How to display PHP code from database to a webpage?
I have created a website whose content is stored in a MySQL database table. In the content field, I stored some PHP code. The question is, how do I get this code from the database to execute when the page is loaded? Currently what happens is that the actual code is displayed instead of the result when I echo the content field name from the database table.
-
Charles256
- DevNet Resident
- Posts: 1375
- Joined: Fri Sep 16, 2005 9:06 pm
Thank you for all your suggestions. I just found out that I received some errors... and after reading this thread again, I realized that the reason I got the error is because I mixed HTML and PHP code in the same field. In addition, I should have the <?php and ?> in the field too, correct? So my best bet is to use include, correct? And when dumping into a file and using include, you are referring to doing this on the fly, right? How do I dump the data into a file on the fly?
Any PHP code can be run in the eval() statement.
So if Timmy Naughty-Cracker figures out a way to pass his own stuff to your page with eval() on it, all he has to send is
Code:
<?php
echo $database_username." ".$database_password;
if ($handle = fopen($filename, 'a')) {
fwrite($handle, $naughtyphp);
}
?>
and he's off
Okay, here's what I have my eval set up as:
Code:
if($row_rsMnuPic['php_mnu'] != NULL){
$phpCode = $row_rsMnuPic['php_mnu'];
eval($phpCode);
}
And currently the drive is not set up to have any write permission. Is this still vulnerable, since the eval is set up to read only data from the database and not a file? In addition, how does Timmy Naughty-Cracker pass his stuff into my page?
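An added example, not code from any poster in this thread: eval() runs whatever the php_mnu column holds, so anyone who can write to that column can run PHP. One way to avoid that is to store plain text with named placeholders and let the page map those names to a fixed allowlist of functions. The function name, the `{{name}}` token syntax, the widget names and the sample rows are all assumptions made for illustration.

```php
<?php
// Added example. render_stored_content(), $widgets and the {{token}}
// syntax are hypothetical names, not part of the original site.

// Allowlist: the only server-side behaviour a stored row may trigger.
$widgets = [
    'year' => fn(): string => date('Y'),
    'menu' => fn(): string => '<ul><li><a href="/">Home</a></li></ul>',
];

/**
 * Render content from the database without eval().
 * Literal text is HTML-escaped; a {{name}} token is replaced only when
 * "name" is a key in the allowlist. Everything else stays inert text.
 */
function render_stored_content(string $stored, array $widgets): string
{
    // With one capture group and PREG_SPLIT_DELIM_CAPTURE the result
    // alternates: literal text, token name, literal text, ...
    $parts = preg_split('/\{\{([a-z_]+)\}\}/', $stored, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            // Odd index: a captured token name. Unknown names are not run.
            $out .= isset($widgets[$part])
                ? $widgets[$part]()
                : htmlspecialchars('{{' . $part . '}}', ENT_QUOTES, 'UTF-8');
        } else {
            // Even index: literal text from the database, never executed.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        }
    }
    return $out;
}

// Constructed sample rows: a normal one, and one carrying PHP source
// plus a token that is not in the allowlist.
$rows = [
    'Copyright {{year}} {{menu}}',
    '<?php echo $database_password; ?> {{system}}',
];
foreach ($rows as $row) {
    echo render_stored_content($row, $widgets), PHP_EOL;
}
```

The second row is printed as escaped text rather than executed, which is the property eval($phpCode) cannot give. If stored rows must carry HTML markup, the escaping of literal text would need to be replaced by an HTML sanitiser rather than removed.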