I have a string that is being echo'd from a table but it won't see the $Page in the string as PHP.

 

I have tried many various attempts and none have worked. This is what I have tried (these are in fact stored in the database in a table):

 

Field name: Link

Attempt 1:   '<a href="page.php?page='.$Page.'">Test</a>';
Attempt 2:   <a href="page.php?page=<?=$Page?>">Test</a>
Attempt 3:   <a href="page.php?page=$Page">Test</a>
Attempt 4:   <a href="page.php?page=<? echo $Page?>">Test</a>

 

Now bear that in mind above, below is what I have done to display it in a page:

 

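<?php
$SELECT = mysql_query("SELECT Link,Name FROM pages WHERE Area='$ID'")
    or die(mysql_error());
while ($row = mysql_fetch_assoc($SELECT)) {
    $Page = $row['Name'];
    // Prints the stored string exactly as it is in the table;
    // PHP does not expand $Page inside data read from the database.
    echo $row['Link'];
?>
<br>
<?php
}
?>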

 

The end result was although the <a href worked... the "GET" value was just the string of what I put in the table... so it did not detect the PHP variable and change its value to the name from the row!

 

How can I get it to work?


If that's true then instead of adding a security risk.. try

<a href="page.php?page=$Page">Test</a>

 

$Page = $row['Name'];
$data = str_replace('$Page', $Page, $row['Link']);
echo $data;

 

MadTechie yours worked perfectly!

 

The eval was giving me errors. What is the security risk of using eval ?

Eval will execute anything that's passed to it.. so it's like allowing anyone to upload a PHP script and run it.. (not a good idea) note you can add filters etc but if you don't need eval.. then don't use it..

 

oh as a side note

to use eval you would need to do this

//echo $row['Link']; //replace with below
eval ("echo {$row['Link']};");

No function has a "security risk"; it is how you use a function that makes it a risk.

 

 

Eval will evaluate whatever is placed in it as PHP code to be executed.  Thus if you let raw end user input into eval a user could delete your whole site

(such as using eval on a raw textarea input that contained

foreach (glob('*') as $key => $value) {
    unlink($value);
}

)

 

If the function exists in the code then there's a risk.. you can reduce the risk by adding filters but remove the risk by not having it there! In this case the function will be using data from the database, thus there are many ways to input data (miss one and all hell breaks loose, database & PHP). If you don't have eval and miss an input filter/validation then database wise (all hell breaks loose) but at least if they injected some PHP commands it wouldn't do any harm..

 

Personally.. if I don't have to use eval or exec/shell etc I try not to.
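
An added example, not part of the original thread: the str_replace substitution from the reply above, next to a variant that encodes the page name for the place it lands (a query-string value inside an HTML attribute). The function names and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example; function names and sample rows are hypothetical.

// The thread's approach: swap the literal token for the raw value.
function render_link_raw(string $template, string $pageName): string
{
    return str_replace('$Page', $pageName, $template);
}

// Same substitution, but the value is encoded for where it lands:
// a query-string value inside a double-quoted HTML attribute.
function render_link(string $template, string $pageName): string
{
    // rawurlencode() percent-encodes quotes, &, < and >; htmlspecialchars()
    // is kept so the output stays attribute-safe if that step ever changes.
    $safe = htmlspecialchars(rawurlencode($pageName), ENT_QUOTES, 'UTF-8');

    // strtr() replaces only the exact token; the stored template is
    // treated as data and is never executed, unlike with eval().
    return strtr($template, ['$Page' => $safe]);
}

// Constructed rows standing in for the pages table (Link, Name).
$template = '<a href="page.php?page=$Page">Test</a>';
$rows = [
    ['Link' => $template, 'Name' => 'Home'],
    ['Link' => $template, 'Name' => 'Q&A "2008" <draft>'],
];

foreach ($rows as $row) {
    echo 'raw:     ', render_link_raw($row['Link'], $row['Name']), "\n";
    echo 'encoded: ', render_link($row['Link'], $row['Name']), "\n";
}
```

page.php still receives the original name in $_GET['page'], because PHP URL-decodes query values automatically.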
