
I am storing in a mySQL table the HTML/PHP content of individual slides to be displayed on a single page.

Here is an example of HTML/PHP code stored in the mySQL table:

<p>Welcome <?php echo $userData['fname']; ?>!</p>

<p>You made it to the first slide!</p>

I retrieve the content of the slides in PHP with the following code:

<?php

    // Note: 'order' in single quotes is a string literal, so the original query
    // sorted by a constant; `order` (backticks) names the column. $pageID is cast
    // to int so it cannot alter the query.
    $fetchedPageSlideData = mysql_query("SELECT * FROM pageSlides WHERE pageID = " . (int) $pageID . " ORDER BY `order` DESC") or die(mysql_error());

    while ($pageSlideData = mysql_fetch_array($fetchedPageSlideData)) {

        $pageSlideContent = $pageSlideData['content']; ?>

        <div><?php echo $pageSlideContent; ?></div>

    <?php }

?>

All of the HTML of the content displays correctly, but the PHP is inserted as follows:

<!--?php echo $userData['fname']; ?-->

So the PHP is commented out and doesn't display.

How can I retrieve the HTML/PHP code and have the PHP not commented out?

  • What is the content of the database relevant to the code that has been inserted into the output HTML? Commented Nov 16, 2011 at 15:45
  • Storing PHP code in a database is bad practice. Commented Nov 16, 2011 at 15:45
  • @ShaktiSingh: It depends on the specific case. But yes, it may be incorrect in this case. Commented Nov 16, 2011 at 15:46
  • I suspect that it is the code before and after your echo that is causing your code to be commented out. Commented Nov 16, 2011 at 15:46
  • @Tadeck The PHP outputs the user's first name. Is that what you were asking, Tadeck? Commented Nov 16, 2011 at 15:47

3 Answers


It might be a better idea to use placeholder strings in the DB data. Executing arbitrary php code from a DB can be dangerous. PHP is Evil


2 Comments

Thanks! I'm looking into the use of placeholder strings. This might accomplish what I'm trying to do. Thanks again.
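A placeholder-based renderer for the stored slide, added here as an example of the approach the answer above suggests (it is not code from the question or any answer); the {{name}} syntax, the whitelist and the sample row and user record are assumptions:

```php
<?php
// Added example: replace {{name}} placeholders in stored slide content with
// escaped values instead of executing PHP fetched from the database.
// The {{name}} syntax, the whitelist and the sample data are assumptions.

function renderSlide(string $template, array $values, array $allowed): string
{
    return preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        function (array $m) use ($values, $allowed): string {
            $name = $m[1];
            // Leave unknown or non-whitelisted placeholders untouched, so a typo in
            // the slide, or a reference to a key like password, stays visible.
            if (!in_array($name, $allowed, true) || !array_key_exists($name, $values)) {
                return $m[0];
            }
            // The substituted value is data: escape it so it can never become markup.
            return htmlspecialchars((string) $values[$name], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// Constructed sample row: what pageSlides.content holds instead of inline PHP tags.
$storedSlide = "<p>Welcome {{fname}}!</p>\n<p>You made it to the first slide!</p>";
// Constructed user record; fname carries markup to show that escaping neutralises it.
$userData = ['fname' => 'Ann <b>"Smith"</b>', 'password' => 'hunter2'];
$allowed  = ['fname', 'lname'];   // only these keys may ever be interpolated

echo '<div>', renderSlide($storedSlide, $userData, $allowed), "</div>\n";
// {{password}} is not in the whitelist, so it is left as literal text.
echo '<div>', renderSlide('<p>{{password}}</p>', $userData, $allowed), "</div>\n";
```

In the question's loop this amounts to echoing renderSlide($pageSlideData['content'], $userData, $allowed) instead of the raw content column.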

Look into PHP function eval(): http://php.net/manual/en/function.eval.php

1 Comment

Thanks. I checked out eval(), but it looks like it has to be within PHP, which just gets commented out.

Dropping in and out of the PHP interpreter makes your code rather difficult to read. Consider:

<?php
    // `order` in backticks names the column; in single quotes it would be a
    // string literal and sort nothing. $pageID is cast to int to keep it out of
    // the query text as anything but a number.
    $f = mysql_query(
      "SELECT *
        FROM pageSlides
        WHERE pageID = " . (int) $pageID . "
        ORDER BY `order` DESC"
      ) or die(mysql_error());

    while ($d = mysql_fetch_array($f)) {
       print "<div>" . $d['content'] . "</div>\n";
    }

Regardless, there is neither an implicit nor an explicit mechanism here that would inject the comment tags you've presented. However, it may be the browser trying to make sense of the unescaped HTML code and <?php ... ?> tags.

Try:

    print "<div>" . htmlentities($d['content']) . "</div>\n";

As a side note, you might consider using

    print "<div>" . highlight_string($d['content']) . "</div>\n";

Or do you mean that you actually want to run the code stored in the database? If so, you're asking for a world of pain. Eval is not evil, but you really must know what you're doing to avoid getting bitten by it.
