1

Database Table company_info

-----------------------------
| companyname | companytype |
-----------------------------
| Company One | Blah        |
-----------------------------
| Company Two | Blah2       |
-----------------------------

Database Table invoice_template

-----------------------------
| Header      | bgcolor     |
-----------------------------
| $company    | Red         |
-----------------------------
| $company    | Biege       |
-----------------------------

PHP file common_include.php

$company = ... //FROM db table company_info field companyname

PHP file invoice.php

include('common_include.php');
$header = ... //FROM db table invoice_template field header
echo "Header is ". $header;
echo "<br/>Company is ". $company; //$company is defined in common_include.php

OUTPUT of invoice.php when the company logged in is, e.g., Company One

Header is $company
Company is Company One

Question: How do I get the $company in the output to be shown as Company One? I.e., how do I get the output from the MySQL DB to be treated as a variable?

  • What's the deal with the line $header = FROM db... because that should be invalid PHP... Commented Sep 21, 2010 at 9:38
  • @DisgruntledGoat: $header = FROM db .. is not valid PHP; it just means I am pulling data from the db. Commented Sep 21, 2010 at 10:52

3 Answers

2

The solution would be eval("echo $header"), although you should NEVER EVER want to resort to such solutions. You should -in my opinion- move all company related data into the database.

Update: You shouldn't put $company in your database. Relational databases should be relational. That means primary keys and foreign keys. Data should then be looked up by its relation. See also how an ORM would work in this situation:

echo $invoice_template->getCompany()->getName();

4 Comments

Thanks for the answer. I didn't understand why I shouldn't do this? The company data is in the db. The file only populates it into variables, so that the app can access it with an include. Is that risky? Please explain.
And echo eval($header) may work, but it doesn't work in my setup, because that variable and others are in a variable used to display the invoice as PDF. E.g., the real string is like $pdfcontent = <<<EOF html...<h1>$header</h1>...more html EOF; and I am using TCPDF. The output I now get is eval($comapny)
Although I still discourage you from going down this path, it would be something like $company = 'My Company'; $which = '$company'; eval("\$which = $which;"); echo $which;
I am thinking about redesigning my db/code, instead of doing it. Thanks
1

You don't want to do this. You're just opening up too many potential vulnerabilities mixing code and data like that - just imagine what happens when an attacker gains access to your database (either directly or through SQL injection) and puts all sorts of crazy PHP code into that column? Using just a single vulnerability like this, an attacker might be able to take over the entire server. What you want is probably a combination of a proper database structure, using joins to query for related information in one go, and maybe a simple text search-and-replace (using str_replace or maybe even preg_replace) to fill text templates with actual data.

2 Comments

Thanks. I could replace $company with a pseudo variable like #company and then preg_replace #company with the current company name.
You can use $company as well, just don't feed it to eval() or similarly evil constructs. Also, str_replace() does the job faster than preg_replace(), as long as you don't need anything fancy.
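
The search-and-replace approach suggested in this answer and its comments, as an added example that is not part of the original thread. The function name render_template, the allowlist array and the sample header values are assumptions constructed for illustration; the header text from the database is only ever treated as data, never executed.

```php
<?php
declare(strict_types=1);

// Replace "$name" tokens in a template string with values from an allowlist.
// The template is handled purely as data: nothing in it is run as PHP.
// (render_template is a hypothetical helper, not from the original thread.)
function render_template(string $template, array $values): string
{
    $out = preg_replace_callback(
        '/\$([A-Za-z_][A-Za-z0-9_]*)/',
        static function (array $m) use ($values): string {
            // Names not on the allowlist are left untouched instead of being
            // resolved against PHP variables, which is what $$ or eval() would do.
            return array_key_exists($m[1], $values) ? (string) $values[$m[1]] : $m[0];
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('Template substitution failed');
    }
    return $out;
}

// Constructed sample data standing in for the two database lookups.
$values = ['company' => 'Company One'];        // company_info.companyname

$headers = [                                   // invoice_template.header
    '$company',                                // the row from the question
    'Invoice for $company ($dbpassword)',      // a name that is not allowlisted
    '$company <?php phpinfo(); ?>',            // PHP code stored in the column
];

foreach ($headers as $header) {
    $text = render_template($header, $values);
    // Escape at output time, because the result is placed into HTML
    // (the same applies to the HTML string handed to TCPDF).
    echo 'Header is ', htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "<br/>\n";
}
```

Because substitution is a single pass over the template, a company name that itself contains a "$name" token is not expanded a second time.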
1

If $header is set to the literal string value $company and the variable $company is set to the string Company One then this should work:

echo "Header is ". $$header; // outputs 'Header is Company One'

However, as others have said, this is not a good idea, particularly for security.

1 Comment

While I agree this is also an ugly idea, it wouldn't work like this. $header should then be set to the literal string value company. Otherwise PHP throws a notice: 'Undefined variable $company'. This should work: $header = substr($header,1); $header=$$header; echo $header;. Still, this is as ugly as eval().
