
I wish to store certain pieces of code in database tables as templates but I am unsure as to whether they are going to create problems or not. I keep reading mixed messages from various different people in different posts and I am just not happy that I am clear on this subject.

I have already worked out that you cannot really echo/print PHP into a webpage. Obviously you can echo strings of HTML, but it becomes awkward when you try to do it with PHP code. The only way I have managed to do this is through eval, which is apparently bad in most cases... so I am using another method to implement the templates (i.e. writing a PHP file to be used as an include file).

The main question I am asking is: is there really a problem with storing the PHP code strings (which include SQL statements) inside text type fields (mediumtext, longtext etc) in tables? Could those SQL statements ever do anything like execute actual actions or would they just remain as text strings?

Just to clarify, the reason I am storing strings of code is because they are templates to be used should the web administrator wish to allocate them to a specific area (div) of the pages.

  • Why not just store the templates as files on the filesystem, why store them in the db? Commented Feb 1, 2013 at 18:59
  • The issue has nothing to do with whether it is technically possible (which it trivially is with eval), and everything to do with security and maintenance. Commented Feb 1, 2013 at 19:00
  • I can't think of any good reasons to store code in the database. If you have to do something like this, I would store the templates as files. But I hope you're not writing your own CMS. That, again, is something that is usually not a good idea. And if you are writing your own CMS, I hope you're building it on top of a (non-custom) MVC framework. And there are templating engines out there, too. If you're trying to write a custom templating system, I think you might be trying to solve the problem at the wrong level. Commented Feb 1, 2013 at 19:04
  • Mr-sk - I was originally thinking of just storing them like that but I just thought that it would be more handy if I could deal with them in the form of a table. Tables are great for indexing and sorting through data. I know it is code... but when it is a template it is essentially data in a manner of speaking. Commented Feb 1, 2013 at 19:05
  • Jason - it is a CMS I am doing, but it is a university project. I know that people would generally use an already made CMS like Joomla or WP, but the idea was to build something from the ground up to gain some good experience. I should maybe do some more research or reverse engineer WP or Joomla, but I am trying to attack the problem in a "fresh" manner. In other words it is about seeing if I can create it all without copying other people's code. Commented Feb 1, 2013 at 19:14

3 Answers


Use SMARTY or Twig template engine. This will neatly solve your problem and you will not need to store anything in the database. It will also keep your PHP code completely separate from your HTML.

Another option is to use


2 Comments

Hey Nathan this looks like it could be really useful and is probably what I was looking for. Thank you for the link.
No worries, it's very flexible. Don't know what I would do without it.

I can see the need for code in the database, for instance if you have multiple sites and want to do source control between them and not use any 3rd party software. I would store it in a database and then write the code out to an actual physical page, then run the PHP from that page...

6 Comments

FYI, there is a dedicated database for version control, called git
.......and not use any 3rd party software
How is a database not "third party software"?
ok, maybe it is a bit confusing. Let's say you are in a nuclear launch facility, and you will go to extreme lengths to make sure your application is basically unhackable. You can isolate your server, your database, your code, run your javascript locally instead of linking to it. If you use something like git (very secure, but not somewhere you are going to store the launch codes for a nuclear bomb) you have no control over the security of it.
You've got a very good imagination, my friend

Do not do this. If your database is ever compromised and someone injects malicious PHP, it may be executed. You should store the templates as files and call them when needed.

And you actually can echo/print PHP. You would do it using eval.

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

6 Comments

If your db is pwned you've got problems, code execution on many levels ... I wouldn't let this possibility deter the OP's solution. Not saying the OP's idea is a good one, but ...
Agree with @Mr-sk. This answer does not explain why storing code in the filesystem is any more secure than storing it in the db: if code gets modified in either situation, then it will be undesirably executed.
@eggyal Aside from mentioning injection, could you add those reasons for storing it on the filesystem?
njk - I actually mentioned that I worked out how to do the eval thing. Anyway, with regards to the storing of code, I was worried that this may be the case so thank you for the clarification.
Not entirely sure what question you're asking me... but (if not careful) one could store user-injected code on the filesystem and then invoke it... the use of an RDBMS here is pretty irrelevant.
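As an added example (not code from the question or from any answer above), this shows the two points the thread circles around: a string that looks like SQL or PHP is inert in the database when it is written through a bound parameter, and templates kept as data placeholders can be rendered without eval(). It assumes PHP 8 with the pdo_sqlite extension; the table, template text and variable names are constructed for the example.

```php
<?php
// Added example, not code from the original question or any answer.
// Assumes PHP 8 with pdo_sqlite; the table and template rows are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE templates (name TEXT PRIMARY KEY, body TEXT NOT NULL)');

// 1) A stored string is only bytes to the database when it is bound as a parameter.
//    The second body looks like an SQL payload; it is stored verbatim and executes nothing.
$insert = $db->prepare('INSERT INTO templates (name, body) VALUES (?, ?)');
$insert->execute(['greeting', '<p>Hello {{name}}, welcome to {{site}}</p>']);
$insert->execute(['looks_like_sql', "'); DROP TABLE templates; --"]);
$count = (int) $db->query('SELECT COUNT(*) FROM templates')->fetchColumn();   // table still intact

// 2) Keep templates as DATA with {{placeholder}} tokens, not as PHP source. Rendering is
//    substitution plus HTML escaping, so nothing in the row is ever parsed as code.
function renderTemplate(string $body, array $vars, array $allowed = ['name', 'site']): string
{
    return preg_replace_callback('/\{\{(\w+)\}\}/', static function (array $m) use ($vars, $allowed): string {
        $key = $m[1];
        if (!in_array($key, $allowed, true) || !array_key_exists($key, $vars)) {
            return '';   // unknown or disallowed token renders as empty, never as code
        }
        return htmlspecialchars((string) $vars[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $body);
}

$select = $db->prepare('SELECT body FROM templates WHERE name = ?');
$select->execute(['greeting']);
$body = (string) $select->fetchColumn();

// Untrusted values (e.g. from a form) are escaped on output, so markup in them stays inert.
$html = renderTemplate($body, ['name' => '<script>alert(1)</script>', 'site' => 'My CMS']);

echo "rows in templates: $count\n";
echo $html, "\n";
```

Contrast this with the eval() route the last answer warns against: there, whatever the row contains is executed, so a compromised database becomes code execution, whereas a placeholder template only ever reaches the page as escaped text.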
