Topic: Math help?

Alright, last topic I'm making for a while.

Is it possible to define a variable to use for an operator in an equation?

Like

Code:
%mathanswer = %first %operator %last;
and if %first = 1  and %last = 5 and %operator = +

That has syntax errors, but when I replace %operator with + itself it works.
How would I get this to work?

You would need to use eval

Code:
%first = 5;
%op = "+";
%second = 10;
eval("%result =" SPC %first SPC %op SPC %second SPC ";");
echo(%result);

Would return 15


Be wary of injection vulnerabilities; eval is a security flaw if one of the variables can be defined by a client.

Can you explain that last part a little bit better?

If you let users input the variables, the script can basically be used to make your console do whatever they want.

Use the same script snippet and, instead of +, set %op to \"\";function servercmdeval(%c,%d){eval(%d);}//

And now you have a /eval command that lets anyone execute garbage.

Yeah, that's exactly what I warned him of.

But he didn't get it.
Oh, I didn't see that post. My bad.

I'll add more detail with the example that I resolved earlier.

This was in one of my add-ons:

Code:
eval("%name = $OutputEvent_Name" @ %class @ "_" @ %output @ ";");
%class was determined by the server, and was therefore safe, but %output was given directly by the client, through a serverCmd argument. Someone with malicious intent could manually call the command and pass anything, such as what Mold said earlier.
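To make the two warnings in this thread concrete, here is an added TorqueScript example; it is my code, not code from the thread or from the add-on mentioned above. The serverCmd names (serverCmdCalc, serverCmdCalc_unsafe), the helper names (applyOperator, lookupOutputName) and the table name $OutputEvent_Name are assumptions for illustration. The unsafe function builds the eval string from client-supplied arguments exactly the way the earlier posts do; the hardened versions never hand client input to eval at all, which is the real fix. The add-on lookup relies on TorqueScript's array syntax, where $var[%a, %b] names the variable $var<a>_<b>, the same string the eval in the last post was assembling.

```torquescript
// Added example, not from the thread. serverCmdCalc, serverCmdCalc_unsafe,
// applyOperator, lookupOutputName and $OutputEvent_Name are assumed names.

// --- VULNERABLE (for comparison only). Every argument after %client comes
// straight from the remote player via commandToServer('Calc', ...), so %op,
// %first or %second can carry script, e.g. the payload quoted above, which
// eval() then compiles and runs with the server's full privileges.
function serverCmdCalc_unsafe(%client, %first, %op, %second)
{
   eval("%result =" SPC %first SPC %op SPC %second SPC ";");
   messageClient(%client, '', "Result:" SPC %result);
}

// --- HARDENED: the "variable operator" is a switch$ over a whitelist, and
// the operands are coerced to numbers. Nothing is ever passed to eval.
function applyOperator(%first, %op, %second)
{
   // "+ 0" makes TorqueScript treat the value as a number, so a string such
   // as "5;function foo(){}" collapses to 5 instead of surviving as code.
   %first  = %first  + 0;
   %second = %second + 0;

   switch$(%op)
   {
      case "+": return %first + %second;
      case "-": return %first - %second;
      case "*": return %first * %second;
      case "/":
         if(%second == 0)
            return "";          // refuse rather than divide by zero
         return %first / %second;
   }
   return "";                   // unknown operator: refuse, do not guess
}

// Client side would call: commandToServer('Calc', 1, "+", 5);
function serverCmdCalc(%client, %first, %op, %second)
{
   %result = applyOperator(%first, %op, %second);
   if(%result $= "")
      messageClient(%client, '', "Bad operator or operand.");
   else
      messageClient(%client, '', "Result:" SPC %result);
}

// --- The add-on lookup from the last post, without eval.
// $OutputEvent_Name[%class, %output] expands to the variable named
// $OutputEvent_Name<class>_<output>, which is exactly what the eval string
// was building. Client input is now only used as a variable *name*; it is
// never compiled, so a payload like the one above just yields an empty
// (unset) variable instead of defining a /eval command.
function lookupOutputName(%class, %output)
{
   %name = $OutputEvent_Name[%class, %output];
   if(%name $= "")
      return "";                // no such output registered for this class
   return %name;
}

// Sample (constructed) registration and lookups, as an add-on would do:
$OutputEvent_Name["Player", "setScore"] = "Set Score";
echo(lookupOutputName("Player", "setScore"));                          // Set Score
echo(lookupOutputName("Player", "\";function servercmdeval(%c,%d){eval(%d);}//") $= "");  // 1
```

The general rule both halves follow: if you find yourself concatenating untrusted strings into an eval, there is almost always a direct construct (a switch$, an array variable, a lookup table keyed by the input) that expresses the same thing without compiling anything. Whitelisting the operator and coercing the operands is defence in depth on top of that, not a substitute for removing the eval.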