Inserting php in a mysql table?

[drisate]

I was wandering if it's possible to insert php code into a mysql table and retreave it later to execute it ...

[suttercain]

yes

[drisate]

Really ... intresting. I am making a header foother add-on for my board and this couls be great :-)

so how would you do it?

 

i have the <textarea name=\"header\" rows=\"28\" cols=\"74\">".htmlspecialchars_decode($header)."</textarea>

 

iserted into

 

$hf=mysql_query("UPDATE $dbprefix"."_header_foother SET header='".htmlspecialchars($_POST['header'])."', foother='".htmlspecialchars($_POST['foother'])."'", $db) or die ('OUPS >.< : '.mysql_error());

 

and to retreave it i use

 

if (!function_exists("htmlspecialchars_decode")) {

    function htmlspecialchars_decode($string, $quote_style = ENT_COMPAT) {

        return strtr($string, array_flip(get_html_translation_table(HTML_SPECIALCHARS, $quote_style)));

    }

}

 

$hf=mysql_query("SELECT * FROM $dbprefix"."_header_foother", $db);

while ($hf_info=mysql_fetch_array($hf)){

$header_info = htmlspecialchars_decode($hf_info['header']);

}

 

if(stristr($_SERVER[php_SELF].$_SERVER[QUERY_STRING], '/fr/') === FALSE) {$lang="EN";}else{$lang="FR";}

 

if ($style[name]=="gray/blue"){$style[name]="gray-blue";}

$styled_logo = "flash/vbb_logo_".$style['name'].".swf";

 

$header_info = str_replace("[FLASH-LOGO]", $swf, $header_info);

echo $header_info;

 

How can you insert php with out having it executed in plain text?

[suttercain]

See eval()

 

http://us3.php.net/manual/en/function.eval.php

[aschk]

My advice is not to go down this road.

Code belongs in files.

Data/information belongs in databases.

[drisate]

I don't think i can adapt eval for this anyway ...

eval seams to work only when you know the data

 

$string = 'cup';

$name = 'coffee';

$str = 'This is a $string with my $name in it.';

echo $str. "\n";

eval("\$str = \"$str\";");

echo $str. "\n";

 

but in this case i have no idea what they can type ...

[ php ]include("whatever.php");[ /php ]