4

How to return php code from mysql row 'content' record where it might contain just plain text like:

Hello!

or/and php like:

Lets try some php: <?php echo phpinfo(); ?>

without hurting performance (speed) when it contains just plain text?


Here is an example when it returns php on using include(), but in this case it's not what I am asking for (I am asking the case where all content php will come from mysql).

mysql record:

+---------------+
| id |  content |
|---------------|
|  0 | test.php |
+---------------+

test.php content: <?php echo phpinfo(); ?>

trying to return php from mysql through include():

// Legacy mysql_* extension as used in the question (removed in PHP 7; mysqli/PDO today).
// $con is the connection handle opened earlier (not shown).
$result = mysql_query("SELECT content FROM test WHERE id=0");
while ($row = @mysql_fetch_array($result, MYSQL_ASSOC)) {
    $content = $row['content'];      // here this is the filename "test.php"
    ob_start();                      // capture whatever the included file prints
    include $content;                // runs test.php, so its PHP executes
    $content = ob_get_contents();
    ob_end_clean();
    echo $content;
}
mysql_close($con);
  • So you have PHP code interspersed with plain text in your fields, but you want to extract (and use?) only the PHP content? Commented Jun 28, 2011 at 19:00
  • @Jonathan Sampson - both of them act like PHP. For example Hello <?php $text='there';echo$text;?>! will return Hello there!. Commented Jun 28, 2011 at 19:05
  • @yes123 - it does not matter. The main thing is the question. Commented Jun 28, 2011 at 19:06
  • @Binyamin @Karolis provided the correct answer (to use eval() on the contents), but please be very careful when doing this. This is generally frowned upon. Commented Jun 28, 2011 at 19:07
  • Why do you ob_.. if you echo it on the next line? Commented Jun 28, 2011 at 19:12

2 Answers

4

Try to evaluate the content of the record: eval($row['content']);

COMPLEMENT: You have a mixed html+php code in your case and this means that you need to use a closing PHP tag to leave PHP mode, so in your particular case this may look something like this:

eval( '?>'. $row['content'] .'<?php ' );

Note: leave the extra space after the opening tag, because it has some issues: http://www.php.net/manual/en/function.eval.php#97063


4 Comments

  • @Binyamin: When eval() is the answer, you're asking the wrong question. Karolis is correct in this case: you would have to eval() your code to achieve the results you desire. However, your design needs to be fixed. Storing code in a database and arbitrarily executing that code is insecure and inefficient.
  • Sometimes you are tied to a system and can't do things the way you'd prefer. Generally, it's the will of the employer, and unless you sign your own paychecks you generally can't get around this.
  • Is there any secure way to do it, like with template style {{content_id,current_time}} without eval()?
  • @Binyamin (1) Actually, this way is not insecure. In my opinion the arguments about eval and security are exaggerated. I think, like always, everything depends on the particular application design only. The function itself has nothing to do with security. All security depends on how you handle the argument passed to this function. (2) You can create a function get_content(content_id, current_time). Inside this function do a strict validation of the arguments and run eval(). Then whenever you need eval() in your code, use get_content() instead.
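The follow-up comment asks for a "template style" alternative that avoids eval() altogether. The script below is an added example, not code from the answer or the commenters: it renders a content row by substituting a fixed whitelist of {{placeholders}} and never passes the stored text to the PHP parser. The placeholder names (content_id, current_time), the date() format and the sample rows are assumptions constructed for the illustration; the rows stand in for SELECT id, content FROM test.

```php
<?php
// Added example: whitelist-based placeholder rendering instead of eval().
// Plain text takes a single strpos() fast path, which also answers the
// "without hurting performance" part of the question.

/** Values a template may reference. Any other name is rejected. (Constructed whitelist.) */
function placeholder_values(int $content_id): array {
    return [
        'content_id'   => (string) $content_id,
        'current_time' => date('Y-m-d H:i:s'),
    ];
}

/**
 * Render one content record. Placeholder syntax is limited to {{ [a-z_]+ }},
 * every name must exist in the whitelist, and substituted values are
 * HTML-escaped. The surrounding content is copied through untouched, so a
 * literal "<?php ... ?>" in a row is just text here, never executed.
 */
function render_content(string $content, int $content_id): string {
    if (strpos($content, '{{') === false) {
        return $content;                 // fast path: nothing to substitute
    }
    $values = placeholder_values($content_id);
    return preg_replace_callback(
        '/\{\{\s*([a-z_]+)\s*\}\}/',
        function (array $m) use ($values): string {
            if (!array_key_exists($m[1], $values)) {
                // Unknown placeholder: leave it visible (escaped) rather than guess.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return htmlspecialchars($values[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $content
    );
}

// Constructed sample rows standing in for the "test" table in the question.
$rows = [
    ['id' => 0, 'content' => 'Hello!'],
    ['id' => 1, 'content' => 'Record {{content_id}} rendered at {{ current_time }}'],
    ['id' => 2, 'content' => 'Lets try some php: <?php echo phpinfo(); ?>'], // stays literal text
    ['id' => 3, 'content' => 'Nope: {{system}}'],                           // not whitelisted
];
foreach ($rows as $row) {
    echo render_content($row['content'], $row['id']), "\n";
}
```

Row 0 is returned after one strpos() call, row 1 gets its two placeholders filled, row 2 comes back exactly as stored (the PHP tag is never evaluated), and row 3 keeps the unknown placeholder visible instead of silently dropping it. Anything dynamic that a page really needs becomes another entry in placeholder_values(), which is the "strict validation" the comment above asks for, done once in code rather than per row in the database.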
1

PHP Code in the DB sucks, but I've been in situations before where it had to be done because my employer would not let me rewrite the system in such a way as to avoid it, so here's a general version of the solution we used:

$string = 'this <?php echo "is not"; ?> cool';

// Replace every <?php ... ?> (or <? ... ?>) block with whatever it prints.
function exec_php($php_string) {
    return preg_replace_callback(
        '/<\?(?:php)?(.*?)\?>/s',   // non-greedy, and "s" lets "." span newlines
        'exec_php_embed',
        $php_string                 // the parameter, not the global $string
    );
}

// Callback: run one captured block and hand back its output.
function exec_php_embed(array $args) {
    if (count($args) != 2) {
        return '';
    }
    list(, $code) = $args;
    ob_start();
    eval($code);
    return ob_get_clean();
}

echo exec_php($string);   // prints: this is not cool

Note: BE VERY VERY CAREFUL WITH THIS! DO NOT EXECUTE USER GENERATED CONTENT WITH THIS! Try to replace this as soon as possible!

Using eval() is not just inefficient, it's dangerous when used even slightly improperly. While I highly discourage the use of things like the above, I do imagine it will prove to be a solution to your immediate problem. I do not guarantee it won't create more problems of its own ;)

As GNU says:

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
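Before either eval()-based approach on this page goes anywhere near a real table, it helps to know which rows actually contain PHP, so the set that gets executed is small, known and reviewable. The script below is an added example, not part of the answer above: it scans content rows with a tag pattern that mirrors the answer's regex (extended to the <?= short echo form) and reports each row as plain text, PHP, or an unterminated open tag. The sample rows are constructed; in practice they would come from SELECT id, content FROM test.

```php
<?php
// Added example: audit which content rows embed PHP before any of them is evaluated.

/** Tags the answer's exec_php() would execute, plus the <?= short echo tag. */
const PHP_TAG_PATTERN = '/<\?(?:php\b|=)?.*?\?>/s';

/**
 * Classify one row. Returns ['status' => 'plain'|'php'|'unterminated', ...].
 * The strpos() check keeps plain text cheap, which is the common case.
 */
function classify_content(string $content): array {
    if (strpos($content, '<?') === false) {
        return ['status' => 'plain'];
    }
    if (preg_match_all(PHP_TAG_PATTERN, $content, $m) > 0) {
        return ['status' => 'php', 'blocks' => $m[0]];
    }
    // "<?" present but never closed: with eval('?>' . $content . '<?php ')
    // the rest of the row would be parsed as PHP, so it needs a look too.
    return ['status' => 'unterminated'];
}

/** Map id => classification for every row that is not plain text. */
function find_code_rows(array $rows): array {
    $found = [];
    foreach ($rows as $row) {
        $info = classify_content($row['content']);
        if ($info['status'] !== 'plain') {
            $found[$row['id']] = $info;
        }
    }
    return $found;
}

// Constructed sample rows standing in for the "test" table.
$rows = [
    ['id' => 0, 'content' => 'Hello!'],
    ['id' => 1, 'content' => "Hello <?php \$text='there';echo\$text;?>!"],
    ['id' => 2, 'content' => 'this <?php echo "is not"; ?> cool <?= "twice" ?>'],
    ['id' => 3, 'content' => 'broken <?php echo 1;'],
];
foreach (find_code_rows($rows) as $id => $info) {
    if ($info['status'] === 'unterminated') {
        printf("row %d: unterminated PHP open tag\n", $id);
        continue;
    }
    printf("row %d: %d PHP block(s)\n", $id, count($info['blocks']));
    foreach ($info['blocks'] as $block) {
        echo "    ", $block, "\n";
    }
}
```

Row 0 is skipped entirely, row 1 reports one block, row 2 reports two (which is why the non-greedy `.*?` matters: a greedy `.*` would merge them into one), and row 3 is flagged because the tag never closes. Running a check like this over the real table, and keeping its output under review, is the minimum before trusting the content column as code.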
