0

I am storing PHP snippets in a MySQL database. I am using mysql_real_escape_string and all is well unless there is a & in the PHP code, and then I get a MySQL error. Is there another way I should try to store this information?

Thanks

12
  • 2
    Which MySQL error do you get? Commented Jun 7, 2011 at 10:15
  • 4
    Perhaps base64_encode would be useful. Commented Jun 7, 2011 at 10:16
  • What is the MySQL Error you are getting? Commented Jun 7, 2011 at 10:17
  • 2
    It's because values are not quoted in query, read this: stackoverflow.com/questions/6198104/… Commented Jun 7, 2011 at 10:18
  • @Andre Backlund and how will you implement full text search after that? It's just useless overhead in this case. Commented Jun 7, 2011 at 10:20

3 Answers

3

@Peter: unless you're building a website for helping developers, you have no reason to put PHP code into your database. It's a warning: this is gonna be a big nightmare to maintain/debug. Can't you link your pages to some parameters and then in your code use these parameters to build each request? It may seem a simple design solution at the beginning ("how god I can do whatever I want in all my pages") but it might be the worst you're taking on your project.

I don't know how to say this but you should really try to consider another solution. And I'm not speaking about security: if you have an SQL injection the guy can execute SQL AND PHP so he can really take all your system/server down, or even attack a bigger site with yours (and then you'll be responsible).

I'm really surprised everyone is fine with it.


0

Use base64_encode when you save the snippet into the database and base64_decode when you retrieve it.

8 Comments

Don't do it, because search in DB will be impossible.
Upvoted answer. The OP wants to store code in DB, and base64 encoding is a proper solution. Also, searching the DB won't be impossible, just searching the actual code (why would that be needed anyway?)
He can store code in DB without stupid encodings! Pluses of base64 here: none; minuses: search will be disabled, overhead to encode/decode.
I just tried base64_encode but MySQL still only stored up to the &. Is the problem maybe passing the & via POST?
@Peter: Post your solution to the problem here as a new answer, and accept it.
0

First, I am going to go on record and say I wholeheartedly agree with remi bourgarel. This is likely a bad idea.

But, from a technical standpoint here's how I'd do this IF I NEEDED TO:

$php_code = '
    <?php
        $var = "this is a string";
        $var = strtoupper($var);
        echo $var;
    ?>
';
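// Hex-encode the snippet so only the characters 0-9 and a-f reach the SQL text.
$php_code = bin2hex($php_code);
// $db is an already-open database connection object; x'...' is a MySQL hex literal.
$db->query("INSERT INTO php_code_snips (text_code) VALUES(x'{$php_code}')");

bin2hex will transform the string $php_code from a binary string to a hex string, and the x'{$php_code}' tells MySQL to expect a hex string.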

This means the string is stored as a string in the DB, and is fully searchable. But, since all chars are encoded as hex during the INSERT the special chars won't cause a problem.

Documentation:

bin2hex

Mysql Hex Values
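
An added example, not part of the question or of any answer above: a PHP script that checks the two places a `&` can damage a snippet, the form-encoded POST body raised in the asker's comment and the INSERT itself, and stores the value through a bound parameter instead of escaping or encoding it. The in-memory SQLite DSN and the sample snippet are assumptions made so the script runs offline; the table and column names are taken from the last answer.

```php
<?php
// Added example (not the page's code). Constructed sample snippet containing '&'.
$snippet = '<?php $flags = $a & $b; echo "x=1&y=2"; ?>';

// 1) Transport: in a form-encoded body '&' separates fields, so a value sent
//    without URL-encoding is cut at the first '&' before any SQL is involved.
parse_str('code=' . $snippet, $raw);                // body sent unencoded
parse_str('code=' . rawurlencode($snippet), $enc);  // body encoded by the client

echo 'unencoded body intact: ';
var_dump($raw['code'] === $snippet);
echo 'encoded body intact:   ';
var_dump($enc['code'] === $snippet);

// 2) Storage: bind the value as a parameter so it is never parsed as SQL text.
//    Assumption: pdo_sqlite is available; for MySQL only the DSN changes, e.g.
//    new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE php_code_snips (id INTEGER PRIMARY KEY, text_code TEXT)');

$insert = $pdo->prepare('INSERT INTO php_code_snips (text_code) VALUES (:code)');
$insert->execute([':code' => $enc['code']]);

// The snippet is stored as plain text, so it stays searchable with LIKE.
$find = $pdo->prepare('SELECT text_code FROM php_code_snips WHERE text_code LIKE :needle');
$find->execute([':needle' => '%$a & $b%']);
$stored = $find->fetchColumn();

echo 'round trip through DB intact: ';
var_dump($stored === $snippet);

// Treat the stored snippet as data: escape it for display and never pass it
// to eval() or include, which is the risk the first answer warns about.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```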
