I have created a homepage editor tool in a script I purchased. The function of this homepage editor is to allow me to create different sections and display them one on top of the other in the order they are created, which I hope will give me the effect of several blocks that stretch the width of the screen.

All seems to work well except one piece. I input my HTML and PHP code into the field in the admin panel and it saves to the DB as I wrote it. However, when I go to echo each section back to the homepage, it just displays my PHP code as plain text and doesn't interpret it as PHP and do its function.

Here is code from the homepage.php that prints the results.

<?php

session_start();
require_once("inc/config.inc.php");

// Referral tracking: remember the referrer id, then reload the index page.
if (isset($_GET['ref']) && is_numeric($_GET['ref']))
{
    $ref_id = (int)$_GET['ref'];
    setReferal($ref_id);

    header("Location: index.php");
    exit();
}
///////////////  Page config  ///////////////
// Returns every enabled section (or a single section by id), ordered for display.
function get_all_section($section_id='')
{
    $section_array = array();   // initialised so an empty result still returns an array
    $sql="SELECT * FROM `cashbackengine_homepage` WHERE 1";
    if($section_id!="")
    {
        // note: $section_id is interpolated into the query without escaping
        $sql.=" AND section_id='".$section_id."'";
    }
    $sql.=" AND section_status=1";
    $sql.=" ORDER BY section_order ASC";
    //echo $sql;
    $res=mysql_query($sql);   // legacy mysql_* extension, as used by the purchased script
    while($row=mysql_fetch_array($res))
    {
        $section_array[]=array(
            'section_id' =>$row['section_id'],
            'section_name' =>$row['section_name'],
            'section_desc' =>$row['section_desc'],
            'section_order' =>$row['section_order'],
            'section_status' =>$row['section_status'],
            'last_updated' =>$row['last_updated'],
        );
    }
    return $section_array;
}

$get_all_section=get_all_section('');
/*$get_all_section2=get_all_section('2');
$get_all_section3=get_all_section('3');
$get_all_section4=get_all_section('4');
$get_all_section5=get_all_section('5');*/

// Print each section's stored content in order. The stored string is output
// as-is, so any PHP inside it is shown as text rather than executed.
for($i=0; $i<count($get_all_section);$i++)
{
    //echo htmlspecialchars_decode($get_all_section[$i]['section_desc']);
    //echo  htmlspecialchars_decode(stripslashes(str_replace("&nbsp;","",(str_replace("<br />","\n",$get_all_section[$i]['section_desc'])))));
    echo $get_all_section[$i]['section_desc'];
}
?>

I am certain the problem has to do with the echo at the end. But I am unsure how to use htmlspecialchars to make it work with PHP, if it even will, or whether I have to put something unusual in my saved section.

Here is one of my sections. Any help is greatly appreciated. Thank you.

<div style="height:260px; width:100%; background-color:#000; margin:0px; color:white;">
<div id="header">
    <div id="logo"><a href="<?php echo SITE_URL; ?>"><img src="<?php echo SITE_URL; ?>images/logo.png" alt="<?php echo SITE_TITLE; ?>" title="<?php echo SITE_TITLE; ?>" border="0" /></a></div>
    <div class="start_saving">
    <div id="links">
        <?php if (MULTILINGUAL == 1 && count($languages) > 0) { ?>
            <div id="languages">
            <?php foreach ($languages AS $language_code => $language) { ?>
                <a href="<?php echo SITE_URL; ?>?lang=<?php echo $language; ?>"><img src="<?php echo SITE_URL; ?>images/flags/<?php echo $language_code; ?>.png" alt="<?php echo $language; ?>" border="0" /></a>
            <?php } ?>
            </div>
        <?php } ?>
        <div id="welcome">
        <?php if (isLoggedIn()) { ?>
            <?php echo CBE_WELCOME; ?>, <a href="<?php echo SITE_URL; ?>myprofile.php"><span class="member"><?php echo $_SESSION['FirstName']; ?></span></a><!-- | <a href="<?php echo SITE_URL; ?>myaccount.php"><?php echo CBE_ACCOUNT ?></a>--> | <?php echo CBE_BALANCE; ?>: <span class="mbalance"><?php echo GetUserBalance($_SESSION['userid']); ?></span> | <?php echo CBE_REFERRALS; ?>: <a href="<?php echo SITE_URL; ?>invite.php#referrals"><span class="referrals"><?php echo GetReferralsTotal($_SESSION['userid']); ?></span></a>
        <?php }else{ ?>
            <a class="signup" href="<?php echo SITE_URL; ?>signup.php"><?php echo CBE_SIGNUP; ?></a> <a class="login" href="<?php echo SITE_URL; ?>login.php"><?php echo CBE_LOGIN; ?></a>
        <?php } ?>
        </div>
    </div></div>
</div>

  • Do you have PHP installed on the web server? Commented Oct 18, 2014 at 4:23
  • Are your web pages hosted on an Apache httpd server with the php5_module installed? Commented Oct 18, 2014 at 4:23
  • Wait, are you saying that homepage.php shows up as plain text, or are you saying that the bits of PHP mixed in with your HTML in your second code sample are showing up as plain text? Commented Oct 18, 2014 at 4:26
  • If your DB updates, yet as you say it displays the HTML code instead of parsing PHP, then this tells me that that file doesn't have the .php extension, but .htm or .html Commented Oct 18, 2014 at 4:26
  • @Arif_suhail_123: Yeah, took me a minute to realize which part was displaying PHP as plain text. Sounds like it's not ALL php code, just the stuff from the sections. Commented Oct 18, 2014 at 4:28

1 Answer

It looks like you're getting these section contents pieces out of your database, and not from a file stored on your web server. Is that correct?

Assuming that's true, then my next question would be, who populates this data? Is this taken in any way from user input? The reason why I ask is because of my next suggestion, which may or may not be received well.

The reason why your PHP code isn't executing is that it's being retrieved from the database and output as a string, not as code. So how do you execute code that's stored in a string, you ask? Well, the answer to that question is to use eval() on the string. But this is where you have to be really careful!!!!!!! If any part of that string could have possibly come from an untrusted source, then malicious PHP code could be executed, which could potentially give evildoers a way into your server, where they can find all the information in your database, server, etc. Make sure you know where your code is coming from before executing it!


You make a good point that it's HTML mixed with PHP. So I see two possible solutions...

  1. This post suggests that you could do eval(' ?>'. $section .' <?php'); This makes sense: you're breaking out of PHP before you eval your string, and so requiring the included string to open its own PHP tags to write PHP code.
  2. Another way I can think of would be to throw the contents into a temporary file, and then include() that file:
// get the section contents from the database, store in $section
$filename = tempnam(sys_get_temp_dir(), 'section');   // unique temporary file
file_put_contents($filename, $section);               // write the mixed HTML/PHP to it
include($filename);                                   // parsed and executed like any PHP file
unlink($filename);                                    // remove the temporary file afterwards
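As an added example (not code from the question or the answer), the two rendering paths side by side: the answer's first approach, eval() after leaving PHP mode, and an eval-free alternative that stores plain HTML with placeholders and substitutes a fixed set of values. It assumes the section string comes from the database and that SITE_URL / SITE_TITLE are the only values a section needs; the sample section and values are constructed.

```php
<?php
// Approach 1 from the answer: leave PHP mode with '?>' so the stored string
// is parsed as a template that may open its own <?php tags. Output is
// buffered and returned so the caller decides where it goes.
// Only render sections written by the site administrator this way: eval on
// content an untrusted user can edit is remote code execution on the server.
function render_section_eval($section)
{
    ob_start();
    eval('?>' . $section);   // ending in HTML mode is fine; no trailing <?php needed
    return ob_get_clean();
}

// Alternative that needs no eval: the section holds plain HTML with
// placeholders such as {{SITE_URL}}, and only keys present in $vars are
// substituted. A section containing "<?php ... ?>" is then inert text, so
// someone who can edit sections in the DB cannot execute code through it.
function render_section_placeholders($section, array $vars)
{
    return preg_replace_callback('/\{\{([A-Z_]+)\}\}/', function ($m) use ($vars) {
        if (!array_key_exists($m[1], $vars)) {
            return '';   // unknown placeholder: drop it rather than leak it
        }
        // escape so a value can never break out of an attribute or tag
        return htmlspecialchars($vars[$m[1]], ENT_QUOTES, 'UTF-8');
    }, $section);
}

// Constructed sample section, modelled on the logo block in the question.
$section = '<div id="logo"><a href="{{SITE_URL}}">'
         . '<img src="{{SITE_URL}}images/logo.png" alt="{{SITE_TITLE}}" border="0" /></a></div>';

// Hypothetical values; in the real script these come from inc/config.inc.php.
echo render_section_placeholders($section, array(
    'SITE_URL'   => 'https://example.com/',
    'SITE_TITLE' => 'Example Cashback',
));
```

If the sections must keep embedding real PHP, the admin panel that edits them becomes the security boundary: whoever can write a section can run arbitrary code as the web server user.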

2 Comments

I'm curious, I have never used eval() before. I'm actually relatively new to PHP. How would I write an eval when the code being pulled from the database contains both HTML and PHP in it? From what I just read about eval(), it only parses PHP, so the HTML will cause an error. :/
My initial thought was this, but it tanked on me :/ echo (htmlspecialchars_decode(eval($get_all_section[$i]['section_desc'])));
