Evaluating user-defined conditions

Andrew Beverley andy at andybev.com
Tue Jun 10 07:10:30 BST 2014

On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote:
> Dear all,
> I'd like to take a condition specified by a user and use it to perform a
> set of tests on a data set. Is there a module to do this?

Thanks for all the replies.

Indeed, I can't trust the user input, but nonetheless I wondered whether
I could still use eval, but heavily sanitise the input. It seems a lot
easier than than using a parser.

Can anyone see anything wrong with the following? The user-supplied
variables are specified in square brackets, e.g. "[age]"

    # Sub in the variable values
    foreach my $var (@variables)
        my $value = ... # Could be a string in quotes
        $code =~ s/\[$var\]/$value/gi;

    # Sanitise
    $_ = $code;
    return unless /^[ \S]+$/;               # Only allow normal spaces
    return if /[\[\]]+/;                    # No brackets should remain
    return if /\\/;                         # No escapes please
    s/"[^"]+"//g;                           # Remove quoted strings
    m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars



More information about the london.pm mailing list