Database and php question

[11Tami]

Hello, can php code execute in a database before it appears on a page?

For example the following code usually shows the current time. If this gets pulled from the database with query select and a timer will the current date appear still? I can't test it I'm away from a database for awhile. Please let me know, thank you very much.

 

<?php

$string = "echo date('h:i:s');";

eval($string);

?>

[mmarif4u]

U want to appear two different things, Yes its possible if i am getting u right.

 

but u have to change the variable names.

[chronister]

From the PHP manual page on eval();

Evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution.

 

 

So I would say the answer is yes

[benjaminbeazy]

be very careful with this...

[neel_basu]

using eval() has some security Risks .

[11Tami]

Thanks, I went over to my girlfriends house who has a my sql server database and tried putting php in a database to see what would happen.

I pulled it back out on the page with a select query. Normally working php that works when you put it on a regular php page, and nothing happened. Even though the code is exactly the same and looks exactly the same in the source code nothing happened at all. I even tried clicking on refresh to see if that would launch or update the php. Nothing still happened. I tried several different working php codes. So does anyone know of a way that php works coming from a database? I'm trying to understand this better because I thought I read in several places where individuals where using php in their database fields. Please let me know, thank  you.

[chronister]

I tested it and it works just fine, with the exception of some spacing issues.

 

Here is the sql dump for the test table I made.

 

CREATE TABLE `test` (
  `id` int(2) NOT NULL auto_increment,
  `code` varchar(255) collate latin1_general_ci default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci AUTO_INCREMENT=3 ;

INSERT INTO `test` (`id`, `code`) VALUES 
(1, 'echo ''Hello'';'),
(2, '$r=array(''blue'',''green'',''red'',''yellow'',''fuschia''); print_r($r);');

 

Here is the code I used to get the results.

<?php
connectdb();
$q="SELECT * FROM test";
$result=mysql_query($q);

	while($row=mysql_fetch_object($result))
	{
		eval($row->code);

	?><br /><br /> <!--This was necessry to force a space between the items. --><?php 
	}
?>

 

 

Here is the output, I had to wrap it in code tags to preserve key 0 in the array as it was showing up as o

Hello

Array ( [0] => blue [1] => green [2] => red [3] => yellow [4] => fuschia ) 

 

[11Tami]

I'm not sure what that is. I was trying to see if we can pull php from a database and have it still work.

 

So outside of a my sql server database this works fine. But pulled from a database field it no longer works.

<?php

$string = "echo date('h:i:s');";

eval($string);

?>

 

Wanted to know if normally working php code can also work when coming from a database?

 

[chronister]

Are you storing the

<?php ?>

tags with it? I have found that this does not work.

 

I believe you have to use eval() with the data pulled from the database. Look at my example. I am using eval with $row->code and I am storing the code as

$variable="some value";

 

I may be wrong, but it don't look like your using eval() correctly.

 

 

[11Tami]

I appreciate the help, yes I was including the php tags with it, I'll try it without. Regarding the eval, looks like your using eval outside of the database? But you think eval is needed in order for the php to code properly? Thanks.

[chronister]

If you use the

<?php ?>

tags inside the database, you end up with

<?php 
some code here
some more code here
<?php
   code pulled from database
   some more code from database
?>

more code 
more code

?>

 

As you can imagine, This will not work.

 

 

Yes, you have to use eval() outside of the database.

 

It is to be used on the code your pulling from the database. In my test code I posted earlier, when I did not use eval, the code itself was printed on screen the exact way it was pulled from the database.

 

Instead of the echo 'Hello'; code actually printing the word Hello on the screen it printed

echo 'Hello';

 

Same with the array. Without eval() it printed

 

$r=array('blue','green','red','yellow','fuschia'); print_r($r);

 

on the screen rather than

Array ( [0] => blue [1] => green [2] => red [3] => yellow [4] => fuschia ) 

 

 

It was not until I used eval on the data I extracted from the db that it parsed the code and echo'd what it was supposed to. Without eval, the code is displayed as code, and with eval, it is parsed as PHP

[11Tami]

Great help~! Thanks a lot, seems everything new we try has some certain trick to it to get it to work. At least now I'll know what to try. Thanks for the great explanations that make a lot of sense.