If I take and do something like this:


    <?php
    $p = 10;
    $n = 3;
    // The backslashes stop PHP from interpolating $f, $p and $n here, so the
    // string holds the literal text: $f = 0.99 + ((.025 * $p) * $n);
    $evalstr = "\$f = 0.99 + ((.025 * \$p) * \$n);";
    eval($evalstr);
    echo $f; // prints 1.74

I get 1.74 displayed, no errors, everything is fine, but when I have a MySQL table that holds these equations (for the purpose of this example, it is the exact same equation), like so:


    <?php
    $p = 10;
    $n = 3;
    // $results is assumed to be the result of an earlier mysql_query() on the equations table
    while ($result = mysql_fetch_assoc($results)) {
        $math = $result['math'];
        // at this point $math = "\$f = 0.99 + ((.025 * \$p) * \$n);"
        eval($math);
    }

I get:

    Parse error: syntax error, unexpected T_VARIABLE, expecting T_STRING in ajax\getprices.php(30) : eval()'d code on line 1

Unsure as to why; if I print or echo $math, it is identical to what I have as $evalstr in the first example. $p and $n are actually set from GET variables, but even if I set them manually as in the example it does not work.

  • Suggestion. Try not to store your PHP in a database. If you have an SQL injection vulnerability, someone could totally compromise your entire code base. Not just your database. Commented Oct 18, 2011 at 22:47
  • ideone.com/T20A4 Are you sure $math is really what you say it is? Commented Oct 18, 2011 at 22:49
  • Try replacing the eval() with var_dump($math) and tell us exactly what it prints out. Commented Oct 18, 2011 at 22:54

2 Answers


It seems to me that you stored the expression, including the escaped $, in the database. You might try whether it works if you first remove the slashes:

    eval(stripslashes($math));

I too would recommend being very careful with storing such code in a database and using eval to execute it. There is potential for security holes here. But I assume you know this.


1 Comment

This does work, same answer I came up with. I am removing the slashes manually (only 18 equations) and security is no issue here, thanks
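The safer way to act on the comment and answer above is to not eval() the stored text at all. As an added example (not code from the question or either answer), this is a small recursive-descent evaluator that accepts only arithmetic, parentheses and a whitelist of variable names, so a row altered through SQL injection can raise an exception but cannot execute PHP. It assumes PHP 8 and that the table cell holds just the expression (the right-hand side, without the "$f =" and the trailing ";").

```php
<?php
// Added example (not from the question or answers): evaluate a stored pricing formula
// such as "0.99 + ((.025 * $p) * $n)" without eval(). Only numbers, + - * /, parentheses
// and whitelisted variables are accepted, so a tampered row throws instead of running PHP.
function evalFormula(string $expr, array $vars): float
{
    // Tokenise numbers, operators, parentheses and $names; anything else fails the round trip.
    preg_match_all('/\d*\.?\d+|[-+*\/()]|\$[A-Za-z_]\w*/', $expr, $m);
    if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) throw new InvalidArgumentException("Unsupported syntax: $expr");
    $pos = 0;
    $value = parseSum($m[0], $pos, $vars);
    if ($pos !== count($m[0])) throw new InvalidArgumentException('Trailing tokens in formula');
    return $value;
}
// sum := product (('+' | '-') product)*
function parseSum(array $t, int &$pos, array $vars): float
{
    $v = parseProduct($t, $pos, $vars);
    while (in_array($t[$pos] ?? null, ['+', '-'], true)) {
        $v = $t[$pos++] === '+' ? $v + parseProduct($t, $pos, $vars) : $v - parseProduct($t, $pos, $vars);
    }
    return $v;
}
// product := factor (('*' | '/') factor)*; PHP 8 throws DivisionByZeroError on x / 0
function parseProduct(array $t, int &$pos, array $vars): float
{
    $v = parseFactor($t, $pos, $vars);
    while (in_array($t[$pos] ?? null, ['*', '/'], true)) {
        $v = $t[$pos++] === '*' ? $v * parseFactor($t, $pos, $vars) : $v / parseFactor($t, $pos, $vars);
    }
    return $v;
}
// factor := number | $var | '(' sum ')'
function parseFactor(array $t, int &$pos, array $vars): float
{
    $tok = $t[$pos++] ?? throw new InvalidArgumentException('Unexpected end of formula');
    if ($tok === '(') {
        $v = parseSum($t, $pos, $vars);
        if (($t[$pos++] ?? null) !== ')') throw new InvalidArgumentException('Missing ")"');
        return $v;
    }
    if ($tok[0] !== '$') {   // an operator or ")" here means malformed input
        return is_numeric($tok) ? (float) $tok : throw new InvalidArgumentException("Unexpected token $tok");
    }
    $name = substr($tok, 1);   // whitelist lookup, no variable-variables or $GLOBALS tricks
    if (!isset($vars[$name])) throw new InvalidArgumentException("Unknown variable $tok");
    return (float) $vars[$name];
}
// The question's values on a constructed row; stripslashes() undoes the stored "\$".
echo evalFormula(stripslashes('0.99 + ((.025 * \$p) * \$n)'), ['p' => 10, 'n' => 3]), "\n"; // 1.74
```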

I got it; it seems that when defining the eval code as a variable I have to escape the $, but when pulling it from MySQL as a variable it works if I unescape the $.
