Thought I had this taken care of yesterday with the assistance of another member here, but an anomaly has suddenly crept in that I can't figure out.
I draw all of my text content from a mysql DB. This content already has HTML formatting applied and will generally look like this example:
<h1>Some headline</h1>
<p>Some text goes here on this line</p>
This text does change of course depending upon the page which is called. On some pages, I find it necessary to have one or more php vars included in the database text to vary the page content, like this:
//these vars are initialized before the base text is drawn from the db
$headVariation = 'about yacht crews';
$textVariation = 'regarding crewing in southeast asia';
//DB text:
<h1>Some headline $headVariation</h1>
<p>Some text goes here on this line $textVariation</p>
After I draw the information from the DB into a record set named $result, I've followed the PHP manual and do this:
eval("\$content = \"$content\";");
echo $content;
Now, on SOME pages (with or without $vars in the db text) this works just fine - record sets with vars show up with the proper variable values included; those pages without vars display as expected...
But while undergoing QA on the entire project, I've noticed that some pages (those without $vars in the db text) are now throwing Unexpected T_STRING errors - which specify the eval() function - on OR DIRECTLY AFTER the lines where the eval() function is called.
Am I somehow doing - eval("\$content = \"$content\";"); - incorrectly? Or is this perhaps an issue of how I'm indicating the $var in the DB text?
As mentioned, I've basically copy/pasted the example shown in the PHP manual so I don't know where I'm going wrong.
Has anyone else had this problem?
Neophyte
If I echo out $content to the screen BEFORE doing an eval(), for database content that HAS an embedded $var, what I get on the screen is like this:
this is some string with a $var
Doing an eval BEFORE the echo gives me results as expected.
Those pages which don't have a $var in the db text still get the same error:
Parse error: parse error, unexpected T_STRING in F:\WEBDEV\_Koisis Base Directory\display\content_generic\dsp_generic_con_main.php(6) : eval()'d code on line 5
Is there a better way to do this without using eval()?
Neophyte
It looks like the line being eval'ed needs to be fully qualified:
=>eval("\$content = \"$content\";");
=>eval('$content = "' . $content . '";');
=>eval('$content = "' . 'hamburgers' . '";');
=>eval('$content = "hamburgers";');
$content = "hamburgers";
That seems all well and good. Now watch what happens if $content = <"Does this dress make me look fat?", she asked.>:
=>eval("\$content = \"$content\";");
$content = ""Does this dress make me look fat?", she asked.";
Oops! Syntax errors ahoy! Now watch what happens if $content = <"; print "Iz in ur PHP, runnin ur codez!".">;
=>eval("\$content = \"$content\";");
$content = ""; print "Iz in ur PHP, runnin ur codez!"."";
See the problem? Not only do you end up with syntax errors when users use quotes, you've accidentally allowed people to execute arbitrary PHP code. This is generally considered a Bad Thing.
This is the exact same problem people have which causes SQL injection vulnerabilities, JavaScript injection vulnerabilities, and probably some others I'm forgetting.
There are a number of ways to fix your problem, but rather than list them all off, I'm going to give you a chance to figure them out for yourself. (Though anybody who knows the answer is welcome to chime in.) ;)
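As an added example (not code from either poster), the following contrasts the eval() interpolation from the first post with one of the fixes the reply hints at: keep the database text as data and swap named placeholders in with strtr(). The {name} placeholder syntax and the renderContent() / renderWithEval() functions are assumptions for this example; the thread stores bare $headVariation / $textVariation in the database. The three rows are constructed to mirror the thread's own cases.

```php
<?php
// Added example, not code from the thread. The stored HTML is treated as
// data: named placeholders are swapped in with strtr(), so the text is never
// parsed as PHP. The {name} placeholder syntax is an assumption; the thread
// stores bare $headVariation / $textVariation in the database text.

// Constructed rows standing in for the thread's $result record set.
$rows = [
    '<h1>Some headline {headVariation}</h1><p>Some text {textVariation}</p>',
    '<p>"Does this dress make me look fat?", she asked.</p>',
    '<p>"; print "Iz in ur PHP, runnin ur codez!"."</p>',
];

// The per-page variables, set by the developer before the text is fetched.
$vars = [
    'headVariation' => 'about yacht crews',
    'textVariation' => 'regarding crewing in southeast asia',
];

// The thread's approach: the row is spliced into PHP source and compiled.
// Any quote, semicolon or "$" in the row changes the program, which is why
// row 1 fails to parse and row 2 would run as code. Kept only for contrast;
// it is never called on row 2 here.
function renderWithEval(string $content): string
{
    eval("\$out = \"$content\";");
    return $out;
}

// Safe approach: one-pass placeholder substitution. strtr() does not
// re-scan replaced text, so a value containing "{headVariation}" or "$"
// is copied literally, and unknown placeholders are left untouched.
function renderContent(string $content, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['{' . $name . '}'] = $value;
    }
    return strtr($content, $map);
}

// Row 1 under eval(): PHP 7+ throws ParseError in place of the old
// "unexpected T_STRING" fatal error, so the failure can be shown.
try {
    renderWithEval($rows[1]);
} catch (ParseError $e) {
    echo "eval() rejected row 1: ", $e->getMessage(), PHP_EOL;
}

// All three rows render as plain text with the safe renderer; the
// characters in row 2 are just output, never executed.
foreach ($rows as $i => $content) {
    echo "row $i: ", renderContent($content, $vars), PHP_EOL;
}
```

The stored HTML rows are trusted, developer-authored content, and so are $headVariation and $textVariation in the thread. If any substituted value ever comes from user input, pass it through htmlspecialchars() before building $map, otherwise the same placeholder mechanism turns into an HTML injection point even though no PHP is evaluated.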