# Solved: PHP Question: Un-string a string?



## Eriksrocks (Aug 7, 2005)

OK, I have a hopefully simple PHP question here. Basically, I'm trying to build an online calculator, where someone could enter something like "5 + 6 + 2" into a form field and out would come the answer 13. I thought it would be simple:


```
<?php

$problem = $_POST['problem']

?>

Results

<?php echo( $problem ); ?>
```
But as it turns out that didn't work. So basically I'm looking for a way to "unstring a string."

I'm not sure if that makes sense, so let me explain. Let's say that you entered "5+5" into the field named "problem," OK? Right now I've got this:

$problem = $_POST['problem']

Which would be equal to this, right?

$problem = "5+5"

I need it to be equal to this, or I need to "unstring" it so that PHP will actually add it up instead of passing it off as a string:

$problem = 5+5

This way someone could enter something like (5 + 5) * (6 / 3) and PHP would recognize it and it would end up like this:

$problem = (5 + 5) * (6 / 3) *OR THIS WOULD WORK:* $problem = ("5" + "5") * ("6" / "3")

Maybe if there was a way to split up the variable, remove the operators (+, -, /, *), and then add them back in???

How could I do this? I really want to avoid multiple form fields if I have to. Will I have to end up with something complicated to split the variable into multiple parts? How can I just remove those quotes?

Thanks for any input. 

Erik


----------



## DrP (Jul 23, 2005)

Couldn't you adjust your form to collect, say, 3 variables? Something like:

```
$first_num = $_POST['first_number'];
$operation = $_POST['operation'];
$second_num = $_POST['second_number'];
```
then process those?


----------



## Eriksrocks (Aug 7, 2005)

I could, but, like I said, I wanted to avoid multiple form fields (unless there was a way to do that with one field). Is that the only way to go?


----------



## DrP (Jul 23, 2005)

Sorry, I see that. I think you might have to convert the string into an array. Can you use:

str_split(string[, length])

but I can't remember how to do it! I'm sure it'd be quicker to rewrite the form...


----------



## Eriksrocks (Aug 7, 2005)

Rewrite the form with multiple fields, you mean?

About the string split: We're making progress, so now I need to know:

Is there a way to scan for and then remove characters, and is there a way to tell a length of a string?

EDIT: I'm answering my own questions! I can use strlen() to count all of the characters, but could I use this to, say, substitute all spaces with nothing?

I guess I could use strpos to find the first occurrence, remove that somehow, and then run it again until all of them have been removed... What do you think? This is probably going to end up being very complicated if I can get it to work...

Thanks a lot.


----------



## brendandonhu (Jul 8, 2002)

str_replace() replaces all occurrences of the search string with the replacement string.
I think eval() might compute a value if you give it a string like "5 + 3" but I'm not sure, I haven't tried it.
If you're trying to clone Google Calculator...good luck.


----------



## Moegopher (Jul 13, 2006)

I only know how to do this in QuickBASIC and VB. Is PHP similar to those two?


----------



## Eriksrocks (Aug 7, 2005)

brendandonhu said:


> I think eval() might compute a value if you give it a string like "5 + 3" but I'm not sure, I haven't tried it.


I think you've hit the nail on the head, but I can't get it to work right now and I'm really tired... I'm going to try tomorrow. But just to make sure I'm not doing something wrong, could you give me the eval() code if I wanted to evaluate a string named *$problem*?

Would it be something like *eval( $problem );*?

Thanks.


----------



## brendandonhu (Jul 8, 2002)

```
<?php
echo eval('return 5+5;');
?>
```


----------



## Eriksrocks (Aug 7, 2005)

Yes! I've gotten it to work!  I tweaked what you gave me a bit, so the final code (for my test page) ended up being:


```
<?php

$problem = "return ";
$problem .= $_POST['problem'];
$problem .= ";";

?>

Results

<?php echo eval($problem); ?>
```
And now it all works. I can enter something like 2 + 7 * 10 and 72 will come out. :up:

brendandonhu, thanks for the code, and thanks to DrP for getting me going! :up:


----------



## Eriksrocks (Aug 7, 2005)

One more question:

I can do some error checking with JavaScript so that no one enters something like a+f, but is there any function to replace an error with a custom message (like "Your calculation is invalid")?

Thanks. 

*EDIT:* Never mind, I got it to work. So now the code is:


```
<?php

$problem = "return ";
$problem .= $_POST['problem'];
$problem .= ";";

$result = @eval($problem);

if( $result == null )
{
    $result = "Your calculation is invalid. Please try again.";
}

echo $result;
?>
```
The @ sign makes PHP ignore an error if there is one, so $result is then blank, and with the if statement, my message is displayed.

Thanks for all your help. I'm going to mark this solved now.


----------



## brendandonhu (Jul 8, 2002)

Your code will allow anyone to run any PHP code on your server. You need to verify that they have entered only numbers and other allowed symbols before running eval().


----------



## Eriksrocks (Aug 7, 2005)

I've got it in JavaScript on the HTML page (the only characters allowed are + - * / ( ) and numbers), but is there any quick way to do it in PHP?


----------



## brendandonhu (Jul 8, 2002)

Then your user can disable javascript and enter any character they want, executing code on your server. You can use substr() to verify that each character entered is a number or operation.


----------



## Eriksrocks (Aug 7, 2005)

I know. The JS is more to streamline the user experience than provide security. Could you give me an example of how to use substr? I can't seem to figure it out...


----------



## brendandonhu (Jul 8, 2002)

substr('abcdef', 0, 1) returns "a". You would do that in a loop and check that each character is a number or operation. Or you could just write a regular expression that checks the same thing.


----------



## Eriksrocks (Aug 7, 2005)

OK. :up:

It works like it should when I test it (without JS and everything), but I thought you might want to double-check it anyway:


```
<?php

$check = $_POST['problem'];
$length = strlen($check);

for( $i = 0; $i < $length; $i++ )
{
    $char = substr($check, $i, 1);

    if( is_numeric( $char ) or $char == "+" or $char == "-" or $char == "/" or $char == "*" or $char == "(" or $char == ")" or $char == " " )
    {
        $security = "yes";
    }
}

$problem = "return ";
$problem .= $_POST['problem'];
$problem .= ";";

if( $security == "yes" )
{
    $result = @eval($problem);
}

if( $result == null )
{
    $result = "Your calculation is invalid. Please try again.";
}

echo $result;
?>
```
Is that secure enough?


----------



## brendandonhu (Jul 8, 2002)

You should probably add a maximum length for $problem to prevent someone from inputting very long input. Other than that, it looks secure as far as I can tell although I'm not entirely sure that it can't be exploited in some way.


----------



## Moegopher (Jul 13, 2006)

Very good work.


----------



## Eriksrocks (Aug 7, 2005)

Actually, it doesn't work (oops!) and now I know why (all they have to do is enter any valid character at the end, which automatically allows it. Take a look at the code and you'll see what I mean.). I have to go, though, so I'll work on it later.


----------



## brendandonhu (Jul 8, 2002)

I see what you mean, shouldn't be too hard to fix the loop.


----------
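
The flaw described in the two posts above, shown next to the whole-string regular-expression check suggested earlier in the thread. This is an added example, not code from the thread; the function names and sample inputs are constructed, and it assumes PHP 7 or later.

```php
<?php
// Added example: hypothetical function names, constructed inputs.

// Same logic as the loop in the earlier post: the flag is set by any
// allowed character and never cleared, so one allowed character anywhere
// (for instance at the end) approves the whole input.
function flawed_check(string $s): bool {
    $ok = false;
    for ($i = 0; $i < strlen($s); $i++) {
        if (strpos("0123456789+-*/() ", $s[$i]) !== false) {
            $ok = true;
        }
    }
    return $ok;
}

// Whole-string allow-list. \A and \z anchor the match to the entire input
// ($ alone would also accept a trailing newline); the length is capped too.
function strict_check(string $s): bool {
    return strlen($s) <= 35
        && preg_match('~\A[0-9+\-*/() ]+\z~', $s) === 1;
}

// Constructed sample inputs: two valid expressions, one with letters and a
// semicolon, one with a trailing newline, and the empty string.
$samples = ["2 + 7 * 10", "(5 + 5) * (6 / 3)", "abc; 1", "5+5\n", ""];
foreach ($samples as $s) {
    printf("%-22s flawed=%-3s strict=%s\n", json_encode($s),
        flawed_check($s) ? "yes" : "no",
        strict_check($s) ? "yes" : "no");
}
```

The third and fourth inputs pass the flawed loop but fail the anchored match.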



## Eriksrocks (Aug 7, 2005)

Yup, now it's fixed. I just added an else statement:


```
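<?php

$lcheck = "yes";
$security = "no";
$result = null;
// Treat a missing form field as an empty string
$check = isset($_POST['problem']) ? $_POST['problem'] : "";
$length = strlen( $check );

// Reject overly long input before looking at its characters
if( $length > 35 )
{
    $lcheck = "no";
    $result = "Your calculation is too long.";
}

if( $lcheck == "yes" )
{
    for( $i = 0; $i < $length; $i++ )
    {
        $char = substr($check, $i, 1);

        // Allow only digits, the four operators, parentheses and spaces
        if( is_numeric( $char ) or $char == "+" or $char == "-" or $char == "/" or $char == "*" or $char == "(" or $char == ")" or $char == " " )
        {
            $security = "yes";
        }
        else
        {
            // One disallowed character rejects the whole input
            $security = "no";
            break;
        }
    }
}

$problem = "return ";
$problem .= $check;
$problem .= ";";

if( $security == "yes" && $lcheck == "yes" )
{
    try
    {
        $result = @eval($problem);
    }
    catch( Throwable $e )
    {
        // PHP 7 and later throw on a parse error, PHP 8 also on division by zero
        $result = null;
    }
}

// Strict comparison so that a legitimate result of 0 is still shown
if( $result === null || $result === false )
{
    $result = "Your calculation is invalid. Please try again.";
}

echo $result;
?>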
```
Thanks for your help. :up:


----------
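
An added example, not code from the thread: the same calculator without eval(), using a small recursive-descent parser over the characters the thread allows (digits, + - * /, parentheses, spaces). Function names and sample inputs are constructed; it assumes PHP 7 or later.

```php
<?php
// Added example. Grammar: expr := term (('+'|'-') term)*
//   term := factor (('*'|'/') factor)*   factor := number | '-' factor | '(' expr ')'
function calc(string $input) {
    if (strlen($input) > 35) throw new InvalidArgumentException("too long");
    // Digits, operators and parentheses become tokens; any other non-space
    // character becomes a token too, and the parser rejects it.
    preg_match_all('~\d+|[-+*/()]|\S~', $input, $m);
    $pos = 0;
    $value = expr($m[0], $pos);
    if ($pos !== count($m[0])) throw new InvalidArgumentException("unexpected token");
    return $value;
}
function expr(array $t, int &$p) {
    $v = term($t, $p);
    while ($p < count($t) && ($t[$p] === '+' || $t[$p] === '-')) {
        $op = $t[$p++];
        $r = term($t, $p);
        $v = ($op === '+') ? $v + $r : $v - $r;
    }
    return $v;
}
function term(array $t, int &$p) {
    $v = factor($t, $p);
    while ($p < count($t) && ($t[$p] === '*' || $t[$p] === '/')) {
        $op = $t[$p++];
        $r = factor($t, $p);
        if ($op === '/' && $r == 0) throw new InvalidArgumentException("division by zero");
        $v = ($op === '*') ? $v * $r : $v / $r;
    }
    return $v;
}
function factor(array $t, int &$p) {
    if ($p >= count($t)) throw new InvalidArgumentException("unexpected end");
    $tok = $t[$p++];
    if (ctype_digit($tok)) return $tok + 0;       // int, or float if too large
    if ($tok === '-') return -factor($t, $p);     // unary minus
    if ($tok === '(') {
        $v = expr($t, $p);
        if ($p >= count($t) || $t[$p++] !== ')') throw new InvalidArgumentException("missing )");
        return $v;
    }
    throw new InvalidArgumentException("unexpected token");
}
// Constructed sample inputs; note that 0 is a valid result, not an error.
foreach (["2 + 7 * 10", "(5 + 5) * (6 / 3)", "0 * 5", "1 / 0", "a+f"] as $in) {
    try { echo "$in = " . calc($in) . "\n"; }
    catch (InvalidArgumentException $e) { echo "$in: " . $e->getMessage() . "\n"; }
}
```

Because the input is only ever tokenized and computed on, never executed, a character outside the grammar can produce an error message at worst.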

