
Warning: very outdated question with an awful idea. Storing code, whether it be PHP, JavaScript or even HTML, is never a good idea. Leaving this here only for documentation purposes.

I've got a bit of an awkward problem.

Normally when putting stuff in a database, this will be saved in the way it is. So, if the saved stuff is:

<?php echo "hi!"; ?>

This will just be output as 'hi!' when called.
However, in my case I'm saving plain text into a database. I'm not doing any verifying to check for these codes and I've turned off magic quotes to prevent the stuff from being escaped.

When getting the data from the DB and putting it inside a page (of course before the page is fully loaded, so the PHP should be executed), this shows up in the source code as a ?php tag and is thus invisible (on Safari at least) because it is an unknown tag for output.

The data block consists of a kind of 'Joomla-ish' template code. HTML tags, style (CSS), JavaScript blocks and PHP could all be in there. Stuff like CSS, JS, etc. works, but server-side code doesn't.

Any ideas on how to get this to work or why it isn't working? The database is MySQL with MyISAM as the storage engine. The field I'm saving it in is a longtext. I'm using PHP 5 (the w3c site states that using magic quotes is not good practice, as it will be removed in PHP 6 because it poses a lot of security risks apart from solving a few).

I've tried using eval(), but there's one little problem: the eval() function assumes this is PHP, but oftentimes it won't be. It will mostly be HTML with some PHP blocks in it.


I recommend against storing PHP in the database. The database is for data, not code.

If you need conditionally-run code, put it in .php files and use include() to execute it.

If you need dynamic content, you can put that in the database and then just echo it. No need to use eval().

Don't forget to escape output with htmlentities().


2 Comments

i was thinking that very thing.
Indeed: Warning team! Extreme danger! It is very, very unusual to be putting PHP template code in the database, and unless you have a surprisingly good reason for doing it and are very careful with your string escaping, this is highly likely to end up with a compromised server.
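The contrast this answer draws, written out as an added example (not code from the question or any answer): the eval()-on-database-text pattern the other answers describe, beside the recommended layout where code lives in a .php file, the database supplies only values, and every value is escaped on output. The template file, the sample row and all names are constructed for illustration.

```php
<?php
// Added example, not code from the question or any answer. Contrasts the
// eval()-on-database-text approach with the answer's recommendation:
// keep code in .php files, keep only data in the database, escape output.
// All names, the template file and the sample row are constructed.

// Constructed sample of what the question stores: HTML with a PHP block.
$stored_template = '<h1>Welcome</h1><p><?php echo "hi!"; ?></p>';

// Pattern to avoid (what the eval() answers suggest): eval() starts in PHP
// mode, so mixed HTML/PHP needs a leading "?>" to switch to HTML mode.
// Anyone who can write to that database column can then run arbitrary code
// on the server, which is why this answer advises against it. Defined here
// only for contrast; it is never called.
function render_by_eval(string $tpl): string {
    ob_start();
    eval('?>' . $tpl);
    return ob_get_clean();
}

// Recommended pattern: the template is a file under version control; the
// database supplies only values, each escaped before the template sees them.
function render_from_file(string $template_path, array $data): string {
    $safe = array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $data
    );
    ob_start();
    (function () use ($template_path, $safe) {
        // EXTR_SKIP: a row key such as "template_path" cannot clobber locals.
        extract($safe, EXTR_SKIP);  // exposes $title, $greeting to the include
        include $template_path;
    })();
    return ob_get_clean();
}

// Constructed stand-in for a templates/page.php file so the example runs as-is.
$template_path = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($template_path, '<h1><?= $title ?></h1><p><?= $greeting ?></p>');

// Constructed database row: data, including a hostile value, never code.
$row = ['title' => 'Welcome', 'greeting' => '<script>alert(1)</script>'];
echo render_from_file($template_path, $row), PHP_EOL;
unlink($template_path);
```

With the hostile greeting above, the rendered page carries the script tag as escaped text inside the paragraph rather than as a script element, while the template file itself never touches the database.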

You might need to eval() the contents from the database, if I understand your question correctly. See the eval documentation for more details.

If the code is 'user created' you might want to setup a stripped-down PHP execution environment as a sandbox.

2 Comments

How should I go about this? And would the PHP exec() command fit into this, or is the eval function the only applicable one?
$output = eval($txt_from_db_query); will parse and run the PHP in the database text buffer returning the expanded <?php ... ?> bits

You can't just do

echo $phpcode;

You need to use eval. BUT be aware: you can have many security issues.


The eval statement will execute PHP code that you pass in a string. But you need to be very careful about who has access to the data in the DB, since it will be difficult to check the code for safety before it is run.
