in reply to embedding a safe unescapable mini perl interpreter?

iaw4:

Because of the arguments suggested previously (security, DOS, etc.), you might want to consider putting your functionality in Javascript and let the code run in the browser. That way you can avoid many(?/most/all?) of the problems with letting the user specify code you'll execute on your server.

Just sayin'...

...roboticus

When your only tool is a hammer, all problems look like your thumb.


Re^2: embedding a safe unescapable mini perl interpreter?
by iaw4 (Monk) on Dec 31, 2011 at 05:49 UTC

    Thanks, everyone. A sandbox alone is not trustworthy enough.

    The problem is intrinsically pretty bad: public internet. And I want one user to make up a question for another anonymous user to answer. (This also means that 'javascript as sandbox' won't work.)

    User 1 inputs something like

    $x=round(rand(),1); print "If x is $x, then what is x^2?";

    User 2 may see

    if x is 0.5, then what is x^2?

    The '0.5' is obviously computed, based on what user 1 provided. I need to avoid user 1 inputting mischief.

    Finally, user 1 receives back the answer that user 2 gave and can check whether it was correct. Because answers are not algorithms (the way questions are), I can easily sanitize what user 2 provides.

    Do I really have to write my own language and parser for this? No one else has?

    regards, /iaw
      The little requirement that your project has to be multi-user may have merited mention in your OP.

      And as to your associated new question -- writing your own language -- I don't see how an eviscerated Perl can still provide even the functionality you've described. So maybe a new language has potential; maybe you simply need to code up a better sandbox; or maybe you should reconsider the design, aiming for a Q&A thread relying on users' machines for the computations.

      Well theoretically any Turing complete language is going to be a problem, as it cannot be proved to be secure.

      There's a really interesting presentation about these issues here http://boingboing.net/2011/12/28/linguistics-turing-completene.html It's a keynote speech at the 28th Chaos Computer Congress (28C3) by Meredith Patterson on "The Science of Insecurity". I highly recommend it, it's definitely worth watching.

      So I think you have to write your own language, including only the functionality that is needed and keeping it as simple as possible. Parse::RecDescent is a good place to start; it makes working with grammars quite easy :)

      The key issue is the complexity of the allowed expressions; if you can keep to a context-free grammar then you might get away with it. But my guess is that you will need to have a human in the loop to check and approve each submission before it goes live.

        OK. Thanks, everybody.

        It looks like this is going to be a lot more effort than I thought it would be. Pity, and surprising. There should be a complete set of everything that can 'escape' the sandbox---backquotes, system(), fopen(), etc.---or, better yet, a complete set of features known not to escape. All I wanted was a clear subset with string manipulation, numerical functions, STDOUT, and basic variables, and a set of functions I would enumerate as 'safe'. If that had existed, I could have sanitized the first user input and then passed it to 'eval'. It may still be simpler to do this than to write my own little language.

        next, I will check out SafeEval, as described in http://www.daniweb.com/software-development/perl/code/216821
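An added example (my own code, not from the thread, Parse::RecDescent or SafeEval) of the "own little language" approach recommended above and of the enumerated-safe-subset wish in the last reply: a recursive-descent parser in Python rather than Perl for numeric variables, arithmetic, an allowlist of two functions and print with "$name" interpolation, so that the question template from the earlier reply evaluates while anything outside the grammar is refused before evaluation. The names `run`, `rejected` and the injectable `rand` argument are my own.

```python
import random, operator, re
# Added example (not from the thread): a tiny allowlisted "question language" in place of
# eval.  Only this grammar parses; backticks, system(), open() and the like are stray
# tokens or unknown names, so there is no escape hatch to close afterwards.
TOKEN = re.compile(r'\s*(?:(\d+\.?\d*)|\$(\w+)|(\w+)|"([^"]*)"|(.))')
OPS = {'+': operator.add, '-': operator.sub, '*': operator.mul, '/': operator.truediv}
def tokenize(src):  # (kind, value) pairs; any stray character becomes an 'op'
    for m in TOKEN.finditer(src):
        kind, text = ('num', 'var', 'word', 'str', 'op')[m.lastindex - 1], m.group(m.lastindex)
        if kind != 'op' or text.strip():  # skip whitespace caught by the '.' catch-all
            yield (kind, float(text) if kind == 'num' else text)
class Parser:
    def __init__(self, src, rand):
        self.toks, self.i, self.vars = list(tokenize(src)), 0, {}
        # The allowlist: the only callables user 1's template can reach.
        self.funcs = {'rand': rand, 'round': lambda x, n=0: round(x, int(n))}
    def peek(self, kind=None, text=None):
        t = self.toks[self.i] if self.i < len(self.toks) else ('eof', None)
        return t if kind in (None, t[0]) and text in (None, t[1]) else None
    def take(self, kind, text=None):
        if not self.peek(kind, text): raise ValueError(f'unexpected {self.peek()}')
        self.i += 1; return self.toks[self.i - 1][1]
    def statement(self):  # statement := '$' name '=' expr | 'print' string
        if self.peek('var'):
            name = self.take('var'); self.take('op', '='); self.vars[name] = self.expr(); return ''
        self.take('word', 'print')  # in the string only "$name" is interpolated, nothing else
        return re.sub(r'\$(\w+)', lambda m: f'{self.vars[m.group(1)]:.15g}', self.take('str'))
    def expr(self):  # expr := term (('+'|'-') term)*, term := factor (('*'|'/') factor)*
        return self.binop('+-', lambda: self.binop('*/', self.factor))
    def binop(self, ops, sub):
        v = sub()
        while self.peek('op') and self.peek('op')[1] in ops:
            v = OPS[self.take('op')](v, sub())
        return v
    def factor(self):  # factor := number | '$' name | name '(' expr, ... ')'
        if self.peek('num'): return self.take('num')
        if self.peek('var'): return self.vars[self.take('var')]
        name = self.take('word')
        if name not in self.funcs: raise ValueError(f'function not allowed: {name}')
        self.take('op', '('); args = []
        while not self.peek('op', ')'):
            args.append(self.expr()); self.peek('op', ',') and self.take('op')
        self.take('op'); return self.funcs[name](*args)
def run(src, rand=random.random):  # evaluate user 1's template; the result is what user 2 sees
    p, out = Parser(src, rand), []
    while not p.peek('eof'):
        out.append(p.statement()); p.take('op', ';')
    return ''.join(out)
def rejected(src):  # True when the template steps outside the grammar or the allowlist
    try: run(src); return False
    except ValueError: return True
```

Every feature user 1 may use is listed in the grammar comments and in `self.funcs`; extending the language means adding a line there, not auditing what Perl's eval might still reach.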