Making eval safe?

This is a discussion on Making eval safe? within the PHP Language forum, part of the PHP Programming Forums category (Usenet Forums).
#1
02-06-2008
Philipp Lenssen

Making eval safe?

The question in short: how do I make eval() safe?

The background: At questml.com I'm offering a way to create
choose-your-own-adventures in a special XML dialect. There's a
several-years-old Windows-based editor for QML but I'm pondering offering a
web application for this as well. Part of QML are programming constructs
which evaluate states, e.g.
<if check="[has tea] or [did drink tea]">...</if><else>...</else>
These support certain functions, user-defined variables, and maths,
like adding up two values.

A simple way to evaluate these expressions is to first replace the
variables with their values etc. and then use the PHP eval function
(I've written interpreters in ASP/VBS and Python as well, so the issue
is similar there too). Now, as I'm offering QML as an open source project,
you can run your own QML file on your own server, so it's not a big
security issue, though I am going through a forbidden-words blacklist
before using the eval. However, if I want to add a web editor to my
site then I'd also need to make it safer, and blacklists, from what
I know, are usually not the safest. Is there any better solution, e.g.
should I put the executing PHP in a certain safe mode?
#2
02-06-2008
Iván Sánchez Ortega

Re: Making eval safe?

Philipp Lenssen wrote:

> The question in short: how do I make eval() safe?


The answer in short: Not using eval() at all :-)

> The background: At questml.com I'm offering a way to create choose-
> your-own-adventures in a special XML dialect. [...]
> These support certain functions, user-defined variables, and maths,
> like adding up two values.


Then write a compiler or pseudo-compiler. Feeding arbitrary data to eval()
is a no-no.

Parsing every input, and having a big switch-case statement while looping
through the XML tree is an acceptable solution.

The answer is not a simple one, and it will require some thinking on your
part, I'm afraid.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

A computer is not a television or a microwave; it is a complex tool.
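As an added illustration of the "parse it yourself" approach recommended above (this is example code written for this page, not code from questml.com or the QML editor), here is a PHP 8 recursive-descent evaluator for check expressions in the shape the first post shows. The grammar (bracketed state names, and/or/not, comparisons, + - * /, parentheses), the class name QmlCheckEvaluator and the sample state array are this example's own assumptions about QML, not its actual specification. The point is that no string ever reaches eval(): the tokenizer only accepts the listed token shapes, the parser only builds what the grammar allows, and the interpreter can only read the one state array it was given.

```php
<?php
// Added example, not code from questml.com or the QML editor: a recursive-descent
// evaluator for QML-style <if check="..."> expressions, e.g. [has tea] or [did drink tea].
// The grammar is this example's own assumption about QML. Nothing is ever handed to eval():
// input is tokenized, parsed and interpreted against one PHP array, so an expression can
// only read that array and do boolean logic and arithmetic. Needs PHP 8.0+.

final class QmlCheckEvaluator
{
    private array $tokens = [];
    private int $pos = 0;
    public function __construct(private array $state) {}

    // Evaluate one check expression to a boolean; throws on anything outside the grammar.
    public function check(string $expr): bool
    {
        $this->tokens = $this->tokenize(trim($expr));
        $this->pos = 0;
        $value = $this->parseOr();
        if ($this->pos !== count($this->tokens)) throw new InvalidArgumentException("Unexpected token '{$this->tokens[$this->pos]}'");
        return (bool) $value;
    }

    // Whitelist tokenizer: anything that is not a bracketed state name, number, listed
    // operator or keyword (a function name, ';', '$', '`', ...) aborts before parsing starts.
    private function tokenize(string $s): array
    {
        $re = '/\s*(\[[^\]]+\]|\d+(?:\.\d+)?|<=|>=|!=|[-+*\/()=<>]|and|or|not|true|false)\s*/A';
        $tokens = [];
        for ($offset = 0; $offset < strlen($s); $offset += strlen($m[0])) {
            if (!preg_match($re, $s, $m, 0, $offset)) throw new InvalidArgumentException("Bad input at offset $offset");
            $tokens[] = $m[1];
        }
        return $tokens;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    // One precedence level of left-associative binary operators; $operand parses the next level up.
    private function binary(array $ops, callable $operand): mixed
    {
        $v = $operand();
        while (in_array($this->peek(), $ops, true)) {
            $op = $this->tokens[$this->pos++];
            $r = $operand(); // always parse the right side, even when the result is already decided
            $v = match ($op) {
                'or' => $v || $r, 'and' => $v && $r,
                '+' => $v + $r, '-' => $v - $r, '*' => $v * $r,
                '/' => $r == 0 ? throw new InvalidArgumentException('Division by zero') : $v / $r,
            };
        }
        return $v;
    }

    // Precedence, lowest to highest: or, and, not, comparison, + -, * /, atoms.
    private function parseOr(): mixed  { return $this->binary(['or'], fn() => $this->parseAnd()); }
    private function parseAnd(): mixed { return $this->binary(['and'], fn() => $this->parseNot()); }
    private function parseNot(): mixed
    {
        if ($this->peek() !== 'not') return $this->parseComparison();
        $this->pos++; return !$this->parseNot();
    }
    private function parseComparison(): mixed
    {
        $left = $this->parseSum();
        $op = $this->peek();
        if (!in_array($op, ['=', '!=', '<', '>', '<=', '>='], true)) return $left;
        $this->pos++;
        $right = $this->parseSum();
        return match ($op) {
            '=' => $left == $right, '!=' => $left != $right, '<' => $left < $right,
            '>' => $left > $right,  '<=' => $left <= $right, '>=' => $left >= $right,
        };
    }
    private function parseSum(): mixed  { return $this->binary(['+', '-'], fn() => $this->parseTerm()); }
    private function parseTerm(): mixed { return $this->binary(['*', '/'], fn() => $this->parseFactor()); }
    private function parseFactor(): mixed
    {
        $t = $this->peek();
        if ($t === null) throw new InvalidArgumentException('Unexpected end of expression');
        $this->pos++;
        if ($t === '(') {
            $v = $this->parseOr();
            if (($this->tokens[$this->pos++] ?? null) !== ')') throw new InvalidArgumentException("Expected ')'");
            return $v;
        }
        if ($t === '-') return -$this->parseFactor();
        if ($t === 'true' || $t === 'false') return $t === 'true';
        if ($t[0] === '[') return $this->state[trim(substr($t, 1, -1))] ?? false; // unknown state reads as false
        if (is_numeric($t)) return $t + 0; // int or float
        throw new InvalidArgumentException("Unexpected token '$t'");
    }
}

// Constructed sample state; in the web editor it would come from the story's own variables.
$ev = new QmlCheckEvaluator(['has tea' => true, 'did drink tea' => false, 'gold' => 12]);
var_dump($ev->check('[has tea] or [did drink tea]'));
var_dump($ev->check('([gold] + 5) * 2 >= 20 and not [door locked]'));
try {
    $ev->check('[gold] + f()'); // "f" is not a token, so this is rejected before anything runs
} catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

This is the opposite of a blacklist: instead of listing what authors may not write, the tokenizer lists the only things they may write and rejects everything else before any evaluation happens. Adding a QML function then means adding a token and a parse rule for it, not widening what reaches the interpreter. The `binary` helper deliberately parses the right-hand operand even when `or`/`and` already know their result, so that a rejected token anywhere in the expression still raises an error instead of being silently skipped.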
#3
02-25-2008
Philipp Lenssen

Re: Making eval safe?

> The answer is not a simple one, and it will require
> some thinking on your part, I'm afraid.


Thanks. Guess I was wishing for some PHP feature to put a given script
portion into a safe mode, e.g. temporarily disable write access,
database access, or file access and so on.