executing PHP within user-supplied content

[moagrius]

i'm creating a small app for someone who wants to control the content of each page from a DB.

 

effectively it'd be a template file with header, footer, etc all pre-built, and the content area supplied from a TEXT field in a MySQL table - basically the same idea wordpress uses.

 

this is all fine, but a couple pages would require some php - e.g., a list of events or users or articles, whatever, that are managed in different tables.

 

i can do this with eval - something like:

 

function render_content($string) {
ob_start();
eval("?>$string<?php ");
$returns = ob_get_contents();
ob_end_clean();
return $returns;
}

 

but i wonder if there's a better way.  i can probably limit whatever code needs to be executed in include files, so i thought maybe include some arbitrary tag and use regexp to parse it out...  maybe modeled after a conditional comment, e.g.,

 

<!--[include]some-file.inc.php-->
// or even...
<include>some-file.inc.php</include>

 

but, again, not thrilled with the approach, and wondered if anyone had a better idea.

 

i should probably mention that it's not going to be a "content or include" setup - it probably won't be one or the other, exclusively, and is likely to be a mix on those pages that require it - the php might need to appear before, after, or in the middle of whatever arbitrary markup the user happens to supply, e.g.

 

<h1>This is a list of stuff</h1>
<p>Some explanation lorem ipsum dolor sit ahmet.</p>
<?php include('some-file.inc.php'); ?>
<em>But this caveat applies to the above list.</em>
<div>
  Something totally unrelated.
  <img src="pic.jpg" />
</div>

 

not sure I explained that very well, but hopefully the concept comes across.

 

TYIA