Jump to content

php function within html entity decode

mananx

By mananx
in HTML Help

 Share

Recommended Posts

mananx Newbie

mananx

Posted
Posted

Hi ,

 

My site has a backend , the backend stores data through a WYSISYG editor . This editor is using html entity encode function to store any changes in the database through backend .

 

To display the data stored my site uses htmlentitydecode() function by fetching an object from database .

 

I want to include a php function in the site , however when i enter php function through backend , it simply echoes all php code . e.g. <?php echo "hello"; ?>

 

page displaying code is php itself.

 

Any way to get around this problem ?

 

Thanks

Link to comment
https://forums.phpfreaks.com/topic/141762-php-function-within-html-entity-decode/
Share on other sites
haku Regular Member

haku

Posted
Posted

First off - you posted this in the wrong section. This is the HTML help section.

 

Next - you shouldn't need to use html encode to put data in the database. I am assuming you are doing this to prevent injection attacks. You don't need to do that - there other functions made for escaping data for entry into the database.

 

You can use this code:

 

function clean_query($string)
{
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
	$string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
	$string = mysql_real_escape_string($string);
  }
  else
  {
	$string = mysql_escape_string($string);
  }
  return $string;
}

 

It escapes elements like slashes and quotes. You don't need to do anything on the other side when you are taking the data out of the database.

rhodesa Newbie

rhodesa

Posted
Posted

you need to eval() it, this should work:

$content = 'This is a <?php echo "hello"; ?> world script';
eval('?>'.$content);

 

obviously this is a HUGE security risk. only let trust and knowledgeable people edit what $content is...

mananx Newbie

mananx

Posted
  • Author
Posted

Thanks for very quick reply..

 

I am sorry , it's using this function to put data into database .

 

if(isset($_POST['save']))

{

$page_name=$_REQUEST['show'];

$description=htmlentities( $_POST['elm1']);

$sql="UPDATE  pages SET description = '".$description."' WHERE page_name = '".$page_name."'";

 

$db->ExecuteQuery($sql);

header("location:index.php?show=".$page_name);

exit();

 

}

?>

 

Now what I would want is , that whenever it sees any <?php  ?> it should execute it as a code instead of html plain.

 

so should i do this ? clean_query($description) ; before calling db > executequery ?

 

mananx Newbie

mananx

Posted
  • Author
Posted

thanks for the reply rhodesa

 

I would want pages stored in database to have urls generated through php . So it'll have to be  done before putting data into database .

 

this is how urls are generated :

<a href = "<? php createurl(www.google.com); ?>" > visit google < /a >

 

where function would return google.com if session is set , otherwise it'll return url to  sign in page ( function takes care of this ) .

 

so will clean_query($description) ; serve the purpose ? 

rhodesa Newbie

rhodesa

Posted
Posted

ok...

 

<?php
if(isset($_POST['save']))
{
  $page_name = $_REQUEST['show'];
  ob_start();
  eval('?>'.$_POST['elm1']);
  $description = ob_get_clean();
  $sql="UPDATE  pages SET description = '".mysql_real_escape_string($description)."' WHERE page_name = '".mysql_real_escape_string($page_name)."'";
  $db->ExecuteQuery($sql);
  header("location:index.php?show=".$page_name);
  exit();
}         
?>

 

this is a HUGE security vulnerability though (allowing POSTed code to run in eval()). make sure this page is highly restricted

 

edit: for some reason, it is dropping a single quote. there is supposed to be one in the eval before the ?

mananx Newbie

mananx

Posted
  • Author
Posted

great

 

i  m trying to search through net for eval , but am still unable to understant what will ?> do

 

eval(?>'.$_POST['elm1']);

 

like for example

 

$_POST['eml'] = <html><head></head><body><a href = "<? php createurl(www.google.com); ?>" > visit google < /a > </body></html>

 

then what purpose would concatenating '?>' do ..

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.