3

I have 3 variables and a formula that trusted users need to be able to define via a CMS. This formula will change over time and the values of the variables come from a database.

How can I work out the answer to the calculation? I assume eval is relevant but can't quite get it to work.

$width = 10;
$height = 10;
$depth = 10;

$volumetric = '(W*H*D)/6000';

$volumetric = str_replace('W', $width, $volumetric);
$volumetric = str_replace('H', $height, $volumetric);
$volumetric = str_replace('D', $depth, $volumetric);

eval($volumetric);

This gives me:

Parse error: parse error in /path/to/vol.php(13) : eval()'d code on line 1
Chris
  • 1
    Why don't you just write $volumetric = ($width * $height * $depth) / 6000? Make it a function and call it everywhere you need. So if it will change, you will just change one function. – Mehmet SÖĞÜNMEZ Jul 28 '16 at 12:06
  • Won't work. Non-technical users will need to update the formula via a CMS so I need to be able to use variables I have pulled from my database ($width, $height, $depth) and apply this to the current formula – Chris Jul 28 '16 at 12:07
  • 1
    You need to be very careful when taking users input and using it with `eval`, you ***must*** sanitise the input or you will leave yourself wide open to being hacked. – Styphon Jul 28 '16 at 12:09
  • Could you try: eval('$result = '.$volumetric); – Alexander Fuchs Jul 28 '16 at 12:10
  • @Styphon definitely. It will be sanitised and also only one or two trusted users are able to modify the formula. – Chris Jul 28 '16 at 12:12
  • @AlexanderFuchs no luck - same error - parse error eval()'d code – Chris Jul 28 '16 at 12:13
  • Strange. Can you add a ';' after 6000? – Alexander Fuchs Jul 28 '16 at 12:13
  • 2
    Ah, but it does work if I add a ; to the end of the code but within eval ...... eval('$result = '.$volumetric.';'); – Chris Jul 28 '16 at 12:14
  • 2
    Have you tried this answer from a similar question: http://stackoverflow.com/a/16071456 ? – roberto06 Jul 28 '16 at 12:14
  • The main issue here like you rightly identified is that you're not assigning the result to a variable and you omitted the semi-colon. However, make sure you sanitize the input. It's not who can modify the formula that matters. It's what I can add as a value that matters. You need to be sure valid numbers are supplied before proceeding to use – Chibueze Opata Jul 28 '16 at 12:22

3 Answers

1

You need to be extremely careful with eval as you're giving people access to run commands directly on the server. Make sure to read the documentation thoroughly and understand the risks.

That said, you need to assign the result to a variable. You can tidy up what you're doing too, you only need one str_replace. Try this:

$width = 10;
$height = 10;
$depth = 10;

$volumetric = '(W*H*D)/6000';
$volumetric = str_replace(['W', 'H', 'D'], [$width, $height, $depth], $volumetric);

eval("\$result = $volumetric;");
echo $result;
Styphon
0

Eval was the correct way to go ... my correct code is:

$width = 60;
$height = 60;
$depth = 60;

$volumetric = '(W*H*D)/6000';

$volumetric = str_replace('W', $width, $volumetric);
$volumetric = str_replace('H', $height, $volumetric);
$volumetric = str_replace('D', $depth, $volumetric);

eval('$result = '.$volumetric.';');

echo $result;
Chris
0

Your starting point is true. If you don't want to use or code complex parsers, eval is the best choice. But eval converts the given string to PHP code. So basically, what you are trying to do is:

$width = 10;
$height = 10;
$depth = 10;

$volumetric = '(W*H*D)/6000';

$volumetric = str_replace('W', $width, $volumetric);
$volumetric = str_replace('H', $height, $volumetric);
$volumetric = str_replace('D', $depth, $volumetric);

(10*10*10)/6000;

So it outputs an error. You should assign this equation to a variable. The correct way is:

eval('$result = ('.$volumetric.');');

or

eval("\$result = ({$volumetric});");

Also, I want to add something: be careful while using eval!

Tuğca Eker
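
The warnings in the comments and answers above about feeding CMS input to eval can be met by not calling eval at all. The following is an added example, not code from any poster in this thread: a small arithmetic parser that accepts only numbers, the variables it is given, + - * / and parentheses, and rejects everything else. It assumes PHP 8 (for `match`); the function names `evaluateFormula`, `parseExpr` and `parseFactor`, the `PRECEDENCE` constant and the 200-character limit are hypothetical choices.

```php
<?php
// Added example, not code from the thread: evaluates the formula without eval().
// Accepts only numbers, allow-listed variable names, + - * / and parentheses.
const PRECEDENCE = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];

function evaluateFormula(string $formula, array $vars): float // hypothetical name
{
    preg_match_all('/\d+(?:\.\d+)?|[A-Za-z]+|[-+*\/()]/', $formula, $m);
    // Every non-space character must belong to a token, otherwise reject the formula.
    if (strlen($formula) > 200 || implode('', $m[0]) !== preg_replace('/\s+/', '', $formula)) {
        throw new InvalidArgumentException('Formula is too long or has characters outside the grammar');
    }
    $pos = 0;
    $value = parseExpr($m[0], $pos, $vars);
    if ($pos < count($m[0])) throw new InvalidArgumentException("Unexpected token '{$m[0][$pos]}'");
    return $value;
}

// Precedence climbing: an operator binds only operands of higher precedence to its right.
function parseExpr(array $tokens, int &$pos, array $vars, int $minPrec = 1): float
{
    $value = parseFactor($tokens, $pos, $vars);
    while ((PRECEDENCE[$tokens[$pos] ?? ''] ?? 0) >= $minPrec) {
        $op = $tokens[$pos++];
        $rhs = parseExpr($tokens, $pos, $vars, PRECEDENCE[$op] + 1);
        // PHP 8 throws DivisionByZeroError here if $rhs is zero.
        $value = match ($op) { '+' => $value + $rhs, '-' => $value - $rhs, '*' => $value * $rhs, '/' => $value / $rhs };
    }
    return $value;
}

function parseFactor(array $tokens, int &$pos, array $vars): float
{
    $t = $tokens[$pos++] ?? '';
    if ($t === '-') return -parseFactor($tokens, $pos, $vars);
    if ($t === '(') {
        $value = parseExpr($tokens, $pos, $vars);
        if (($tokens[$pos++] ?? '') !== ')') throw new InvalidArgumentException('Missing closing parenthesis');
        return $value;
    }
    if (is_numeric($t)) return (float) $t;
    if (is_numeric($vars[$t] ?? null)) return (float) $vars[$t]; // allow-listed, numeric variable
    throw new InvalidArgumentException("Unknown or missing operand '$t'");
}

$dims = ['W' => 10, 'H' => 10, 'D' => 10]; // constructed sample values
echo evaluateFormula('(W*H*D)/6000', $dims), PHP_EOL;
// Constructed input containing characters outside the grammar: rejected, never executed.
try { evaluateFormula('(W*H*D)/6000; $x = 1', $dims); } catch (InvalidArgumentException $e) { echo 'Rejected: ', $e->getMessage(), PHP_EOL; }
```

Because variable values pass through `is_numeric` before use, a non-numeric database value is rejected in the same way as an unknown variable name.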