How to display PHP code from database to a webpage?
Posted: Tue Oct 18, 2005 1:09 pm
by ljCharlie
I have created a website whose content is stored in a MySQL database table. In the content field, I stored some PHP code. The question is, how do I get this code from the database to execute when the page is loaded? Currently what happens is that the actual code is displayed instead of the result when I echo the content field from the database table.
Posted: Tue Oct 18, 2005 2:13 pm
by Charles256
Look at the eval function in the PHP manual :)
Posted: Tue Oct 18, 2005 3:19 pm
by ljCharlie
Thank you so much. That is very helpful. I'll take a look and see what happens.
Posted: Tue Oct 18, 2005 3:28 pm
by Charles256
No problem. Do realize you can't eval HTML and PHP code from the same field.. makes PHP hate you..

Posted: Tue Oct 18, 2005 4:14 pm
by Jenk
There is probably a way to do this already, but I have just had a thought: take the value from the DB, dump it into a file, then include() the file.
Though like I say, there is probably a function that includes a variable in the same way include() includes files.
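The "dump it into a file, then include() it" idea from the post above, written out as an added example (not code from any poster in this thread). The function name, the `$dir` argument and the sample row are assumptions for illustration. It assumes a directory outside the web root that only the web server user can write to.

```php
<?php
// Added example (not from the thread): execute a PHP fragment read from a
// database row by writing it to a uniquely named temporary file and
// include()-ing that file. $code and $dir are illustrative names.

function run_stored_php($code, $dir)
{
    // tempnam() creates a new, empty file with a unique name (mode 0600),
    // so two concurrent requests never share or overwrite a file.
    $file = tempnam($dir, 'stored_');
    if ($file === false) {
        throw new RuntimeException('could not create temp file in ' . $dir);
    }
    try {
        // Unlike eval(), an included file starts in HTML mode, so a row
        // that mixes HTML with <?php ... ?> blocks works without extra care.
        if (file_put_contents($file, $code, LOCK_EX) === false) {
            throw new RuntimeException('could not write ' . $file);
        }
        ob_start();          // capture whatever the fragment prints
        include $file;
        return ob_get_clean();
    } finally {
        unlink($file);       // remove the file even if the fragment throws
    }
}

// Constructed sample of what a content row might hold.
$row = "<h1>Menu</h1>\n<?php echo 'Generated at ' . date('Y-m-d'); ?>\n";

echo run_stored_php($row, sys_get_temp_dir());
```

This only solves the mixed HTML/PHP problem; in terms of trust it is the same as eval(). Whatever ends up in that column runs with the web server's privileges, so the row's integrity (who can write to the table, and through which forms or queries) is the whole security boundary.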
Posted: Tue Oct 18, 2005 10:49 pm
by jwalsh
No one has mentioned this yet, but be VERY CAREFUL when using eval(). You're just asking for attacks.
I've never seen a real use for stored procedures via MySQL in the Open Source environment.
Posted: Thu Oct 20, 2005 8:50 am
by ljCharlie
Thank you for all your suggestions. I just found out that I received some errors...and after reading this thread again, I realized that the reason I got the error is because I mixed HTML and PHP code in the same field. In addition, I should have the <?php and ?> in the field too, correct? So my best bet is to use include, correct? And when dumping into a file and using include, you are referring to doing this on the fly, right? How do I dump the data into a file on the fly?
Posted: Thu Oct 20, 2005 8:55 am
by ljCharlie
jwalsh, can you explain or give examples of attacks by using eval() function?
Posted: Thu Oct 20, 2005 9:42 am
by ljCharlie
Is there any danger of giving my file, found.php, the permission to write a file into the hard drive?
Posted: Thu Oct 20, 2005 11:11 am
by Grim...
Any PHP code can be run in the eval() statement.
So if Timmy Naughty-Cracker figures out a way to pass his own stuff to your page with eval() on it, all he has to send is
Code:
<?php
echo $database_username." ".$database_password;
if ($handle = fopen($filename, 'a')) {
    fwrite($handle, $naughtyphp);
}
?>
and he's off

Posted: Thu Oct 20, 2005 11:20 am
by ljCharlie
Okay, here's what I have my eval setup as:
Code:
if ($row_rsMnuPic['php_mnu'] != NULL) {
    $phpCode = $row_rsMnuPic['php_mnu'];
    eval($phpCode);
}
And currently the drive is not set up to have any write permission. Is this still vulnerable, since the eval is set up to read only data from the database and not a file? In addition, how does Timmy Naughty-Cracker pass his stuff into my page?
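An added example, not code from any poster: the usual way to avoid the eval() question entirely is to store the row as data rather than as code. The row holds an HTML template with named placeholders; the page decides which values exist and escapes them before substitution, so nothing in the database is ever executed as PHP, regardless of who can write to the table. The function name, placeholder syntax and sample row are assumptions for illustration.

```php
<?php
// Added example (not from the thread): render a content row as a template.
// The row is treated as text; only the placeholders the page provides are
// expanded, and each value is HTML-escaped before insertion.

function render_template($template, array $values)
{
    $replacements = array();
    foreach ($values as $name => $value) {
        // Build "{name}" => escaped value. Anything in the row that is not
        // one of these keys is left untouched and printed as-is.
        $replacements['{' . $name . '}'] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    // strtr() replaces all placeholders in one pass, longest key first,
    // so a substituted value can never be re-expanded as a placeholder.
    return strtr($template, $replacements);
}

// Constructed sample of a content row. The <?php ... ?> fragment inside it is
// sent to the browser as text; it never reaches the PHP interpreter.
$row_content = "<h1>Welcome, {user}</h1>\n"
             . "<p>Today is {date}.</p>\n"
             . "<?php echo \$database_password; ?>\n";

echo render_template($row_content, array(
    'user' => 'lj<Charlie>',   // escaped to lj&lt;Charlie&gt;
    'date' => date('Y-m-d'),
));
```

The template itself is still raw HTML, so the column must only be writable by editors you trust with the page's markup; what this design removes is the server-side code execution, which is the part an eval() on database content hands to anyone who can alter the row.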