Good night, I have a code that substitutes the data from the request and displays it, like this:

    $client = User::find($data['$id']);
    $execute = 'Send command ';
    $execute .=  $client->id;
    dd($execute);

It returns

^ "Send command 1"

Everything is working. But I want that if I add a variable to the database, for example, like this

$client->id

, and call it, then I need the code to process it as a variable, and not as a string, how to do this, thanks)

Example: (inside the variable $cliend in the database will be the following code:

$client->id

Code:

    $client = DB::table('users')->where('id', $id)->value('id');
    $execute = 'Send command ';
    $execute .=  $client;
    dd($execute);

It is necessary that this variable be executed as a variable and return its value, not from the database, but as in the first example.

  • If I don't mistake you, you want to put the variable name into the string? Why not just use \ to escape as you would anything else as per the documentation? If $client holds a variable, then you can access it correspondingly Commented Jul 26, 2022 at 21:27
  • I'm trying to make the variable that I got from the database called and return some value to me, and not be returned as a string, for example. I will write $client->id in the code, it will return the id to me, I want to put this $client->id into the database and when I output this from the database, I want it to be executed and not output as a regular string Commented Jul 26, 2022 at 21:39
  • Ok, I mean, I would never suggest to eval() untrusted user input but I don't think there is a way to do this using variable variables so use this at your own discretion - this just means your database design is failing if you're doing this. Commented Jul 26, 2022 at 21:44
  • This looks like an XY problem and therefore I would recommend you also share your motivation for pursuing this solution. Broadly speaking storing PHP code in a database for later execution is not recommended and in almost all cases there are much better alternatives to solve the given problem Commented Jul 26, 2022 at 21:56
  • @apokryfos Hello, I need this so that the administrator can add a command that will then be sent to the console, while still accepting external variables such as client id. Commented Jul 26, 2022 at 22:00

1 Answer


Having to store variable names into the database is extremely bad practice although PHP does natively support variable variables.

In your case, I do not see how you could implement this against an object without having to eval some additional code against, presumably, untrusted user input.

I would first suggest redesigning your database logic to avoid this but if this is necessary and/or your data is controlled then here is a solution:

    // Your object you want to access the value of
    $client = (object) ['id' => 1];

    // Data from your SQL statement that stores that variable name
    $databaseValue = '$client->id';

    // Eval and store result as variable
    eval("\$value = {$databaseValue};");

    // Result: Send command 1
    echo "Send command {$value}";

See it working over at 3v4l.org


Some additional thoughts, you could potentially use regex to capture that the stored data is indeed a variable and only grab the first match.

    ^\$(?:[a-z]|[A-Z])\S+

You can see an example of this over on 3v4l.org where we remove any potential bad stuff from the data but this is a very blacklisted approach and you should always look to take a whitelisted approach. Just hoping this helps down the line somewhere else.

For some explanation, please check out regex101 where I added some examples of how this could be easily escaped and is in no way the ultimate solution.


Update: Here is another regex you could potentially use to narrow down this even further.

    (?:\s|^)\$(?:[^\s]+?)(?:[a-z])+(?:->|$)?(?:[a-z]|[A-Z])+

Example and explanation can be found over at Regex101. PHP example can be found over at 3v4l.org (which remember is still never perfect).
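The "whitelisted approach" the answer keeps recommending, written out as an added example (this is not the answer's code and not part of the original thread). Instead of storing PHP code such as `$client->id` and passing it to `eval()`, the administrator stores a command template with named placeholders, and the application resolves each placeholder from a fixed map of values it computes itself. Any placeholder not in that map is rejected, so a stored string can never become code. The placeholder syntax `{client.id}`, the function names and the sample data are assumptions for illustration only.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer: resolve an admin-supplied
// command template without eval(). Placeholder names, function names and
// sample data below are assumptions for illustration.

// The whitelist: every placeholder an administrator may use, and how the
// application resolves it. Nothing outside this map is ever substituted.
function allowedPlaceholders(object $client): array
{
    return [
        'client.id'    => fn(): string => (string) $client->id,
        'client.email' => fn(): string => (string) $client->email,
    ];
}

/**
 * Replace {name} placeholders in $template using only the allowed map.
 * Unknown placeholders throw instead of being passed through or evaluated.
 */
function renderCommand(string $template, object $client): string
{
    $allowed = allowedPlaceholders($client);

    return preg_replace_callback(
        '/\{([a-z][a-z0-9_.]*)\}/',
        function (array $m) use ($allowed): string {
            $name = $m[1];
            if (!array_key_exists($name, $allowed)) {
                throw new InvalidArgumentException("Unknown placeholder: {$name}");
            }
            return $allowed[$name]();
        },
        $template
    );
}

// Constructed sample data standing in for User::find() / the users row.
$client = (object) ['id' => 1, 'email' => 'user@example.test'];

// What the administrator stores in the database instead of PHP code.
$storedTemplate = 'Send command {client.id}';

echo renderCommand($storedTemplate, $client), PHP_EOL;

// A stored template that references something outside the whitelist is
// refused at render time rather than executed.
try {
    renderCommand('Send command {client.role}', $client);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the stored value is data rather than code, the regex filters discussed above are no longer needed: the only way to add a new capability is to add an entry to `allowedPlaceholders()`. One caveat for the use case in the comments (the rendered string is sent to a console): the substituted values still originate from the request, so if the result is ever handed to a shell, wrap each resolved value in `escapeshellarg()` inside the map rather than trusting the rendered string as-is.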


6 Comments

Thanks! I need this so that the administrator can add a command that will then be sent to the console, while still accepting external variables such as client id. Thanks again!
No problem - just try to ensure you take a whitelisted approach when storing the variables - you could perhaps use regular expressions to ensure only a variable is passed if not.
Hm, I try like this, and the variable doesn't execute 3v4l.org/IFcrC (example from my code) My mysql query: status $client->id
Read the eval(): you're creating a new variable named $value which will contain the variable's value. Use that :)
You save my life! Thanks very much!!! Thanks!!!
