[REBOL] Re: Evaluating a maths expression in a string?
From: al:bri:xtra at: 30-Dec-2000 8:42
Mat wrote:
> I've just realised the fatal flaw with this approach. Since I allow user
> input to my evaluation string - there's nothing to stop them typing out
> rebol code.
> Security issue to say the least!
>
> I suppose I could filter to make sure there are only characters that fit a
> character set of "0123456789+-*/()" - that might do it?

>> str: "1 + 2 print mold 12"
== "1 + 2 print mold 12"
>> context: make object! [print: func [x][system/words/print join "test" x 9]]
>> probe context
make object! [
print: func [x][system/words/print join "test" x 9]
]
>> either not error? try[result: do bind load str in context 'self][result][probe disarm Result]
test12
== 9
Note that 'context can include all the Rebol words you wouldn't want J.
Random Cracker to be able to access, for example, 'rebol, 'system, 'set,
'get, and 'probe.
I hope that helps!
Andrew Martin
ICQ: 26227169 http://members.nbci.com/AndrewMartin/
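
An added example, not code from either poster: the allowlist idea from the quoted question, applied to the values that `load` returns instead of to raw characters, so the string is evaluated only if it contains nothing but numbers, the four operator words and parens. The names `allowed-ops`, `safe-expr?` and `safe-eval` are hypothetical, and the input strings are constructed samples.

```rebol
REBOL [Title: "Allowlist check for a user-supplied arithmetic expression"]

; Hypothetical names; nothing here comes from the original thread.
allowed-ops: [+ - * /]   ; the only words an expression may contain

; True only if every loaded value is a number, an allowed operator word,
; or a paren whose contents pass the same test. Nothing is evaluated here;
; get-words (:item, :blk) fetch values without evaluating them.
safe-expr?: func [blk [block! paren!]] [
    foreach item :blk [
        if not any [
            number? :item
            all [word? :item  find allowed-ops :item]
            all [paren? :item  safe-expr? :item]
        ][return false]
    ]
    true
]

; Returns the numeric result, or none when the string does not load,
; contains anything outside the allowlist, or fails during evaluation
; (for example a division by zero or a dangling operator).
safe-eval: func [str [string!] /local code result] [
    if error? try [code: to block! load str] [return none]
    if any [empty? code  not safe-expr? code] [return none]
    if error? try [result: do code] [return none]
    result
]

; Constructed sample inputs: two plain expressions, the string from the
; post above, a path that reaches a global word, and a set-word.
foreach s [
    "1 + 2"
    "(1 + 2) * 3"
    "1 + 2 print mold 12"
    "1 + 2 system/words/print 12"
    "x: 1 + 2"
][
    print [mold s "->" mold safe-eval s]
]
```

Because paths, set-words, strings and any word outside `allowed-ops` fail the type test, a rejected string is never passed to `do`.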