Dynamic variables with dynamic values
Posted: Tue Sep 20, 2005 11:48 am
by rulonaes
Hi,
New on this forum and trying to make a php app.
I am trying to build functions using variables coming from a database and having values also coming from a database.
For defines I have it up and running but for variables I have not ...
I am retrieving 2 fields from database to be variable_name and variable_value
I would like to have something like
$var->$variable_name = $variable_value
this runs fine but I have a variable_value in the database having: date('Y-m-d H:i:s') and this is returned as a string however I would like to have the executed version to be for example 2005-09-20 06:44:10. I tried using eval but no luck so far. Can this be done? Do I miss some simple thing here? I am working with php for a while but still in beginner phase I guess.
Any help appreciated,
Ruud
Posted: Tue Sep 20, 2005 12:12 pm
by feyd
if you want to get the result from eval() you need to tell it to return..
Code:
$something = 'date("Y-m-d");';
$result = eval('return '.$something);
however, using eval() is highly recommended to not be done. it's too easy to have coding errors, and security risks...
Posted: Tue Sep 20, 2005 12:27 pm
by rulonaes
It's like I said, missing something simple
It did what I wanted thanks ...
But if it is not recommended can I do this in another way? Your reply did what I needed!
Posted: Tue Sep 20, 2005 12:30 pm
by John Cartwright
I would store Y-m-d H:i:s in the database instead of it along with the date function..
so you would be able to do
Code:
$date = date($row[$dateformat],time());
Posted: Tue Sep 20, 2005 12:55 pm
by rulonaes
In my case it is not knowing what is in the database. I just have a database having variable_name and variable_value and together they do something in this case for example
$var->$db_var_name = $db_var_value could become
$var->date_added = date('Y-m-d') ; but it could also become
$var->date_name = 'db_field_name' ;
in this db_var_name is coming from the database and db_var_value also. Hence I do not know what is in the variable_value. It could be a number, string or function call. The provided solution worked for all 3 cases.
My question now is this works, but if EVAL is not recommended what is the code to do the same not having the risk EVAL has!
Posted: Tue Sep 20, 2005 1:22 pm
by John Cartwright
Eval has its purpose, and this seems to work for it but you should design your application so you're not calling blind variables.
I don't see why you should not know whether it's a function call or a variable..
Posted: Tue Sep 20, 2005 1:59 pm
by rulonaes
I am writing sort of an application in which users can make up their own functions easy, defining variables easy without knowledge of programming .. so far I am pretty good on the way ... flexibility on database, tables, columns, language etc ... so the part bugging me this moment was the function part ...
In this case I need the "blind" variables because I do not know what user is building!
Posted: Tue Sep 20, 2005 2:17 pm
by John Cartwright
This is going to be a huge risk on your part... you're going to have to sanitize their input as well as disable several PHP commands, such as system or they will literally be able to compromise your server.
Posted: Tue Sep 20, 2005 3:57 pm
by feyd
I'd suggest using the built-in tokenizer for php to parse their code before-hand, sanitizing it along the way... but even then, as Jcart said, it's a huge risk allowing such "flexibility"
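Added example, not written by any poster in this thread: one way to get the number / string / function-call behaviour asked about without eval(), by tokenizing the stored value as suggested above and only ever calling names on an allowlist. The names resolve_value, literal_value and ALLOWED_CALLS and the sample rows are assumptions made for illustration; it needs PHP 7.1+ with the tokenizer extension.

```php
<?php
// Hypothetical allowlist; never add functions taking callbacks, paths or commands.
const ALLOWED_CALLS = ['date', 'time', 'strtoupper'];

function literal_value(array $tok)
{
    [$id, $text] = $tok;
    $isNum = ($id === T_LNUMBER || $id === T_DNUMBER);
    if ($isNum && preg_match('/^(0|[1-9]\d*)(\.\d+)?$/', $text)) return $text + 0;
    // Quoted string with no escapes or interpolation: strip the quotes.
    if ($id === T_CONSTANT_ENCAPSED_STRING && strpos($text, '\\') === false) return substr($text, 1, -1);
    throw new InvalidArgumentException('not a plain literal');
}

function resolve_value(string $raw)
{
    $toks = [];
    foreach (array_slice(token_get_all('<?php ' . $raw), 1) as $t) {
        if (!is_array($t)) $t = [0, $t];        // one-char tokens: ( , ) ;
        if ($t[0] !== T_WHITESPACE) $toks[] = $t;
    }
    if ($toks && end($toks)[1] === ';') array_pop($toks);   // optional trailing ;
    if (count($toks) === 1) return literal_value($toks[0]); // number or string
    if (count($toks) < 3) throw new InvalidArgumentException('not a value or call');
    // Anything else must be exactly: allowed_name ( literal [, literal]... )
    $name = strtolower($toks[0][1]);
    $inner = array_slice($toks, 2, -1);
    if ($toks[0][0] !== T_STRING || !in_array($name, ALLOWED_CALLS, true)
        || $toks[1][1] !== '(' || end($toks)[1] !== ')'
        || ($inner && count($inner) % 2 === 0)) {
        throw new InvalidArgumentException("call not allowed: $raw");
    }
    $args = [];
    foreach ($inner as $i => $t) {
        if ($i % 2 === 1 && $t[1] !== ',') throw new InvalidArgumentException('bad argument list');
        if ($i % 2 === 0) $args[] = literal_value($t);
    }
    return call_user_func_array($name, $args);  // the string is never executed as code
}

// Constructed rows standing in for variable_name / variable_value.
$rows = ['date_added' => "date('Y-m-d H:i:s')", 'date_name' => "'db_field_name'",
         'limit' => '25', 'blocked' => "system('ls')"];
$var = new stdClass();
foreach ($rows as $name => $value) {
    try { $var->$name = resolve_value($value); }
    catch (InvalidArgumentException $e) { echo "rejected $name\n"; }
}
var_dump($var);
```

Nested calls, variables, operators and comments all fail the shape check, so the only code that can run is a function named in the allowlist with literal arguments.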