
infobipcth/forms-computed-language
==================================

A PHP library for safely interpreting user-inputted arbitrary code, specifically designed for supporting logic in forms.

Version 2.8.0 · MIT license · PHP ^8.3 · [2 issues](https://github.com/infobipcth/forms-computed-language/issues)

[Source](https://github.com/infobipcth/forms-computed-language) · [Packagist](https://packagist.org/packages/infobipcth/forms-computed-language)

Forms Computed Language
=======================


Forms Computed Language (FCL) is an interpreted language designed to be safe to execute when the code is arbitrary user input, while allowing users to manipulate variables, use flow control features and run functions.

FCL is based on PHP syntax and relies on @nikic/php-parser to produce an abstract syntax tree, while reimplementing an evaluator for a subset of PHP's tokens in PHP itself.

Supported features and tokens
-----------------------------


- Scalar variables (numeric, boolean and string types)
- Arrays and `foreach` loops without references
- Fetching constants from PHP
- Arithmetic and logical operators (`+, -, /, *, !, &&, ||`)
- Assignment operators (`+=, .=` etc.)
- Comparison operators (`

```
$lr->setVars(['a' => 3.14]);
$lr->evaluate();
// ['a' => 3]
var_dump($lr->getVars());
```

Constants and security
----------------------


**IMPORTANT SECURITY NOTE**: for booleans to work, and so that users can use constants such as `PHP_ROUND_UP` etc., you need to have some sort of access to constants (at least `true` and `false` constants). HOWEVER, if your project contains sensitive information in constants or PHP is exposing sensitive constants, this will prove to be a security risk!

To mitigate this, you can provide a list of allowed or disallowed constants to the Language Runner prior to code evaluation.

Disallowlist example:

```
$lr = LanguageRunner::getInstance();
$lr->setCode('$a = DB_USER;');
$lr->setVars([]);
$lr->setDisallowedConstants(['DB_USER', 'DB_HOST', 'DB_PASSWORD', 'DB_NAME']);
// IMPORTANT: IF YOU DO NOT SET CONSTANT BEHAVIOUR ALL CONSTANTS ARE ALLOWED!
$lr->setConstantBehaviour('blacklist');
// throws FormsComputedLanguage\Exceptions\UndeclaredVariableUsageException
$lr->evaluate();
var_dump($lr->getVars());
```

Allowlist example - throws an error when a non-allowlisted constant is accessed:

```
$lr = LanguageRunner::getInstance();
$lr->setCode('$a = DB_USER;');
$lr->setVars([]);
$lr->setAllowedConstants(['true', 'false']);
// IMPORTANT: IF YOU DO NOT SET CONSTANT BEHAVIOUR ALL CONSTANTS ARE ALLOWED!
$lr->setConstantBehaviour('whitelist');
// throws FormsComputedLanguage\Exceptions\UndeclaredVariableUsageException
$lr->evaluate();
var_dump($lr->getVars());
```

Misconfiguration example - DO NOT USE!:

```
$lr = LanguageRunner::getInstance();
$lr->setCode('$a = DB_USER;');
$lr->setVars([]);
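// wrong: this disallow list names only true/false, so DB_USER is not on it
$lr->setDisallowedConstants(['true', 'false']);
// very wrong: in blacklist mode every constant not on the list stays readable
$lr->setConstantBehaviour('blacklist');
// does not throw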
$lr->evaluate();
// ['a' => 'root']
var_dump($lr->getVars());
```
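The three configurations above can be compared before any form code runs. The following audit script is an added example, not part of the FCL project: it uses only PHP built-ins, `readableUserConstants()` is a hypothetical helper, the constants are constructed stand-ins, and it assumes the runner filters constants purely by name as the README's examples show.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for secrets an application might define.
define('DB_USER', 'root');
define('DB_PASSWORD', 'constructed-password');
define('API_TOKEN', 'constructed-token'); // defined later; no list was updated

/**
 * Hypothetical helper: names of user-defined constants that FCL code could
 * still read under a given configuration. Assumes name-based filtering;
 * a null $behaviour models "setConstantBehaviour() was never called".
 */
function readableUserConstants(?string $behaviour, array $list): array
{
    $user = array_keys(get_defined_constants(true)['user'] ?? []);

    return match ($behaviour) {
        'whitelist' => array_values(array_intersect($user, $list)),
        'blacklist' => array_values(array_diff($user, $list)),
        null        => $user, // README: all constants are allowed
        default     => throw new InvalidArgumentException("unknown behaviour: $behaviour"),
    };
}

// The configurations from the README, plus the "nothing set" default.
$configs = [
    'behaviour not set'       => [null, []],
    'blacklist of DB_* names' => ['blacklist', ['DB_USER', 'DB_HOST', 'DB_PASSWORD', 'DB_NAME']],
    'blacklist of true/false' => ['blacklist', ['true', 'false']],
    'whitelist of true/false' => ['whitelist', ['true', 'false']],
];

foreach ($configs as $label => [$behaviour, $list]) {
    $exposed = readableUserConstants($behaviour, $list);
    printf("%-24s exposes: %s\n", $label, $exposed ? implode(', ', $exposed) : '(none)');
}
```

Run it after the application's own bootstrap has defined its constants. Any name it reports for the configuration in use is a constant that user-supplied FCL code can read, and only the allowlist keeps that set fixed when new constants are defined later.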

Writing FCL code
----------------


You can write FCL code much as you would write PHP. You can use all of the defined tokens, `if` for flow control, and call our functions.

A notable difference is that FCL does not require an opening tag (no need to write `
