How to eval arithmetic calculs?

Question

I have to build an application which calculate some data. I do not know what calculations can be asked by scientists.

For example, User A will want to calculate (A + 5) * 3 User B will want to calculate (A + 14)² * pi

The arithmetics formula are defined by scientists and stored in database by administrator.

The simple way is to do :

<?php

    //Formula is initialized by a query in database
    $formula= '(A + 3) * 5';
    //$ value is an integer entered by UserA and verify by Controller
    $value = 42;

    $arithmetic = str_replace('A', $formula, $value);

    $result = eval($arithmetic);

But Eval is evil as it is explained by @thpl in this answer

I have two options :

1. To do a lot of analyze and tranform each character of formula and create a great Calculation class. (Find the operand on each side of a + and replace + character by a call to addition method etc. etc.
2. Inspect $formula with a good (secured ?) regexp and call the evil eval function.

The first solution seems more secured but very long to develop.

For the second solution, I found this on php documentation :

<?php
    $test = '2+3*pi';

    // Remove whitespaces
    $test = preg_replace('/\s+/', '', $test);

    $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
    $functions = '(?:sinh?|cosh?|tanh?|abs|acosh?|asinh?|atanh?|exp|log10|deg2rad|rad2deg|sqrt|ceil|floor|round)'; // Allowed PHP functions
    $operators = '[+\/*\^%-]'; // Allowed math operators
    $regexp = '/^((' . $number . '|' . $functions . '\s*\((?1)+\)|\((?1)+\))(?:' . $operators . '(?2))?)+$/'; // Final regexp, heavily using recursive patterns

    if (preg_match($regexp, $q)) {
        $test = preg_replace('!pi|π!', 'pi()', $test); // Replace pi with pi function
        eval('$result = ' . $test . ';');
    } else {
        $result = false;
    }

First question : Is the second solution sufficiently safe ?

I searched on the Internet(of course), but the best solution found is the previous code. Is there some php functions, pearl or PECL libraries to help me ? an arithmetic_eval function ?

(I don't ask in Security.SE because my question only concerns php)

Answer 1

The first solution (a custom parser) would I think be very complex and error-prone. The highest risk in that would be bugs that would still allow an attacker to run arbitrary code. Maybe you can get it right, but it's easy to make mistakes.

The second solution (the proposed regular expression based validation) can be good or not, it's hard to tell. It would take a lot of time to analyse the PHP syntax, compare it to the regexes in your question, see what subtle ways there are in PHP to write statements and expressions, etc. While at first sight it doesn't look catastrophic, nobody will be able to say it's secure without lots of analysis. It would be very risky to use it until then.

You may decide to accept the risk of either of these, because you're saying these formulas will be stored by admins. Admins can review whether the formulas are genuine mathematical formulas that don't seem to contain any code. While it's probably not impossible to mask some subtle code execution in stuff that looks like a formula, the risk is much lower if a trusted admin reviews everything before it's actually used and evaluated.

Let me propose something different though. What if you used a sandbox to evaluate expressions? Take a look at this for example. You can easily restrict the functions available to the code to math functions only, and as long as you trust the sandbox, you can rest assured that nothing malicious will run. This would offload the problem to a third party (which you then have to trust, this is an important decision!), and your code would remain very simple yet reasonably secure. There may be other sandboxes too that you may want to explore.