Get_StrictEval
See Also: Set_StrictEval, String, String Functions, Boolean
Purpose
Returns whether strict rules for string evaluations (strict evaluation mode) apply or not.
Syntax
Get_StrictEval to BooleanVariable
What It Does
The runtime supports a strict evaluation mode for converting strings to numbers. Without strict evaluation mode, a web service with numeric parameters could be passed, inside a string, a pseudo expression containing an Eval() or other string values, which the runtime would then evaluate in an uncontrolled fashion. We consider this a security risk and implemented strict evaluation mode to address it.
Strict evaluation mode changes how the runtime handles string to number conversions. When True, it applies the strict rules for string evaluations; when False, it does not. By default, this setting is False in the runtime. For Web Applications, the default is True.
In strict evaluation mode, an error is raised whenever the runtime attempts to evaluate an expression found inside a string outside of a code-managed Eval() function: an unhandled error 56, "attempt to run uncompiled expression." Unless someone is trying to hack your Web Application, this is most likely a programming error.
Example Code
Consider the following code:
Define C_MyConstant for 99
Move C_MyConstant to iVar // this will move 99 to the integer variable as expected
Move "C_MyConstant" to sVar // this will move "C_MyConstant" to the string variable as expected
What should the following do?
Move "C_MyConstant" to iVar
With strict evaluation mode OFF, this would actually evaluate what is inside of the string and place 99 in iVar. With strict evaluation mode ON, this will raise an error 56. Odds are this was coded by mistake. While this simple behavior is benign, the string may contain complex expressions including Eval() functions that could damage your application. If you control the contents of the string, you have nothing to worry about. If you do not control the string contents, which may be the case with Web Applications, you may have a security hole.
This example can be corrected in two ways:
Move C_MyConstant to iVar // this will move 99 to the integer variable as expected
Move (Eval("C_MyConstant")) to iVar // this will perform a code controlled eval on C_MyConstant and move it to the integer
The first example is probably what you wanted.
The second example represents the hard way to do this, but in more complex applications (where the expression within the string is complicated) it may be required.
Note that the Eval() code is actually part of your code. If you are explicitly using Eval(), it is up to you to make sure the expression in the string contains safe code.
Now consider an Eval expression within the string:
Move 'Eval("C_MyConstant")' to iVar // this will raise an error 56
In this case, Eval() is part of the expression in the string and will not be allowed with strict evaluation mode ON. If you do want to inject an Eval inside of your string, you could do the following:
Move (Eval('Eval("C_MyConstant")')) to iVar
Or you could use the equivalent code, which might be easier to read:
Move 'Eval("C_MyConstant")' to sVar
Move (Eval(sVar)) to iVar
As long as you've explicitly coded an Eval, you can evaluate any expression you want.
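The safest handling of a string you do not control is to never let the runtime's string-to-number conversion see anything but plain digits, whichever mode is active. The following is an added example, not code from the DataFlex documentation: the helper names IsDigitString and SafeStringToInteger are assumptions, the digit check is hand-rolled from Length, Mid and Ascii, and the Set_StrictEval usage assumes the same "to Value" syntax as Get_StrictEval.

```dataflex
// Added example (not part of the DataFlex documentation). Hypothetical helpers
// for converting untrusted strings (e.g. web service parameters) to integers
// without ever evaluating an expression embedded in the string.

// Returns True only if sValue is an optionally signed run of ASCII digits.
Function IsDigitString Global String sValue Returns Boolean
    Integer iLen iPos iCode
    Move (Trim(sValue)) to sValue
    Move (Length(sValue)) to iLen
    If (iLen = 0) Function_Return False
    For iPos from 1 to iLen
        Move (Ascii(Mid(sValue, 1, iPos))) to iCode
        // accept '0'..'9' (ASCII 48..57); a single leading '-' (ASCII 45) is allowed
        If (not(iCode >= 48 and iCode <= 57)) Begin
            If (not(iPos = 1 and iCode = 45 and iLen > 1)) Function_Return False
        End
    Loop
    Function_Return True
End_Function

// Converts sValue to an integer, or returns 0 and reports failure via bOk when
// the string is anything other than a plain number. A value such as
// 'Eval("C_MyConstant")' is rejected here instead of reaching the runtime's
// string-to-number conversion, so it is never evaluated in either mode.
Function SafeStringToInteger Global String sValue Boolean ByRef bOk Returns Integer
    Boolean bDigits
    Integer iResult
    Get IsDigitString sValue to bDigits
    If (not(bDigits)) Begin
        Move False to bOk
        Function_Return 0
    End
    Move sValue to iResult     // plain digits only: safe with strict mode ON or OFF
    Move True to bOk
    Function_Return iResult
End_Function

// Startup check: make sure strict evaluation mode is on in a runtime where the
// default is False, so any evaluation that slips past the helpers raises error 56
// instead of silently running the expression.
Boolean bStrictEval bOk
Integer iVar
Get_StrictEval to bStrictEval
If (not(bStrictEval)) Begin
    Set_StrictEval to True   // assumed syntax, mirroring Get_StrictEval
End

// Constructed sample inputs: the first converts, the others are refused.
Get SafeStringToInteger "99" (&bOk) to iVar                      // iVar = 99,  bOk = True
Get SafeStringToInteger "C_MyConstant" (&bOk) to iVar            // iVar = 0,   bOk = False
Get SafeStringToInteger 'Eval("C_MyConstant")' (&bOk) to iVar    // iVar = 0,   bOk = False
```

The point of the design is that the mode setting and the input check are independent layers: strict evaluation mode turns an uncontrolled evaluation into a visible error 56, while the digit check keeps unexpected content out of the conversion in the first place, which also matters for code that must still run with strict evaluation mode OFF.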
Example
Boolean bStrictEval
Get_StrictEval to bStrictEval
If (bStrictEval) Begin
// do something
End