How to display PHP code from database to a webpage?

ljCharlie
Forum Contributor
Posts: 289
Joined: Wed May 19, 2004 8:23 am

How to display PHP code from database to a webpage?

Post by ljCharlie »

I have created a website whose content is stored in a MySQL database table. In the content field, I stored some PHP code. The question is, how do I get this code from the database to execute when the page is loaded? Currently what happens is that the actual code is displayed instead of the result when I echo the content field name from the database table.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

look to the eval function in the php manual:)
ljCharlie
Forum Contributor
Posts: 289
Joined: Wed May 19, 2004 8:23 am

Post by ljCharlie »

Thank you so much. That is very helpful. I'll take a look and see what happens.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

no problem. do realize you can't eval html and php code from the same field..makes PHP hate you.. :-D
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

There is probably a way to do this already, but I have just had a thought.. take the value from the DB, dump into a file, then include() the file.

Though like I say, there is probably a function that includes a variable in the same way include() includes files.
jwalsh
Forum Contributor
Posts: 202
Joined: Sat Jan 03, 2004 4:55 pm
Location: Cleveland, OH

Post by jwalsh »

No one has mentioned this yet, but be VERY CAREFUL when using eval(). You're just asking for attacks.

I've never seen a real use for stored procedures via MySQL in the Open Source environment.
ljCharlie
Forum Contributor
Posts: 289
Joined: Wed May 19, 2004 8:23 am

Post by ljCharlie »

Thank you for all your suggestions. I just found out that I received some errors... and after reading this thread again, I realized that the reason I got the error is because I mixed HTML and PHP code in the same field. In addition, I should have the <?php and ?> in the field too, correct? So my best bet is to use include, correct? And when dumping into a file and using include, you are referring to doing this on the fly, right? How do I dump the data into a file on the fly?
ljCharlie
Forum Contributor
Posts: 289
Joined: Wed May 19, 2004 8:23 am

Post by ljCharlie »

jwalsh, can you explain or give examples of attacks by using eval() function?
ljCharlie
Forum Contributor
Posts: 289
Joined: Wed May 19, 2004 8:23 am

Post by ljCharlie »

Is there any danger of giving my file, found.php, the permission to write a file into the hard drive?
Grim...
DevNet Resident
Posts: 1445
Joined: Tue May 18, 2004 5:32 am
Location: London, UK

Post by Grim... »

Any PHP code can be run in the eval() statement.

So if Timmy Naughty-Cracker figures out a way to pass his own stuff to your page with eval() on it, all he has to send is

Code:

<?php
echo $database_username." ".$database_password;
if ($handle = fopen($filename, 'a')) {
    fwrite($handle, $naughtyphp);
}
?>
and he's off :(
ljCharlie
Forum Contributor
Posts: 289
Joined: Wed May 19, 2004 8:23 am

Post by ljCharlie »

Okay, here's what I have my eval set up as:

Code:

if ($row_rsMnuPic['php_mnu'] != NULL) {
    $phpCode = $row_rsMnuPic['php_mnu'];
    eval($phpCode);
}
And currently the drive is not set up to have any write permission. Is this still vulnerable, since the eval is set up to read data only from the database and not from a file? In addition, how does Timmy Naughty-Cracker pass his stuff into my page?
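
An added example, not part of the original thread: since eval() runs whatever the php_mnu column holds, anyone who can write to that column can run code on the server, so one alternative is to store plain text with placeholders and map them to an allowlist of functions kept in the PHP source. The {{name}} placeholder syntax, the handler names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: render database-stored content without eval().
// The {{name}} token syntax and the handler names are assumptions.

// Allowlist: the only code a stored field can trigger is defined here,
// in the application source, never in the database.
function content_handlers(): array
{
    return [
        'year'      => fn(): string => date('Y'),
        'site_name' => fn(): string => 'Example Site',
    ];
}

// Replace {{name}} tokens with the output of an allowlisted handler.
// Unknown tokens and all literal text are HTML-escaped, so nothing in
// $stored is ever executed as PHP or interpreted as markup.
function render_stored_content(string $stored, array $handlers): string
{
    // Split on tokens but keep them, so text and tokens are handled separately.
    $parts = preg_split('/(\{\{[a-z_]+\}\})/', $stored, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $part) {
        if (preg_match('/^\{\{([a-z_]+)\}\}$/', $part, $m) && isset($handlers[$m[1]])) {
            $out .= htmlspecialchars($handlers[$m[1]](), ENT_QUOTES, 'UTF-8');
        } else {
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        }
    }
    return $out;
}

// Constructed sample rows standing in for the php_mnu column.
$rows = [
    'Welcome to {{site_name}}, copyright {{year}}',
    '<?php echo $database_password; ?> {{unknown_token}}', // stays inert text
];
foreach ($rows as $row) {
    echo render_stored_content($row, content_handlers()), PHP_EOL;
}
```

The second sample row comes out as escaped text rather than running, which is the difference from passing the same column value to eval().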