I'm a bit stuck and I hope someone who's more familiar with PHP will be able to help me. Basically I am writing a PHP application that lets you plug in products via an XML file. When I say products I mean like a car-hire or insurance type product, where there are forms to fill out and rates to calculate. I opted for an XML structure to make it easy in future to add new or adapt them without any coding knowledge as the underlying class will do all the work. However I'm now trying to rack my brain for the safest and best way to include rates calculations in the XML file structure and evaluate them in PHP, without any risk of being exploited. So for example the xml file structure I will have for the rates calculation area might look something like
<rates>
<rate name="variable1" type="forminput" relative="form['input1']"></rate>
<rate name="variable2" type="forminput" relative="form['input2']"></rate>
<rate name="calculatedvariable1" type="calculation">[variable1] * [variable2]</rate>
</rates>
Ok so this is a pretty basic example but the idea is that my class then reads the name, creates a php variable based on this using an xml parser, with the value given in the form (or wherever the relative is referencing) and then when it finds a calculation type it plugs the correctly named variables (noted by square brackets or whatever) into the calculation and evaluates it. So in this example the output given by parsing the calculation will be :
$variable1 * $variable2
Which then needs to run as a calculation to get the value of calculatedvariable1. Now I know I can use eval() to achieve this but I'm not convinced this is the only option and perhaps I'm missing something else I could be doing either in my xml structure or in the way my php will parse it. Anyhow I hope I've explained it properly and thanks in advance for any ideas.
