
Display php results from mysql field?

Posted: Tue Feb 15, 2011 3:16 am
by weismana81
Well, that subject probably made no sense which would explain why I haven't had much luck googling this. I'm working on a dynamic site where each page is a record in a mysql database. My problem is, I would like to create a news interface for the user without having to create a separate news.php file. Is it possible to put php into the "content" field of a record? I'm just trying ... <?php echo "test"; ?> and I can't get that to work.

Any help is much appreciated!!

Re: Display php results from mysql field?

Posted: Tue Feb 15, 2011 5:11 am
by ganesh_dabhade
Describe your problem in detail with an example to get more help...

Re: Display php results from mysql field?

Posted: Tue Feb 15, 2011 10:33 am
by social_experiment
Post some code...

Re: Display php results from mysql field?

Posted: Tue Feb 15, 2011 11:10 am
by pburgh
Sounds like you're trying to put PHP code in a row in your mySQL table. If that's the case, I wouldn't recommend it. :) I'm not sure what you're trying to accomplish, but you're going about it the wrong way (most likely).

Re: Display php results from mysql field?

Posted: Tue Feb 15, 2011 3:07 pm
by weismana81
Well there's two pages. Index.php's main content looks like this.

Code:

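  <div class="center_col">
    <?php
      // Cast to int so the request value cannot change the SQL statement.
      $page_id = isset($_GET['page_id']) ? (int) $_GET['page_id'] : 0;
      // mysql_* was removed in PHP 7; mysqli or PDO prepared statements replace it.
      $result = mysql_query("SELECT * FROM sb_pages WHERE page_id = $page_id");
      while ($row = mysql_fetch_array($result))
      {
        echo $row['page_title'];
        echo "<hr/>";
        echo $row['page_content'];
        echo "<br/><br/>";
        echo $row['page_admin_content'];
      }
    ?>
  </div>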
And update.php has this in it.

Code:

<fieldset><legend><a href="javascript:unhide('AdminContent');">Admin Content (Advanced use only)</a></legend>
<div id="AdminContent" class="hidden">
<textarea style="height: 300px; width: 800px;" name="page_admin_content" id="page_admin_content" cols="45" rows="5"><? echo $row['page_admin_content']; ?></textarea>
</div>
</fieldset>
The thing is, this site is for a church, and it looks like there have been several people working on it over the years and it has become a bit of a monster. I'm trying to switch them over to a dynamic site so they have a little more control over everything. I'm also trying to keep the "back end" as clean and simple as possible so down the road, it's easier for the next developer to understand what's going on. I added the page_admin_content field so a developer (or even an advanced user) could add some advanced elements (i.e. javascript etc..) to a page without making the user's page_content area confusing for the user. I hope that's not completely stupid. This is the first dynamic site I've made and I guess this is just one of those things... I'm not worried about the issues I can predict, I'm worried about the issues I can't predict.

Anyway, now I'm trying to add php in that page_admin_content area. pburgh is right about what I'm trying to do. I guess my question is, why is it not recommended? If it's a security thing, could I ignore that since it's a few people at church that will have access to the admin pages, or is that reckless?

Thanks so much for the replies!!!

Re: Display php results from mysql field?

Posted: Tue Feb 15, 2011 6:26 pm
by social_experiment
weismana81 wrote: Is it possible to put php into the "content" field of a record? I'm just trying ... <?php echo "test"; ?> and I can't get that to work.
That's simple enough, replace the < and > tags with &lt; and &gt; respectively. You can create a custom function or use htmlentities to display the data containing the code.
weismana81 wrote: Anyway, now I'm trying to add php in that page_admin_content area. pburgh is right about what I'm trying to do. I guess my question is, why is it not recommended? If it's a security thing, could I ignore that since it's a few people at church that will have access to the admin pages, or is that reckless?
It's not really NOT recommended but the problem comes in if you don't make sure the php code cannot be parsed. Let's say you have something like your example and the database value hasn't been sanitized, somewhere on your page it will echo "test".

The php code is parsed as php, because the server recognizes the <?php and ?> tags and executes any code in between.

If you sanitize the value from the database, you remove the special meaning that < and > have, and now when the page is displayed the server doesn't see php tags and the 'code' is displayed as 'text'. You could also use <code></code> tags to wrap the value in if the above explanation doesn't make sense.

Re: Display php results from mysql field?

Posted: Tue Feb 15, 2011 10:01 pm
by weismana81
I don't understand exactly how to sanitize the value, but I will look into that.
social_experiment wrote: It's not really NOT recommended but the problem comes in if you don't make sure the php code cannot be parsed. Let's say you have something like your example and the database value hasn't been sanitized, somewhere on your page it will echo "test".
I think this is what I'm going for. I don't want the page to display the code, I want the page to run (or I guess "parse") the code. So if the database value is <?php echo "test"; ?>, I want it to display "test". So maybe it is currently being sanitized and I need to figure out how to keep it from being sanitized...?

Thanks again!

Re: Display php results from mysql field?

Posted: Wed Feb 16, 2011 12:49 am
by social_experiment
weismana81 wrote: I think this is what I'm going for. I don't want the page to display the code, I want the page to run (or I guess "parse") the code. So if the database value is <?php echo "test"; ?>, I want it to display "test". So maybe it is currently being sanitized and I need to figure out how to keep it from being sanitized...?
Is it related to the segment of code below?

Code:

<textarea style="height: 300px; width: 800px;" name="page_admin_content" id="page_admin_content" cols="45" rows="5"><? echo $row['page_admin_content']; ?></textarea>
</div>
If you want to run (yip, run is also correct :) ) it, simply place the code on the page. Unless you have a custom function that does the sanitizing (let's say when you enter the data into the database) there isn't an automatic option that does this for you. Automatically adding slashes and escaping yes, but not sanitizing the code in this manner.

Re: Display php results from mysql field?

Posted: Wed Feb 16, 2011 2:45 am
by weismana81
Well, most of my code seems relatively simple and straightforward, and I don't think I have anything in there that would do that (sanitize that is). Plus, I can get javascript working in this field which leads me to believe that it is working like I'd like it to. I guess I just need to keep digging. Thank you so much for all the help though!! This forum is great!!
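
An added example, not code from any poster in this thread: one way to get dynamic output such as a news list into page_admin_content without executing PHP stored in the database, combining the escaping discussed above with an allow-list of named server-side functions. The [[news]] token syntax, render_news(), render_admin_content() and the sample row are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The token syntax, the helper
// names and the sample row are constructed for illustration.

// A server-side feature that an editor may invoke by name from a stored page.
function render_news(): string
{
    // Constructed sample data; a real site would query its news table here.
    $items = ['Bake sale on Saturday', 'Choir practice moved to 7 pm'];
    $html = '';
    foreach ($items as $item) {
        $html .= '<li>' . htmlspecialchars($item, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return '<ul class="news">' . $html . '</ul>';
}

// Only functions listed here can ever run: the database holds names, not code.
const ALLOWED_TOKENS = ['news' => 'render_news'];

// Escape the stored text so PHP or script tags appear as literal text,
// then swap [[name]] tokens for the output of allow-listed functions.
function render_admin_content(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    $out = preg_replace_callback(
        '/\[\[([a-z_]+)\]\]/',
        function (array $m): string {
            // Unknown tokens stay on the page as plain text and run nothing.
            return array_key_exists($m[1], ALLOWED_TOKENS)
                ? call_user_func(ALLOWED_TOKENS[$m[1]])
                : $m[0];
        },
        $safe
    );
    return $out ?? $safe; // fall back to the escaped text on a regex error
}

// Constructed row standing in for a record from sb_pages.
$row = [
    'page_admin_content' =>
        "Latest news:\n[[news]]\n<?php echo \"test\"; ?>\n[[system]]",
];
echo render_admin_content($row['page_admin_content']);
```

Because the whole field is escaped, this variant no longer passes raw HTML or JavaScript through page_admin_content; any further features would be added as extra entries in ALLOWED_TOKENS.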