Storing PHP code in Database

         

theb3s7

5:15 pm on Jan 15, 2008 (gmt 0)

10+ Year Member




System: The following message was cut out of thread at: http://www.webmasterworld.com/php/3526199.htm [webmasterworld.com] by eelixduppy - 12:28 pm on Jan. 15, 2008 (est -5)


Hello!
Related to this topic, I also have a question.

I built my database-driven website and I am extracting the HTML formatted text from the database and "echo"-it out, kinda like this:

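<!-- start of code -->

// $id is assumed to come from the request; escape it before it is placed in the query
$id = mysql_real_escape_string($id);
$result = mysql_query("SELECT url_name,text FROM content WHERE url_name='$id'");
$row = mysql_fetch_array($result, MYSQL_ASSOC);

// Display content (the stored text is sent to the browser as-is, not executed)
echo $row['text'];

<!-- end of code -->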

My problem is that I wish to insert some PHP code in the database and I want it to run. But, of course, by making an echo, it will only be shown, not executed.

Can you tell a method to extract AND run the contents extracted?
Thank you.

Best Regards,
Alex

[edited by: eelixduppy at 5:27 pm (utc) on Jan. 15, 2008]
[edit reason] no URLs, please [/edit]

theb3s7

6:19 pm on Jan 15, 2008 (gmt 0)

10+ Year Member



..after a little thinking I found the solution I was searching, by myself.

I replaced

echo $row['text'];

with
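$row['text'] = '?>' . $row['text'] . '<?php '; // leave PHP mode first so the stored HTML is output as-is
eval($row['text']); // executes whatever PHP the database row contains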

Now the php code that I insert into the database gets executed too :)

Cheers

eelixduppy

6:49 pm on Jan 15, 2008 (gmt 0)



Welcome to WebmasterWorld!

You must be very careful with this sort of implementation as it is open to various exploits if the data is not handled properly. You have to make sure that the input going to the database is cleaned and properly escaped, and you also have to make sure the input coming FROM the database is clean before using it in an eval statement. I would usually not recommend this approach in the first place if you can find another way to do it. Maybe you can work the same thing out with a series of includes [php.net] as that would be a better implementation.
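
One way to apply the include-based suggestion above, as an added example that is not part of the original thread: the database row names a handler from a fixed allowlist and the PHP itself stays in files on disk, so nothing read from the database is ever evaluated. The `handler` column, the handler names and the sample rows are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. The `handler` column, the handler
// names and the sample rows are assumptions constructed for illustration.

// Fixed map from handler key to a PHP file shipped with the site. A database
// row can only select a key; it can never supply code or a file path.
function handler_map(string $dir): array
{
    return ['news' => "$dir/news.php", 'guestbook' => "$dir/guestbook.php"];
}

function render_page(array $row, array $handlers): string
{
    $key = $row['handler'] ?? null;
    if ($key === null) {
        return $row['text'];               // static page: emitted as text, never evaluated
    }
    if (!is_string($key) || !isset($handlers[$key]) || !is_file($handlers[$key])) {
        return '<p>Page unavailable.</p>'; // unknown key or missing file: fail closed
    }
    ob_start();
    include $handlers[$key];               // code comes from disk, not from the row
    return ob_get_clean();
}

// Constructed demo: one handler file on disk and four rows standing in for
// the result of the SELECT on the `content` table.
$dir = sys_get_temp_dir() . '/handlers_' . getmypid();
mkdir($dir);
file_put_contents("$dir/news.php", '<?php echo "<h1>News, " . date("Y") . "</h1>";');

$rows = [
    ['url_name' => 'about', 'handler' => null,   'text' => '<p>About us</p>'],
    ['url_name' => 'news',  'handler' => 'news', 'text' => ''],
    // Tampered rows: a path instead of a handler key, and PHP inside the text.
    ['url_name' => 'bad-key',  'handler' => '../uploads/x.php', 'text' => ''],
    ['url_name' => 'bad-text', 'handler' => null, 'text' => '<?php phpinfo(); ?>'],
];

foreach ($rows as $row) {
    echo $row['url_name'], ' => ', render_page($row, handler_map($dir)), PHP_EOL;
}

unlink("$dir/news.php");
rmdir($dir);
```

With this layout a modified row can at most select another allowlisted page or inject markup; the stored text still needs the usual output handling if it is not fully trusted.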

theb3s7

7:06 pm on Jan 15, 2008 (gmt 0)

10+ Year Member



Thank you.

Nobody has access to that website besides me.. So that makes it very secure :)
I mostly have static pages but I have also 2 or three dynamic ones, which I needed to create separately till now.. But with this I can include all in the database and it's cleaner.

Thanks for the warnings though.

All the best.

eelixduppy

7:14 pm on Jan 15, 2008 (gmt 0)



Nobody has access to that website besides me.. So that makes it very secure

If it's available on the internet then that statement may or may not be true ;)

theb3s7

7:35 pm on Jan 15, 2008 (gmt 0)

10+ Year Member



:)) I see what you mean.. but really ;) I know what I'm talking about :)

Esqulax

2:32 pm on Jan 17, 2008 (gmt 0)

10+ Year Member



I have to admit, the security was the first thing that came to my mind!
Even though that code worked, probably worth bearing in mind the potential exploitation of said code for future projects.