>>>>The purpose of the process I'm looking for is to limit the access to potentially dangerous objects and functions. So, I think that a simple de-tokenization that can identify authorized functions, and constants in the supported data types, will do. The evaluation will be left to the VFP parser (with proper error handler).
>>>
>>>I have no idea what you you mean with de-tokenization here :(
>>
>>If I'm not mistaken, he's basically saying that once you've parsed the input string into a sequence of tokens, you can perform a lexical analysis by traversing the parse tree to identify the identifier and check them against a list of what you want to allow or prohibit.
>
>Then I do not understand the whole thread. If it's parsed most of the work is done?

The de-tokenization is just to make sure nothing dangerous is used in the expression. For instance, to make sure there is no EXECSCRIPT() :-)

As long as there are no menaces in sight, VFP can EVALUATE() the expression safely and the result fetched.