work_it_work Posted September 27, 2009 Share Posted September 27, 2009 here's what i want to do... i want to store php code in mysql field and then to select it by a query and execute it in php... $sql = "SELECT thing FROM " . DB_PREFIX . "things WHERE thing_id = ". $item_details['thing_id'] .""; $res = mysql_query($sql) or die(mysql_error()); $lcount = mysql_num_rows($res); $r = mysql_fetch_assoc($res); $thing = $r['thing']; in the db field i want so store something like this : <?=MSG_THING_ALARM;?> when i echo the $thing i must have the code from db executed i need it executed because it's a multi language website, and this row "<?=MSG_THING_ALARM;?>" looks in the language file and returns with the correct translation of the term the language file looks like this define ('MSG_THING_ALARM', 'Alarm'); waiting your suggestions thanks! Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/ Share on other sites More sharing options...
Alex Posted September 27, 2009 Share Posted September 27, 2009 It's possible, although in most cases it's not a good idea and there's an alternative solution. To execute a string as PHP anyway use eval() Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926069 Share on other sites More sharing options...
work_it_work Posted September 27, 2009 Author Share Posted September 27, 2009 why it's not a good idea? and what alternative to use? Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926070 Share on other sites More sharing options...
Alex Posted September 27, 2009 Share Posted September 27, 2009 It's often not a good idea because if just anyone can enter whatever they wish into the database it would be very easy for them to insert something maliciousness that could cause problems. If access to inserting things into the database that will be processed by eval() is limited and not public it would be fine, in that it probably won't cause any problems, just not necessarily a good practice. To give you a suggestion for an alternative I'd probably need to know more information. Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926073 Share on other sites More sharing options...
work_it_work Posted September 27, 2009 Author Share Posted September 27, 2009 i can;t use eval() because i must echo the row since is a loop and prints each $thing... i do understand it can be injected so i'm not going to use it in this case i am thinking to store the $thing names in different tables already translated, since is a 4 language website, and there are only 30 $thing names, there won't be a problem. thanks for your quickly reply! Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926078 Share on other sites More sharing options...
CarbonCopy Posted September 27, 2009 Share Posted September 27, 2009 Sure you can use eval. This works for me. $db_string_here = 'This is text that will be <?=FUNCTION_STUFF_WILL_BE_EXECUTED;?>'; eval('?>' . $db_string_here); This will output the text and execute the php Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926116 Share on other sites More sharing options...
work_it_work Posted September 27, 2009 Author Share Posted September 27, 2009 yep, it's working, thanks for the info! another thing... for example i only want to store "FUNCTION_STUFF_WILL_BE_EXECUTED" or FUNCTION_STUFF_WILL_BE_EXECUTED; in db... is it possible ? Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926121 Share on other sites More sharing options...
CarbonCopy Posted September 28, 2009 Share Posted September 28, 2009 You mean without the <?= and ?> tags? Well you could use preg_match to find all the functions and replace them with the <?= ?> versions. Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926146 Share on other sites More sharing options...
RussellReal Posted September 28, 2009 Share Posted September 28, 2009 if you're gonna use preg_match just create pseudo-variables %{NAME} and then just use str_replace("%{NAME}",$name,$text); and then POW you have inserted dynamic text into static database information without the regex redundancy and evaluating and all the hoopla Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926148 Share on other sites More sharing options...
CarbonCopy Posted September 28, 2009 Share Posted September 28, 2009 That is a good idea. Didn't even think of that Link to comment https://forums.phpfreaks.com/topic/175729-store-php-in-mysql-and-then-execute-it-is-thi-possible/#findComment-926330 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.