0

I want to be able to put PHP into the database and run it. I have to do this because I store page layouts in the database and each are different from each other; however, in some cases I want to use dynamic content for some of the pages.

Assume $query_from_db is the string returned from the database. PHP should only eval() the code in between <?php and ?>

$query_from_db  = '<div>
<?php

//php to run
function dosomething() {
     //bleh
}

?>
</div>
';


php echo eval($query_from_db);

How can I do this? I'm aware this is not recommended.

10
  • 4
    It's unsafe, slow, harder to develop and maintain. Have you considered a templating engine? Commented Feb 21, 2011 at 23:26
  • It would save you a lot of trouble if you could put everything inside <?php ...?> with echos. (echo "<div>";//php to run ...) Commented Feb 21, 2011 at 23:26
  • @Eelvex, ahh so you're saying just insert the content in the database as if it's PHP in the first place and then just eval the whole thing. Commented Feb 21, 2011 at 23:28
  • 3
    "I have to do this" is almost certainly wrong. This whole enterprise is a terrible idea. Commented Feb 21, 2011 at 23:28
  • 1
    @Tomalak Geret'kal, you're so great at smashing the idea down, why in the hell don't you try offering an alternative method instead. Commented Feb 21, 2011 at 23:30

3 Answers 3

3

I'm not arguing about the sense or nonsense of this approach. To some extent, this is a valid question.

See the documentation:

To mix HTML output and PHP code you can use a closing PHP tag to leave PHP mode.

So you have to do:

eval('?> ' .  $query_from_db . ' <?php ');

DEMO

Also note that eval is outputting directly to the browser. It does not return a value. Have a look at Output Control Functions for buffering.


6 Comments

Is this safe as long as the content in the database isn't accessible to outside sources and only to me?
Yes, it is "safe" but it's against almost every programming paradigm I know ;D but well, everybody has his/her own style!
@kr1zmo: In a perfect world, it should be safe. There could always be problems. E.g. your stored code reads other (unsafe) user generated data. You might make mistakes. The other thing is that the stored code is more difficult to maintain. There are use cases for it, but I would avoid using it if possible.
@kr1zmo: In your case, using templates would be indeed better imo.
next task is Output Control Functions for buffering. So I can output eval to a string to run json_decode() on it.
0

You are aware that this is not recommended and I strongly urge everyone to review the comments to this question.

But to provide an answer:

<?php

$string = 'hello <?php echo "world"; ?>';

eval('?>'.$string.'<?'); // will output "hello world";

Be aware that this, however, will not work:

<?php

$string = 'hello <?php echo "world"; ?>';

eval('?>'.$string.'<?php'); // error will be thrown

This works again:

<?php

$string = 'hello <?php echo "world"; ?>';

eval('?> '.$string.' <?php '); // will output "hello world";

I am not really sure why.

Following up on your comment, to grab the output you can do:

<?php

$string = 'hello <?php echo "world"; ?>';

ob_start();
eval('?> '.$string.' <?php '); // will output "hello world";
$output = ob_get_clean(); // $output will now contain "hello world". No text will have been printed.

7 Comments

Explain to me why everyone freaks out about eval, if I'm the only one that has access to the content that's running in the eval()?
Because it is often used in situations where better, faster and more stable solutions are available. But in some rare cases it's useful and the only right solution. That's why it's not deprecated. Those are however very rare.
Well, I wouldn't count performance as a valid point here. There are far worse techniques that are perfectly accepted (regarding performance). Of course it's not so fast but it's not something that exponentially slows down your application and it's not so bad as well. If you get into discussion about performance on this level you should switch to another language. Injection is a valid point, but that's up to the programmer all the way through. Are mysql functions bad because they can possibly be used to inject malicious code? Style is a question of style! Maintainability. As said. Different opinions.
In fact maintainability can be potentially improved by eval because you achieve a higher granularity and code is encapsulated. No cross dependencies, other models, template engines etc. If it's only a small, secure, closed portion of code, having it all together in the template may be easier to maintain. I avoid eval too. In fact I never used it in a production environment afaik. But I just want to say that the common arguments are not as trivial as they may seem at first.
@Joe: I agree with your main points. Mainly, it's the combination of these (and other) "problems" that make the use of eval questionable.
0

If you want to avoid the eval stigmata, you can alternatively use:

include("data:,$query_from_db");

It's just another name for eval which doesn't upset people as much. It depends on the php.ini setting allow_url_include however.

What you are doing is functionally equivalent to include("$template/$by_name.php"); and just differs in that you didn't put the database content into a file before. (But that's the other workaround: file_put_contents && include).
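
The alternative raised in the comments (a template approach instead of eval()), as an added example that is not part of any answer above: the stored layout carries placeholders, and only callbacks on a fixed allowlist can run. The function name `render_layout()`, the `{{ name:arg }}` syntax and the sample blocks are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. render_layout(), $blocks and the
// {{ name:arg }} placeholder syntax are hypothetical. Requires PHP 7.4+.

function render_layout(string $layout, array $blocks): string
{
    // Stored PHP tags are never executed here; neutralise them so they show as text.
    $layout = str_replace('<?', '&lt;?', $layout);

    $out = preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)(?::([^}]*))?\s*\}\}/i',
        function (array $m) use ($blocks): string {
            $name = strtolower($m[1]);
            if (!isset($blocks[$name])) {
                // Not on the allowlist: emit the placeholder as escaped, inert text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // The argument is data handed to a fixed callback, never code.
            return (string) $blocks[$name](trim($m[2] ?? ''));
        },
        $layout
    );
    if ($out === null) {
        throw new RuntimeException('layout rendering failed, PCRE error ' . preg_last_error());
    }
    return $out;
}

// Allowlist: the only dynamic behaviour a stored layout can trigger.
$blocks = [
    'year'  => fn(string $arg): string => date('Y'),
    'greet' => fn(string $arg): string =>
        'Hello, ' . htmlspecialchars($arg, ENT_QUOTES, 'UTF-8'),
];

// Constructed sample standing in for $query_from_db.
$query_from_db = '<div>{{ greet: Ada <b> }} &copy; {{ year }} '
    . '{{ unknown_block }} <?php echo "world"; ?></div>';

echo render_layout($query_from_db, $blocks), PHP_EOL;
```

Because `render_layout()` returns the rendered string, no output buffering is needed to capture it, and a change to a database row can only select among the callbacks already defined in code.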
