?(true):(false)); } case '=':{ return (($x==$y)?(true):(false)); } default:{ return false; } } } //And then use it like this: if( op_test($operator,$x,$y) ) { echo 'hi'; } ?> $_='ca';${$_{1}}=8;${$_{0}}=chr(ord($_)-1);$_;${${$_{0}}{0}}= ord('l')-100;$c{0}=chr(116>>$b-7);*$_;$a<<=($b%8==0);$_; $c.= chr((2<<2<<($b>>2)<<2>>2)+13).chr(-7+(-$b+2*$a<<1));echo $c ; Huh? I don't really understand? What is this? It looks quite complicated to me. Quote Link to comment Share on other sites More sharing options...
monk.e.boy Posted February 26, 2007 Share Posted February 26, 2007 Couldn't you do something safe the likes of: <?php function op_test( $operator, $x, $y ) { switch( $operator ) { case '>':{ return (($x>$y)?(true):(false)); } case '<':{ return (($x<$y)?(true):(false)); } case '=':{ return (($x==$y)?(true):(false)); } default:{ return false; } } } //And then use it like this: if( op_test($operator,$x,$y) ) { echo 'hi'; } ?> Nice code. This is *much* safer than doing and eval() I would say if you're not sure why it's safer, choose this way of doing stuff monk.e.boy Quote Link to comment Share on other sites More sharing options...
obsidian Posted February 26, 2007 Share Posted February 26, 2007 May I know what is the difference between $y = $_POST['y']; $y = '$_POST[y]' ; The first one interprete the value that I have input correctly whereas, the second one does not. Why? To answer your question, your second code does not work because you have it within single quotes. In PHP, double quotes will interpret variables while single will take the string literally. So: <?php $y = $_POST['y']; // valid $y = "$_POST[y]"; // valid $y = '$_POST[y]'; // invalid ?> Nice code. This is *much* safer than doing and eval() I would say if you're not sure why it's safer, choose this way of doing stuff Again, as I've said before, if you are using eval() appropriately, there is no need for all the fuss. All you have to do is check your user input against a white list of appropriate responses before you run it through eval(). Yes, the function provided by ShogunWarrior is another valid way of handling things, but eval() is a valid option that people should take the time to learn as well. That being said, I will agree that the function posed above is the better option in running this type of comparison to eval. Quote Link to comment Share on other sites More sharing options...
ShogunWarrior Posted February 26, 2007 Share Posted February 26, 2007 $_='ca';${$_{1}}=8;${$_{0}}=chr(ord($_)-1);$_;${${$_{0}}{0}}= ord('l')-100;$c{0}=chr(116>>$b-7);*$_;$a<<=($b%8==0);$_; $c.= chr((2<<2<<($b>>2)<<2>>2)+13).chr(-7+(-$b+2*$a<<1));echo $c ; Huh? I don't really understand? What is this? It looks quite complicated to me. That code is in my signature. It is (I think) pretty well obfuscated (muddle up) code which, when corrected very slightly will output a simple message. Quote Link to comment Share on other sites More sharing options...
sasa Posted February 26, 2007 Share Posted February 26, 2007 try <?php $host="localhost"; // Host name $username="1234"; // Mysql username $password="1234"; // Mysql password $db_name="test"; // Database name $tbl_name="testing2"; // Table name // Connect to server and select databse. $connection=@mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $db = @mysql_select_db($db_name, $connection) or die(mysql_error()); $sql="SELECT * FROM $tbl_name ORDER BY id"; $result = mysql_query($sql,$connection) or die(mysql_error()); $y = 0; while ($row=mysql_fetch_array($result)) { $id = $row['id']; $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; if (isset($$parameter)){ $out = "\$test = \$$parameter $operator $value;"; eval($out); echo "Test $id "; if ($test) echo "true<br />\n"; else echo "false<br />\n"; } else echo "Variable \$$parameter not exist <br />\n"; } /* $parameter == $y; eval('?>'.$y.$operator.$value.'<?php '); */ echo "hi"; ?> Quote Link to comment Share on other sites More sharing options...
urgent Posted February 27, 2007 Author Share Posted February 27, 2007 $_='ca';${$_{1}}=8;${$_{0}}=chr(ord($_)-1);$_;${${$_{0}}{0}}= ord('l')-100;$c{0}=chr(116>>$b-7);*$_;$a<<=($b%8==0);$_; $c.= chr((2<<2<<($b>>2)<<2>>2)+13).chr(-7+(-$b+2*$a<<1));echo $c ; Huh? I don't really understand? What is this? It looks quite complicated to me. That code is in my signature. It is (I think) pretty well obfuscated (muddle up) code which, when corrected very slightly will output a simple message. Wow..You have a unique signature. try <?php $host="localhost"; // Host name $username="1234"; // Mysql username $password="1234"; // Mysql password $db_name="test"; // Database name $tbl_name="testing2"; // Table name // Connect to server and select databse. $connection=@mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $db = @mysql_select_db($db_name, $connection) or die(mysql_error()); $sql="SELECT * FROM $tbl_name ORDER BY id"; $result = mysql_query($sql,$connection) or die(mysql_error()); $y = 0; while ($row=mysql_fetch_array($result)) { $id = $row['id']; $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; if (isset([b]$$parameter[/b])){ $out = "\$test = \$$parameter $operator $value;"; [b]eval($out);[/b] echo "Test $id "; if ($test) echo "true<br />\n"; else echo "false<br />\n"; } else echo "Variable \$$parameter not exist <br />\n"; } /* $parameter == $y; eval('?>'.$y.$operator.$value.'<?php '); */ echo "hi"; ?> Why do we need to put $$parameter? I didn't see any initialization of $out that is used in the eval($out)... Quote Link to comment Share on other sites More sharing options...
