store php in mysql and then execute it? is thi possible?

[work_it_work]

here's what i want to do...

i want to store php code in mysql field and then to select it by a query and execute it in php...

 

$sql = "SELECT thing FROM " . DB_PREFIX . "things WHERE thing_id = ". $item_details['thing_id'] ."";
$res = mysql_query($sql) or die(mysql_error());
$lcount = mysql_num_rows($res);
$r = mysql_fetch_assoc($res);
$thing = $r['thing'];

in the db field i want so store something like this :

<?=MSG_THING_ALARM;?>

 

when i echo the $thing i must have the code from db executed

i need it executed because it's a multi language website, and this row "<?=MSG_THING_ALARM;?>" looks in the language file and returns with the correct translation of the term

the language file looks like this

define ('MSG_THING_ALARM', 'Alarm');

 

waiting your suggestions

thanks!

[Alex]

It's possible, although in most cases it's not a good idea and there's an alternative solution. To execute a string as PHP anyway use eval()

[work_it_work]

why it's not a good idea? and what alternative to use?

[Alex]

It's often not a good idea because if just anyone can enter whatever they wish into the database it would be very easy for them to insert something maliciousness that could cause problems.

 

If access to inserting things into the database that will be processed by eval() is limited and not public it would be fine, in that it probably won't cause any problems, just not necessarily a good practice.

 

To give you a suggestion for an alternative I'd probably need to know more information.

[work_it_work]

i can;t use eval() because i must echo the row since is a loop and prints each $thing...

i do understand it can be injected so i'm not going to use it in this case

i am thinking to store the $thing names in different tables already translated, since is a 4 language website, and there are only 30 $thing names, there won't be a problem.

thanks for your quickly reply!

[CarbonCopy]

Sure you can use eval. This works for me.

 

$db_string_here = 'This is text that will be <?=FUNCTION_STUFF_WILL_BE_EXECUTED;?>';
eval('?>' . $db_string_here);

 

This will output the text and execute the php

[work_it_work]

yep, it's working, thanks for the info!

another thing...

for example i only want to store "FUNCTION_STUFF_WILL_BE_EXECUTED" or FUNCTION_STUFF_WILL_BE_EXECUTED; in db...

is it possible ?

[CarbonCopy]

You mean without the <?= and ?> tags? Well you could use preg_match to find all the functions and replace them with the <?= ?> versions.

[RussellReal]

if you're gonna use preg_match just create pseudo-variables %{NAME} and then just use str_replace("%{NAME}",$name,$text); and then POW you have inserted dynamic text into static database information without the regex redundancy and evaluating and all the hoopla

[CarbonCopy]

That is a good idea. Didn't even think of that