>In an application I'm working with, users can insert an expression to be used as a formula to evaluate parameter values. I'm relying on VFP's own parser to do this, but there are many issues involved, including stability and security issues.
>
>I'll need to strip down the parsing to only accept a much more confined set of functions, and to prevent access to variables and run-time objects (starting with _VFP and the likes). I know that this can be done and how to do it, but wonder if anybody has done this previously or know of anything that has been already developed and it is available. For instance, if you authorize your users to edit reports, how do you secure the expressions they insert as field values?

This is a pain.

What I think of is

Basic is to take the expression into a try catch for testing.
After that it's a pain. (But better do the pain before the try catch or the harm is done)
Get the expression, resolve it, typically by transforming into (reverse) polish notation, check the operators, limit it to a set of functions. (any function or operator should be an operator after the transformation). Possibly you can optimize by checking each operator against the list the moment you resolve the operator.
The transformation into polish notation is well known to parse an expression There is good documentaion on the web.

If you do this for reports, you have to do this for each and every field that can hold an expression
-fields
-variables
-grouping
-PrintWhen
-dynamics
just to name some