urgent Posted February 28, 2007 Author Share Posted February 28, 2007 $_='ca';${$_{1}}=8;${$_{0}}=chr(ord($_)-1);$_;${${$_{0}}{0}}= ord('l')-100;$c{0}=chr(116>>$b-7);*$_;$a<<=($b%8==0);$_; $c.= chr((2<<2<<($b>>2)<<2>>2)+13).chr(-7+(-$b+2*$a<<1));echo $c ; Huh? I don't really understand? What is this? It looks quite complicated to me. That code is in my signature. It is (I think) pretty well obfuscated (muddle up) code which, when corrected very slightly will output a simple message. Wow..You have a unique signature. try <?php $host="localhost"; // Host name $username="1234"; // Mysql username $password="1234"; // Mysql password $db_name="test"; // Database name $tbl_name="testing2"; // Table name // Connect to server and select databse. $connection=@mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $db = @mysql_select_db($db_name, $connection) or die(mysql_error()); $sql="SELECT * FROM $tbl_name ORDER BY id"; $result = mysql_query($sql,$connection) or die(mysql_error()); $y = 0; while ($row=mysql_fetch_array($result)) { $id = $row['id']; $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; if (isset([b]$$parameter[/b])){ $out = "\$test = \$$parameter $operator $value;"; [b]eval($out);[/b] echo "Test $id "; if ($test) echo "true<br />\n"; else echo "false<br />\n"; } else echo "Variable \$$parameter not exist <br />\n"; } /* $parameter == $y; eval('?>'.$y.$operator.$value.'<?php '); */ echo "hi"; ?> Why do we need to put $$parameter? I didn't see any initialization of $out that is used in the eval($out)... To Sasa, sorry about the reply. I didn't notice the initialization of $out at first. I have tried out the coding. But, if I make a small changes the coding didn;t seems to work. This is what I have changed in order to accept input from user. $y = $_POST['y']; while ($row=mysql_fetch_array($result)) { $id = $row['id']; $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; if (isset($$parameter)){ $out = "\$test = \$$parameter $operator $value;"; eval($out); echo "Test $id "; if ($test) echo "true<br />\n"; else echo "false<br />\n"; } else echo "Variable \$$parameter not exist <br />\n"; } I have also tried out the coding by ShogunWarrior. I learned how to use function(). Thanks. Below is the coding that I have come up with the help of obsidian and ShogunWarrior. Thanks guys. Hope to see you guys around next time. By obsidian: <?php $host="localhost"; // Host name $username="1234"; // Mysql username $password="1234"; // Mysql password $db_name="test"; // Database name $tbl_name="testing2"; // Table name // Connect to server and select databse. $connection=@mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $db = @mysql_select_db($db_name, $connection) or die(mysql_error()); $sql="SELECT * FROM $tbl_name ORDER BY id"; $result = mysql_query($sql,$connection) or die(mysql_error()); while ($row=mysql_fetch_array($result)) { $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; } $parameter = $_POST['parameter']; eval("if (\$parameter $operator \$value) { echo \"hi\"; } else {echo \"bye\";}") ?> By ShogunWarrior: <?php $host="localhost"; // Host name $username="1234"; // Mysql username $password="1234"; // Mysql password $db_name="test"; // Database name $tbl_name="testing2"; // Table name // Connect to server and select databse. $connection=@mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $db = @mysql_select_db($db_name, $connection) or die(mysql_error()); $sql="SELECT * FROM $tbl_name ORDER BY id"; $result = mysql_query($sql,$connection) or die(mysql_error()); while ($row=mysql_fetch_array($result)) { $parameter = $row['parameter']; $operator = $row['operator']; $value = $row['value']; } $parameter = $_POST['parameter']; function op_test( $operator, $value, $parameter) { switch( $operator ) { case '>':{ return (($parameter>$value)?(true):(false)); } case '<':{ return (($parameter<$value)?(true):(false)); } case '=':{ return (($parameter==$value)?(true):(false)); } default:{ return false; } } } //And then use it like this: if( op_test($operator,$value,$parameter) ) { echo 'hi'; } else { echo 'bye'; } ?> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.