I have a basic cms that stores pages in a table in a mysql database - is it possible for me to include PHP in a page and then have PHP process it rather than just output it as-is?
3 Answers
Comments
I think you'd have to use eval() to do such a thing. So yeah, possible but not recommended.
4 Comments
el joe
Can I ask what the security problems with this would be? (I am the only person who can add content to the database and I do this via phpmyadmin)
Darrell Brogdon
I think you would have more issues with performance than security. eval() is pretty expensive since PHP has to essentially spawn another interpreter for each call of eval().
wallyk
Also, that would be—at best—inconvenient to debug.
tstenner
Are you sure that you're the only one with access to the database? Using eval would turn a simple SQL-injection into a security nightmare.
As both suggestions have indicated, using eval() is not recommended and poses a serious security issue.
Your best bet would be to create a basic templating system. You could have a pre-determined set of PHP code blocks on the frontend which are triggered by certain key values on the backend, i.e. {show_categories} could be a tag that when parsed, gets replaced with all categories.
To implement such functionality you would have to search for the particular template key values. If any such key values are found, run the associated code with that key value and replace the key with the code.
A very basic example of finding and replacing a template key:
// check if the show_categories key is found
if (strpos($body, '{show_categories}') !== false) {
// generate the show categories output from a PHP function
$categories = getCategoriesOutput();
// replace key with content
str_replace('{show_categories}', $categories, $body);
}
