I have broken this down step by step....

<?php
$col_keys = mysql_query("SELECT * FROM $mysqltbl");
while($csv_keys = mysql_fetch_field($col_keys)) {
    if ($_POST["$csv_keys->name"] > ""){
        $keys .= "'\$data[".($_POST["$csv_keys->name"])."]', ";
    } else {
        $keys .= "";
    }
}
?>

 

The result of the above code if you include a print "$keys";

'$data[0]', '$data[1]', '$data[2]', '$data[3]', '$data[4]', '$data[8]', '$data[5]', '$data[6]', '$data[7]',

 

Now if I include the above code with another while loop...

<?php
$col_keys = mysql_query("SELECT * FROM $mysqltbl");
while($csv_keys = mysql_fetch_field($col_keys)) {
    if ($_POST["$csv_keys->name"] > ""){
        $keys .= "'\$data[".($_POST["$csv_keys->name"])."]', ";
    } else {
        $keys .= "";
    }
}
$feed = fopen($CSV_File, 'r');
while ($data = fgetcsv ($feed, 10000, ",")) {
    eval("\$keys = \"$keys\";");
    mysql_query("INSERT INTO $mysqltbl (
    $cols temp
    ) VALUES (
    $keys 'temp'
    )");
}
?>

 

If I leave the code the way it is it only inserts the first row of the CSV file -- for each record (20 times)

If I replace $keys with the actual data I want...

"'$data[0]', '$data[1]', '$data[2]', '$data[3]', '$data[4]', '$data[8]', '$data[5]', '$data[6]', '$data[7]',  "

 

It works fine...

 

But:::

The Correct Data (('$data[0]', '$data[1]', '$data[2]', '$data[3]', '$data[4]', '$data[8]', '$data[5]', '$data[6]', '$data[7]',  ))

 

Is the result of $keys... so what is the difference...??

 

Does it have to do with the eval("\$keys = \"$keys\";");

 


Yes..  what I am trying to do is grab the CSV column numbers ie. "$data[?]"

And map them to the MySQL Columns...

 

It is pretty messy...  but I don't really know much about PHP... or any other language for that matter.. other than plain English..  LOL

 

It will work though as long as I can get the $keys correct....

what baffles me is this:::

 

If I replace $keys with this:::

'$data[0]', '$data[1]', '$data[2]', '$data[3]', '$data[4]', '$data[8]', '$data[5]', '$data[6]', '$data[7]',

It loops through each record of the CSV file and does the WHILE LOOP fine...

 

But with just $keys.. it loops through the CSV file and only inserts the first row for each record...

 

The eval($keys) thing shouldn't mess up the while loop should it...?

What about something like this?

<?php
$col_keys = mysql_query("SELECT * FROM $mysqltbl");
$key = array();
$values = array();
while($csv_keys = mysql_fetch_field($col_keys))
{
    if ($_POST["$csv_keys->name"] > "")
    {
        $key[] = $_POST["$csv_keys->name"];
    }
}
$keys = implode(",",$key);
$feed = fopen($CSV_File, 'r');
while ($data = fgetcsv ($feed, 10000, ","))
{
    $values = implode(",",$data);
    mysql_query("INSERT INTO $mysqltbl (
    $keys, temp
    ) VALUES (
    $values, 'temp'
    )");
}
?>

 

 

How is eval() a security risk..?

 

;D Not being a smarty pants..  just curious...

 

Well, you're allowing any smarty pants to execute anything they want on your system. Just think, they can unlink any file, for example.

 

 

Eval by its nature is always going to be a security concern. You're taking a string from an external source and bringing it into your PHP script; you can think of attacks of this nature as being equivalent to SQL injection, though they can generally cause a lot more damage ($GLOBALS generally contains your DB password and PHP has lots of filesystem functions). Now, proper escaping and data cleaning should mitigate these risks, but it's easier to just avoid them whenever possible.

Well, you're allowing any smarty pants to execute anything they want on your system. Just think, they can unlink any file, for example.

 

Always something you have to worry about...

 

 

Thanks for the example I'll go try that and let you know...

 

 

redarrow - thanks for the info..  I'll try to avoid using eval() at all.

 

MadTechie...

Nope that didn't work either...

 

 

It looks like I'll just have to start over tomorrow and see if I can clean this whole thing up and come up with a better way of doing it.

I have seen working examples of what I am "trying" to do so I know it's possible... just don't know how to do it properly yet...

Just lernin..  lol........
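
A way to do the CSV-to-column mapping from this thread without eval(), added here as an example and not code from any poster. It assumes PDO with an in-memory SQLite table named items and a constructed $map array in place of $_POST; column names are checked against a fixed list and row values are bound as statement parameters.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite table "items"; $map is a constructed stand-in for the posted form.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (sku TEXT, title TEXT, price TEXT)');

$table   = 'items';                    // fixed in the script, never user input
$allowed = ['sku', 'title', 'price'];  // the only column names accepted

// Constructed form data: table column => CSV column number.
$map = ['sku' => '0', 'title' => '2', 'price' => '1', 'not_a_column' => '9'];

// Keep only known column names paired with purely numeric indexes.
$cols = [];
foreach ($map as $col => $idx) {
    if (in_array($col, $allowed, true) && ctype_digit((string) $idx)) {
        $cols[$col] = (int) $idx;
    }
}

// Build the INSERT once; row values are bound as parameters, not spliced in.
$stmt = $pdo->prepare(sprintf(
    'INSERT INTO %s (%s) VALUES (%s)',
    $table,
    implode(', ', array_keys($cols)),
    implode(', ', array_fill(0, count($cols), '?'))
));

// Constructed CSV; the second row carries quotes and a literal "$data[0]".
$feed = fopen('php://memory', 'w+');
fwrite($feed, implode("\n", [
    'A1,9.99,Widget',
    'B2,4.50,"O\'Reilly ""deluxe"" $data[0]"',
]) . "\n");
rewind($feed);

while (($data = fgetcsv($feed, 10000, ',', '"', '\\')) !== false) {
    $row = [];
    foreach ($cols as $idx) {
        $row[] = $data[$idx] ?? null;  // read from the current row every pass
    }
    $stmt->execute($row);
}
fclose($feed);

print_r($pdo->query('SELECT sku, title, price FROM items')->fetchAll(PDO::FETCH_ASSOC));
```

With MySQL, only the PDO DSN and credentials change; the allowlist check and the bound parameters stay the same.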
