mananx Posted January 21, 2009

Hi,

My site has a backend; the backend stores data through a WYSIWYG editor. This editor uses an HTML entity encode function to store any changes in the database through the backend. To display the stored data, my site uses the html_entity_decode() function on an object fetched from the database. I want to include a PHP function in the site; however, when I enter a PHP function through the backend, it simply echoes all the PHP code, e.g.

    <?php echo "hello"; ?>

The page displaying the code is PHP itself. Any way to get around this problem?

Thanks
haku Posted January 21, 2009

First off - you posted this in the wrong section. This is the HTML help section.

Next - you shouldn't need to use HTML encoding to put data in the database. I am assuming you are doing this to prevent injection attacks. You don't need to do that - there are other functions made for escaping data for entry into the database. You can use this code:

    function clean_query($string)
    {
        // Prevents duplicate backslashes when magic_quotes_gpc is on
        if (get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }

        // mysql_real_escape_string() needs PHP >= 4.3.0 and an open connection
        if (version_compare(phpversion(), '4.3.0', '>=')) {
            $string = mysql_real_escape_string($string);
        } else {
            $string = mysql_escape_string($string);
        }

        return $string;
    }

It escapes elements like slashes and quotes. You don't need to do anything on the other side when you are taking the data out of the database.
rhodesa Posted January 21, 2009

You need to eval() it. This should work:

    $content = 'This is a <?php echo "hello"; ?> world script';
    eval('?>' . $content);

Obviously this is a HUGE security risk. Only let trusted and knowledgeable people edit what $content is...
mananx Posted January 21, 2009 (Author)

Thanks for the very quick reply.

I am sorry, it's using this function to put data into the database:

    <?php
    if (isset($_POST['save'])) {
        $page_name   = $_REQUEST['show'];
        $description = htmlentities($_POST['elm1']);
        $sql = "UPDATE pages SET description = '" . $description . "' WHERE page_name = '" . $page_name . "'";
        $db->ExecuteQuery($sql);
        header("location:index.php?show=" . $page_name);
        exit();
    }
    ?>

Now what I would want is that whenever it sees any <?php ?> it should execute it as code instead of plain HTML. So should I do this:

    clean_query($description);

before calling $db->ExecuteQuery()?
rhodesa Posted January 21, 2009

Well, the PHP code needs to be processed sometime, but do you want to do that before it goes in the DB? Usually, you would want the PHP run when the page displays what is in the DB.
mananx Posted January 21, 2009 (Author)

Thanks for the reply rhodesa.

I would want pages stored in the database to have URLs generated through PHP, so it'll have to be done before putting data into the database. This is how URLs are generated:

    <a href="<?php echo createurl('http://www.google.com'); ?>">visit google</a>

where the function would return google.com if the session is set; otherwise it'll return the URL of the sign-in page (the function takes care of this). So will clean_query($description); serve the purpose?
rhodesa Posted January 21, 2009

OK...

    <?php
    if (isset($_POST['save'])) {
        $page_name = $_REQUEST['show'];

        // Run the submitted PHP now and capture its output; the '?>' switches
        // eval() out of PHP mode so the surrounding HTML is output verbatim.
        ob_start();
        eval('?>' . $_POST['elm1']);
        $description = ob_get_clean();

        $sql = "UPDATE pages SET description = '" . mysql_real_escape_string($description) . "'"
             . " WHERE page_name = '" . mysql_real_escape_string($page_name) . "'";
        $db->ExecuteQuery($sql);
        header("location:index.php?show=" . $page_name);
        exit();
    }
    ?>

This is a HUGE security vulnerability though (allowing POSTed code to run in eval()). Make sure this page is highly restricted.

edit: for some reason, it is dropping a single quote. There is supposed to be one in the eval before the ?
mananx Posted January 21, 2009 (Author)

Cool, I got that, thanks. One last thing: do I need to change the way my output is being displayed as well?

    <?php echo html_entity_decode($obj->description); ?>

Thanks indeed.
rhodesa Posted January 21, 2009

Yes... there is no need to encode, therefore no need to decode.
mananx Posted January 21, 2009 (Author)

Great. I'm trying to search the net for eval, but am still unable to understand what ?> will do in

    eval('?>' . $_POST['elm1']);

Like, for example, if

    $_POST['elm1'] = '<html><head></head><body><a href="<?php echo createurl(\'http://www.google.com\'); ?>">visit google</a></body></html>';

then what purpose would concatenating '?>' serve?
mananx Posted January 21, 2009 (Author)

http://www.zimmertech.com/tutorials/php/51/evaluate-php-code-from-mysql.php

Found it here, thanks.
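The question mananx asked about the '?>' prefix, and the risk rhodesa flagged in his save handler, can both be seen in a runnable form. The following is an added example written for this thread; it is not code from any of the posters or from the linked tutorial. It assumes a hypothetical createurl() that behaves the way mananx described (return the target when a session is set, otherwise a sign-in URL), treats $_SESSION['user'] as the "logged in" marker, and uses a made-up {{url:...}} placeholder syntax for the eval-free variant. It renders at display time, as rhodesa suggested, rather than at save time.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Assumption: a hypothetical createurl() like the one mananx describes,
// returning the target URL when a session is set, else the sign-in page.

declare(strict_types=1);

function createurl(string $target): string
{
    // Assumption: "logged in" means $_SESSION['user'] is set.
    if (!empty($_SESSION['user'])) {
        return $target;
    }
    return 'signin.php?next=' . rawurlencode($target);
}

// --- 1. What eval('?>' . $content) does -------------------------------------
// eval() starts in PHP mode, so eval('<p>hi</p>') is a parse error.
// Prepending '?>' drops back into "HTML mode": every byte is copied to the
// output until the next <?php tag, exactly like a .php file on disk.
// Consequence: anything inside <?php ... ?> in $content runs as PHP with
// the web server's privileges, so $content must be fully trusted.
function render_with_eval(string $content): string
{
    ob_start();
    eval('?>' . $content);
    return ob_get_clean();
}

// --- 2. Eval-free alternative: a placeholder instead of executable PHP -----
// The editor stores {{url:http://example.com}} and the view layer expands it.
// The stored text is never evaluated, so an attacker who gets into the
// editor (or injects into the pages table) can only choose link targets,
// not execute code on the server.
function render_with_placeholders(string $content): string
{
    return preg_replace_callback(
        '/\{\{url:([^}]+)\}\}/',
        function (array $m): string {
            $target = $m[1];
            // Only http(s) targets, so javascript: links cannot be smuggled in.
            if (!preg_match('#^https?://#i', $target)) {
                $target = '#';
            }
            // The value lands inside an HTML attribute, so escape for that context.
            return htmlspecialchars(createurl($target), ENT_QUOTES, 'UTF-8');
        },
        $content
    );
}

// --- Demo with constructed editor content (not real site data) --------------
$evalContent = 'Visit <a href="<?php echo createurl(\'http://www.google.com\'); ?>">google</a>';
$safeContent = 'Visit <a href="{{url:http://www.google.com}}">google</a>';

$_SESSION = [];                       // logged out: both renderers yield the sign-in link
echo render_with_eval($evalContent), "\n";
echo render_with_placeholders($safeContent), "\n";

$_SESSION['user'] = 'mananx';         // logged in: the link now points at the target
echo render_with_placeholders($safeContent), "\n";
```

Run it from the command line with `php example.php`. Both renderers produce the same markup for the constructed inputs; the difference is that render_with_eval() would also execute any other <?php block an editor user (or anyone who can write to the pages table) puts in the content, while render_with_placeholders() only ever substitutes a checked, escaped URL.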