3

The issue I am having is as follows: I have a MySQL table that contains details for page content I wish to display on my site. The content for one of my pages however I wanted to contain some actual PHP code to be executed, not just printed as a string. For example:

require_once("Class.php");
Class::Function("Some Text For a Parameter");

I want this code to execute somehow when the sql query is returned but as it stands, it just prints that text out. Is there a way to achieve what I want?

Thankyou in advance for your time,

Regards,

Stephen.

Improve this question
1
  • Did you remember to enclose it in <?php ... ?> tags? Commented Feb 21, 2011 at 23:06

3 Answers 3

Reset to default
6

You can do it with eval(), but you shouldn't.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

they are several ways to achieve the storage of dynamic elements :

  • eval(str) : you can evaluate as php code any string coming from you database. This is not very wise if what is stored in the database comes directly from a user input field. You never know what is going to be inserted and it could potentially be harmful code (harmful to the security of your server)

  • save / include : you could save what comes from your database in a temporary file and include() that file in-place in your php code. This does not seem to be secure either if anyone can store anything in your database

  • use a templating engine that has a reasonnable command footprint like smarty or mustache. you can store the templates in your database and execute them. If you trust the implementation of the templating language (and disable native php calls inside smarty for example) the template will need to have a correct syntax before execution can begin

As a general rule of thumb, it is very hard to protect such dynamic php code inclusion, so it should be considered as bad practice.

You should consider a DSL (domain specific language) for which you will trust the parser/compiler and execution engine.

If security is not a concern (because your application will not be public for example) then it can be perfectly valid and effective to store php fragments in the database.

I hope this will help you

Jerome Wagner

Improve this answer

1 Comment

Hi Jerome, thanks for taking the time to reply! Your suggestions have been quite helpful and provided me with some food for thought on the approach I am taking. As it stands, only I can input any special characters/code into the database just for that table. The idea behind this was to store my pages in the database as opposed to having individual php files with the content. Regards, Stephen.
0

I do a variation of this in my personal CMS by doing a bbcode of sorts. I enclose php to evaluate inside of [code][/code] tags, then when displaying I have a function that uses regular expressions to grab the contents of code inside the [code] tags to run. It in turn builds the code such that it closes the text echo, runs the script, then starts the text echo again. Perhaps the explanation is a bit simplistic, but you get the idea.

I would definitely avoid eval!

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.