0

Im managing my web content a DB. When you hit a certian page, a query is made to the db to return the content for that page. Usualy I just store static html as a string and when it's returned from the db and placed into the webpage, it renders correctly. But now, some of the content actually contains php and when returned, the php is displayed as text. I looked in the eval() function but doesnt seem to work for me, or perhaps I'm using it wrong.

Here is and example of my code:

mysql_select_db("default_DB1", $con);

                $result = mysql_query("SELECT * FROM submenus WHERE active = '1' and menu_id='" . $_GET['article'] . "'");

    echo "<ul>\n";
                $counter = 1;
                while($row = mysql_fetch_array($result))
                {
                        echo "<li><a href=\"#tabs-" . $counter . "\" onclick=\"storySize('tabs-" . $counter . "');\">" . $row['submenu_name'] . "</a></li>\n";
                        $counter = $counter + 1;                    
                }
                echo "</ul>\n";

                $counter = 1;
                $result2 = mysql_query("SELECT * FROM submenus WHERE active = '1' AND menu_id='" . $_GET['article'] . "'");
                while($row2 = mysql_fetch_array($result2))
                {
                        echo "<div id=\"tabs-" . $counter . "\" style=\"height:100%; overflow:visible;\">" . str_replace("*#*","'",$row2['submenu_content']) . "</div>\n";                      
                        $counter = $counter + 1;
                }

                mysql_close($con);

Then the content returned is:

<table width="100%">
<tr>
<td align="right">Username: </td>
<td align="left"><input type="text" id="txtUsername" name="txtUsername" value=""></td>
</tr>
<tr>
<td align="right">Password: </td>
<td align="left"><input type="text" id="txtPassword" name="txtPassword" value=""></td>
</tr>
<tr>
<td>User Type</td><td><select id="ddlUserType" name="ddlUserType">

$con = mysql_connect("domain.com","username","pwd");
if (!$con)
  {
  die(#*#Could not connect: #*# . mysql_error());
  }

mysql_select_db("default_DB1", $con);

$result = mysql_query("SELECT * FROM user_types WHERE user_type_name <> #*#Admin#*# and active = #*#1#*#");

while($row = mysql_fetch_array($result))
  {
  echo "<option value=\"" . $row[#*#user_type_id#*#] . "\">" . $row[#*#user_type_name#*#] . "</option>";
  }

mysql_close($con);

</select></td>
</tr>
<tr>
<td align="right"></td>
<td align="left"><input type="button" id="txtReg" name="txtReg" value="Register" onclick="alert(*#*plaka*#*);"></td>
</tr>
</table>
Improve this question
1
  • "SELECT * FROM submenus WHERE active = '1' and menu_id='" . $_GET['article'] . "'" You should really reconsider this, since it is VERY insecure and dangerous to have code like this lying around. Commented Jun 30, 2010 at 17:38

1 Answer 1

Reset to default
2

First off, look at eval. The reason I suspect it's not working, is that eval expects the code to start with php code (meaning it prepends an opening <?php. So it's trying to execute the HTML as php. To solve, simply prepend your code with ?> prior to feeding it into eval()...

Secondly, this is generally considered very bad practice. It makes it less secure (since a SQL Injection vulnerability can actually affect the server rather than just the data) and harder to maintain (since your code now lives in two places).

I would HIGHLY suggest finding another solution to your problem...

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I second this. Very bad idea.
Cool. Thanks for the advice, I'll look into another method of doing it.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.