>>>In an application I'm working with, users can insert an expression to be used as a formula to evaluate parameter values. I'm relying on VFP's own parser to do this, but there are many issues involved, including stability and security issues.
>>>
>>>I'll need to strip down the parsing to only accept a much more confined set of functions, and to prevent access to variables and run-time objects (starting with _VFP and the likes). I know that this can be done and how to do it, but wonder if anybody has done this previously or know of anything that has been already developed and it is available. For instance, if you authorize your users to edit reports, how do you secure the expressions they insert as field values?
>>
>>Just a general idea - you might be able to improve isolation/security if you delegate this task to an out-of-process EXE COM server.
>
>But that would still be potentially harmful to the system and data, wouldn't it?

Yes, but you can do it in addition to any other pre-checking you plan to do. If I understand your original post, this should help prevent access to "variables and run-time objects".