lxndr Posted April 12, 2008

I'm currently displaying a series of web pages based on HTML code and content which is stored in an SQL table. This works fine. Basically, the data is read into a php variable and then displayed using php echo statement. What I'd like to be able to do is incorporate php statements into the code stored in the SQL database but when I do that currently the php code does not get interpreted but merely left as the original code and ignored. Presumably this is because I'm echoing the content .. is there a way round this, i.e. I can read in the php code from the database AND have it interpreted as part of the web page display. Thanks in advance for any help.

Ian

raku Posted April 12, 2008

Hi, I don't think that it's safe / secure to have php interpret statements from a database. There aren't really any ways to prevent injection of dangerous code that way. Either way, not sure how you could make that work. Perhaps make a function with the code that you could call? Or have the sql database store some data that the function can interpret and create code that does what you're looking for if the code differs from query to query.

craygo Posted April 12, 2008

Not sure how it's done exactly but it can be done. A mod for SMF forums called tinyportal allows you to store php into the database and it is outputted to the browser. Let me check to see how they do it.

Ray

PFMaBiSmAd Posted April 12, 2008

You can use the eval() function, but this breaks a prime rule of programming - separation of code and data (content.) If the data in the database can in any way, deliberately or accidentally (sql injection), come from user (spam bot) supplied input, then you are just asking for your web server to be taken over.

lxndr Posted April 12, 2008

> You can use the eval() function, but this breaks a prime rule of programming - separation of code and data (content.) If the data in the database can in any way, deliberately or accidentally (sql injection), come from user (spam bot) supplied input, then you are just asking for your web server to be taken over.

I've basically been writing (for free) a series of web pages for a charity organisation and they regularly want their pages updating. Because I'm not always able to do it for them immediately I wrote a series of admin functions for them which allow them to change some of the page content. These functions are behind 2 layers of password protection ... I'm not sure whether that would be considered secure enough?

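Added example, not written by any poster in this thread: one way to follow raku's suggestion of storing data that a function interprets, so the stored text never reaches eval() and the separation of code and data that PFMaBiSmAd describes is kept. The `{{name:args}}` token syntax, the handler names and the sample row are assumptions made up for illustration.

```php
<?php
// Added example: render page content read from the SQL table without eval().
// The stored text is data only. A token can trigger PHP code only if its
// name is in the allowlist below, and that code lives in the source tree.

// Hypothetical allowlist: token name => callable returning plain text.
$handlers = [
    'year'       => fn(array $args): string => date('Y'),
    'upper'      => fn(array $args): string => strtoupper($args[0] ?? ''),
    'event_date' => fn(array $args): string => formatEventDate($args[0] ?? ''),
];

function formatEventDate(string $iso): string
{
    // Show a fixed marker when the argument does not parse as Y-m-d.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $iso);
    return $d ? $d->format('j F Y') : '[invalid date]';
}

function renderStoredContent(string $content, array $handlers): string
{
    // Tokens look like {{name}} or {{name:arg1|arg2}}.
    $out = preg_replace_callback(
        '/\{\{([a-z_]+)(?::([^{}]*))?\}\}/',
        function (array $m) use ($handlers): string {
            if (!isset($handlers[$m[1]])) {
                // Unknown token: leave it as inert, escaped text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $args = isset($m[2]) && $m[2] !== '' ? explode('|', $m[2]) : [];
            // Escape handler output so token arguments cannot add markup.
            return htmlspecialchars($handlers[$m[1]]($args), ENT_QUOTES, 'UTF-8');
        },
        $content
    );
    return $out ?? ''; // fail closed if the regex engine reports an error
}

// Constructed sample row standing in for the value read from the database.
$row = '<p>Fun run on {{event_date:2008-06-14}}. &copy; {{year}} '
     . '{{upper:our charity}} <?php phpinfo(); ?> {{delete_all}}</p>';

echo renderStoredContent($row, $handlers), "\n";
// The PHP tag embedded in the row is sent as literal characters and is never
// run on the server; {{delete_all}} has no handler, so it stays plain text.
```

The HTML around the tokens is still emitted as stored, so whoever can edit the table can change the page markup, but not run PHP on the server.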
Archived
This topic is now archived and is closed to further replies.