custom php in cms

[Royalmike]

I am currently building my own cms and I need some advice.

 

What would be the best way to implement the abilty for users to add custom php scripts to some of the pages in the cms?

 

When I first started this cms I was just storing all the custom php written by the user in the database and then just eval()'ing it out to display it. Then I came up with a new idea because I thought that storing large amounts of php in a database was a bad idea.

 

When the user creates the page, they choose if that page is going to have custom php on it or not. If it is, then when they add the content it gets saved to a physical file on the server. Then when displaying the page, the contents of the file is loaded instead of pulling from the database.

 

Which way is better or does anyone else have any other ideas how to implement this feature?

[xyph]

Allowing users to upload PHP is insanely dangerous.

 

Pretty much any sort of user-defined call to eval() is.

 

That aside, I'd use the flat file method. Store the php files outside of the web root, so it can't be accessed directly. This allows you to include() rather than eval().