
Re: Extending a perl program with Scheme, Lua, or JS

by Laurent_R (Canon)
on Feb 08, 2019 at 00:02 UTC


in reply to Extending a perl program with Scheme, Lua, or JS

Not entirely sure I understand what you really need and why you can't just perform the arithmetic operations with Perl. If it boils down to evaluating an arithmetic expression, maybe you could use eval, but there might be some security problems, so you have to check that the expression to be evaluated is safe prior to doing it.

Another possible option that comes to my mind is to shell out to the bc Unix or Linux utility. bc can be used in non-interactive mode in various ways, including piping (echo "42/7" | bc), shell redirections, and Un*x heredocs.

Re^2: Extending a perl program with Scheme, Lua, or JS
by afoken (Chancellor) on Feb 08, 2019 at 05:43 UTC
    Another possible option that comes to my mind is to shell out to the bc Unix or Linux utility. bc can be used in non-interactive mode in various ways, including piping (echo "42/7" | bc), shell redirections, and Un*x heredocs.

    How to make things even worse. I smell shell injection: "Dear script, please evaluate 1 + $(rm -rf /) or 1 + ";rm -rf /;echo " for me." (echo "1 + $(rm -rf /)" | bc resp. echo "1 + ";rm -rf /;echo "" | bc) Shelling out ain't that easy if you want to do it right: The problem of "the" default shell

    And even if you shell out safely, the program you feed the input into may have security issues. See Morris_worm for a really old example, or CVE-2012-1165 for a younger one.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      Yes, you're absolutely right, the type of security problems I mentioned about eval also apply to shelling out, I should have mentioned that explicitly. I actually don't much like the idea of shelling out, my point in that paragraph was only to say that if one decided to shell out, it might be simpler to use bc rather than heavy artillery such as an interpreter, compiler, or VM for Lisp, Lua, or JS.
      Thanks for the warning, but as mentioned in the OP, it's not a web app.

        That's OK. Injection attacks are equally plausible against non-web apps too. Indeed the very example to which Brother afoken drew your attention did not attack web apps, predating the web as it did. If you are writing scripts of any sort and not using taint mode you will reap what you sow.

        Forget attacks protect against stjpix typos that cost you data
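
An added example (not code from any poster in this thread) of the points raised above about shell injection and taint mode: the expression is checked against an allowlist and handed to bc on its standard input, so no shell ever parses it. The names `untaint_expr` and `bc_eval`, the 200-character limit and the restriction to bare arithmetic are assumptions made for the illustration.

```perl
# Run as: perl -T this_script.pl   (taint mode, as recommended in the thread)
use strict;
use warnings;
use IPC::Open2;

# Taint mode refuses to exec anything while PATH and friends are inherited.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist: digits, decimal point, + - * / %, parentheses and spaces only.
# No letters (so no bc functions, variables or keywords), no quotes, no ';'.
sub untaint_expr {
    my ($raw) = @_;
    return unless defined($raw) && length($raw) <= 200;
    return $1 if $raw =~ m{\A([0-9.+\-*/%() ]+)\z};   # $1 is untainted
    return;
}

sub bc_eval {
    my ($raw) = @_;
    my $expr = untaint_expr($raw);
    return unless defined $expr;

    # List form: bc is exec'd directly and the expression travels over a
    # pipe to its stdin, never through /bin/sh or the command line.
    my $pid = open2(my $out, my $in, 'bc', '-l');
    print {$in} "$expr\n";
    close $in;
    my $result = <$out>;
    close $out;
    waitpid $pid, 0;
    return unless $? == 0 && defined $result;
    chomp $result;
    return $result;
}

# Constructed inputs: one benign expression and the two strings quoted
# in the shell-injection reply above.
for my $input ('42/7', '1 + $(rm -rf /)', '1 + ";rm -rf /;echo "') {
    my $r = bc_eval($input);
    printf "%-24s => %s\n", $input, defined $r ? $r : 'REJECTED';
}
```

The allowlist narrows what reaches bc, but as noted in the thread, the program on the receiving end can still have bugs of its own, so keep the accepted grammar as small as the application allows.
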
Re^2: Extending a perl program with Scheme, Lua, or JS
by bcrowell2 (Friar) on Feb 09, 2019 at 20:58 UTC

    Not entirely sure I understand what you really need and why you can't just perform the arithmetic operations with Perl

    If other people are going to use it, I don't really want them to have to learn perl syntax. It looks messy and confusing to the uninitiated, with all the sigils, and the nonstandard mechanism for passing arguments to functions. I don't know, maybe it's just my perception, but say you show someone who has some basic coding experience this code:

    sub f {$x=shift; return $x*0.1}

    If they've never seen perl before, they're going to wonder what the heck the dollar signs are, and what shift is. The equivalent in Scheme is this:

    (define (f x) (* x 0.1))

    Here, I think the only possibly mysterious thing would be that you have to realize that it's prefix rather than infix notation. Maybe for zero-surprises pure vanilla syntax, JS wins:

    function f(x) {return x*0.1}

    However, the only JS interpreter that seems to meet my criteria is Rhino, and it seems to have unacceptable performance for my purposes if I try to start up an interpreter once for each operation:

    $ time rhino -e 'function f(x) {return x*0.1}; print(f(34))'
    3.4000000000000004

    real 0m0.240s
    user 0m0.292s
    sys 0m0.036s

    (Rhino is actually amazingly fast once it starts up -- in my experience it's sometimes faster than perl, and within a factor of 2 or 3 compared to C.)

    Another possible option that comes to my mind is to shell out to the bc Unix or Linux utility. bc can be used in non-interactive mode in various ways, including piping (echo "42/7" | bc), shell redirections, and Un*x heredocs.

    Nice suggestion, thanks. It's definitely nice in terms of performance and zero-surprises syntax:

    time echo "define f(x) {x*0.1}; print f(34)" | bc
    3.4
    0

    real 0m0.002s
    user 0m0.000s
    sys 0m0.000s

    I think the only problem from my point of view might be that I will probably sometimes need to use data structures, which bc doesn't have. E.g., a common application would be that you want to drop the student's lowest quiz score, so you need to pass the list of quiz scores to the function. (Another issue would be that this would make it linux-only.)

Re^2: Extending a perl program with Scheme, Lua, or JS
by bcrowell2 (Friar) on Feb 14, 2019 at 02:55 UTC
    After originally implementing this in Guile, I've ended up switching to bc, because I couldn't figure out any clean way of preventing the possibility of Trojan horse attacks if I was using Guile.
