penguin0 Posted May 31, 2007

I am having a problem sending a small php code through a mysql database. I am trying a simple echo command like <? echo "$usersname"; ?> inside of the html that is saved in my database. I call the content for each page like this:

```php
<?
$result = mysql_query( "SELECT content FROM pages WHERE number = 1" );
$num_rows = mysql_num_rows( $result );
while ( $a_row = mysql_fetch_row( $result ) ) {
    foreach ( $a_row as $field )
        print "$field";
}
?>
```

and above that I call all the users info like this:

```php
$result = mysql_query( "SELECT * FROM users WHERE session = '$userssession'" );
$num_rows = mysql_num_rows( $result );
while ( $a_row = mysql_fetch_array( $result ) ) {
    $usersid = $a_row['id'];
    $usersname = $a_row['name'];
    $usersposition = $a_row['position'];
    $usersusername = $a_row['username'];
    $usersemail = $a_row['email'];
    $userscreated = $a_row['created'];
    $usersidle = $a_row['idle'];
    $online = $a_row['online'];
    $admin = $a_row['admin'];
    $pageman = $a_row['pageman'];
    $userman = $a_row['userman'];
    $rateman = $a_row['rateman'];
    $menuman = $a_row['menuman'];
    $users = $a_row['users'];
}
```

Is there something wrong with how I call the html ($content) or can this not be done? When I hard code this <? echo "$usersname"; ?> into a php page it works.

per1os Posted May 31, 2007

www.php.net/eval

Be careful with that though, it can be dangerous.

penguin0 Posted June 1, 2007 (Author)

Is there a way to make it more secure? This will only be used for people with page admin permissions, after they log in.

per1os Posted June 1, 2007

Not that I know of. It is hard to filter out "dangerous" code due to the fact that anyone can really exploit the code; say an admin gets mad at you, he just has to write one that runs a query to delete all the databases etc. Or he runs one that uses the eval after fetching a script from the web that installs or something like that.

Just not good practice using that eval. Very very dangerous.

Now you could set up a system that does not allow that code to be run unless reviewed by you. And also set it up to filter out mysql_query's and eval statements and include statements. But yea.

penguin0 Posted June 1, 2007 (Author)

ok, I did this:

```php
$sql = "SELECT content FROM pages WHERE number = 1";
$result = mysql_query($sql, $link) or die(mysql_error());
while ( $row = mysql_fetch_array( $result ) ) {
    $pname = $row['name'];
    $content = $row['content'];
}
eval("$content = \"$content';\");
echo $content;
```

well I am getting this error:

```
Parse error: syntax error, unexpected '<' in path/to/index.php(12) : eval()'d code on line 1
```

that is coming from the html I store in the db under $content

per1os Posted June 1, 2007

```php
eval("$content = \"$content\";\");
```

penguin0 Posted June 1, 2007 (Author)

Actually what I used was

```php
eval("$content = \"$content\";");
```

and I still get the error. $content is HTML so there will be < and > in the tags, is that causing the problem?

per1os Posted June 1, 2007

```php
eval('$content = \"' . $content . '\";');
```

Try that.

penguin0 Posted June 1, 2007 (Author)

now I get:

```
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in path/to/romac/index.php(12) : eval()'d code on line 1
Parse error: syntax error, unexpected T_STRING in path/to/domains/translucent-ro.com/public_html/romac/index.php(12) : eval()'d code on line 1
```

per1os Posted June 1, 2007

```php
eval('$content = "' . $content . '";');
```

forgot with ' you do not need to escape "

penguin0 Posted June 1, 2007 (Author)

```
Parse error: syntax error, unexpected T_STRING in /path/to/index.php(12) : eval()'d code on line 1
```

per1os Posted June 1, 2007

What does $content contain?

penguin0 Posted June 1, 2007 (Author)

It's just HTML content, like tds, trs, and lots of "".

per1os Posted June 1, 2007

try this:

```php
eval('$content = "' . addslashes($content) . '";');
```

To escape the lots of " "

penguin0 Posted June 1, 2007 (Author)

Ok that got rid of the error, but the php won't work.

To display the page:

```php
$sql = "SELECT content, name FROM pages WHERE number = 1";
$result = mysql_query($sql, $link) or die(mysql_error());
while ( $row = mysql_fetch_array( $result ) ) {
    $pname = $row['name'];
    $content = $row['content'];
}
eval('$content = "' . addslashes($content) . '";');
echo $content;
```

The php I want to eval:

```php
<? echo "$pname"; ?>
```

per1os Posted June 1, 2007

I do not think eval's scope reaches out to the page running the eval. I.e. if $pname is in $content you should probably do something like this:

```php
<?php
$sql = "SELECT content,name FROM pages WHERE number = 1";
$result = mysql_query($sql, $link) or die(mysql_error());
while ( $row = mysql_fetch_array( $result ) ) {
    $pname = $row['name'];
    $content = $row['content'];
    $content = str_replace('$pname', $pname, $content);
}
eval('$content = "' . addslashes($content) . '";');
echo $content;
?>
```

The code executed inside the eval is like doing it inside a function; inside the function all that is known to it are what has been defined in that scope. I am not 100% sure that is why, but I am pretty sure. $pname was not defined in $content, therefore it would just print nothing to the screen.

penguin0 Posted June 1, 2007 (Author)

The only problem doing it that way is, I wanted any php in $content to print, so I could have some variables (not many) come through with the html, so everything is not hard coded.

penguin0 Posted June 1, 2007 (Author)

I actually did that and it won't print:

```php
$sql = "SELECT content, name FROM pages WHERE number = 1";
$result = mysql_query($sql, $link) or die(mysql_error());
while ( $row = mysql_fetch_array( $result ) ) {
    $pname = $row['name'];
    $content = $row['content'];
    $content = str_replace('$pname', $pname, $content);
}
eval('$content = "' . addslashes($content) . '";');
echo $content;
```

per1os Posted June 1, 2007

Dunno man, I never worked with eval too much. The best I can do is say read the user comments at www.php.net/eval. Other than that it's like I said before, you are probably better off not using it and finding a different way.
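
One "different way" of the kind per1os recommends, as an added example that is not code from either poster: the stored HTML carries named placeholders that are filled from an allowlist, so nothing read from the database is ever passed to eval(). The `{{name}}` token syntax, the `render_page()` function and the sample row are assumptions made for illustration.

```php
<?php
// Added example: fill allowlisted placeholders in stored HTML instead of eval().
// render_page() and the {{token}} syntax are hypothetical, not from the thread.

/**
 * Replace {{key}} tokens in $template with HTML-escaped values from $vars.
 * Tokens that are not in $vars stay in the output as literal text.
 * No part of $template is ever executed as PHP.
 */
function render_page(string $template, array $vars): string
{
    $out = preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        function (array $m) use ($vars): string {
            $key = strtolower($m[1]);
            if (!array_key_exists($key, $vars)) {
                // Unknown token: emit it unchanged so the author can spot the typo.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // Escape the value so user-controlled data (a user name) cannot inject markup.
            return htmlspecialchars((string) $vars[$key], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
    return $out ?? ''; // preg_replace_callback() returns null on a regex engine error
}

// Constructed sample standing in for pages.content. The embedded PHP tag shows
// what happens to code saved in the row: it is sent to the browser as inert text.
$content = '<table><tr><td class="title">{{pname}}</td></tr>'
         . '<tr><td>Welcome, {{usersname}}. <?php echo "$admin"; ?> {{admin}}</td></tr></table>';

// Only the values listed here are reachable from stored pages. Flags such as
// $admin or $pageman are deliberately left out, so {{admin}} resolves to nothing.
$vars = [
    'pname'     => 'Home <Main>',   // constructed value containing markup characters
    'usersname' => 'penguin0',
];

echo render_page($content, $vars), "\n";
```

The stored HTML itself is still emitted as-is, so whoever holds page admin permission can place arbitrary markup and script in a page; the change removes server-side code execution and database access from what that role can do.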