Execute PHP code in record

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
tman
Forum Newbie
Posts: 6
Joined: Wed Mar 29, 2006 8:02 am

Execute PHP code in record

Post by tman »

Hello, I am tring to insert a record into a database using MYSQL and php. In the record, I want PHP code to be able to execute. Here is what I have:

mysql_query("INSERT into testtabe (name, about, code, expires, skew) VALUES ('BLOWOUT Sale!', 'Receive Money off top name <a href=http://www.xxx-test.com/php/test.asp?b=1&a='<? echo $bid ?>'&Task=Click>shirts</a> and sweaters.', 'N/A', 'Unknown', '')");

Here is the problem, that when the page is displaying the record (at the top, we are delaring $bid variable. However if we simply write $bid into the URL then it will not show the PHP code and only list as $bid. However, when I list it as above, it seems to break because of the "?". I am not familiar with PHP code so I am not sure if I am missing a parenthisis of apostorphe or something to be able to hardcode the PHP directly into the record. I seem to be able to do this with no problem using ASP however I cant seem to do it using PHP. ANy help would be greatly appreciated.
Thanks!
User avatar
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
Contact:

Post by JayBird »

Code: Select all

mysql_query("INSERT into testtabe (name, about, code, expires, skew) VALUES ('BLOWOUT Sale!', 'Receive Money off top name <a href=http://www.xxx-test.com/php/test.asp?b=1&a='".$bid."'&Task=Click>shirts</a> and sweaters.', 'N/A', 'Unknown', '')");
should do it
tman
Forum Newbie
Posts: 6
Joined: Wed Mar 29, 2006 8:02 am

yes, but...

Post by tman »

The problem is that the page that displays the record contains the $bid variable. The page that inserts the record does not contain the $bid variable, which is why I need to actually put the PHP in the database record and not the "executed" PHP in the record. Hopefully this makes more sense.
Thanks
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

storing code to be run in the database can often lead to headaches. I'd suggest storing a string you can easily replace when you pull the string out in the "display" page. {BID} springs to mind.
tman
Forum Newbie
Posts: 6
Joined: Wed Mar 29, 2006 8:02 am

I know

Post by tman »

I have no other choice because I do not actually have access to the pages that the code displays on and there are over 700 pages, so I can not go in and update each one. Is there no way? I know with classic ASP it can be done, but again I am new to PHP so I am not really sure.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you would likely need to modify the pages no matter if you stored PHP code or not in the string. PHP will not know to parse the string as code automatically.
tman
Forum Newbie
Posts: 6
Joined: Wed Mar 29, 2006 8:02 am

I guess I dont understand.

Post by tman »

In ASP I could do this:

SQL = "INSERT into tblTest (field A, field B, feild C) VALUES ('test', 'testing 2', '<a href=test.asp?id=<%=globalvariable%>click here</a>')"
objConn.Execute(SQL)

Could I not do something like this in PHP? When I try something like this:

mysql_query("INSERT into tblTest(field A, field B, field C) VALUES ('test', 'testing 2', '<a href=test.php?id=<? echo $aid. ?>>click here</a>')");

When I run the PHP code it seems to break at the <? brackets...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the only way to run the stored code is to use eval(), which is very rarely recommended. You will have to alter the value stored, or string sent to eval() to actually be inline PHP.
tman
Forum Newbie
Posts: 6
Joined: Wed Mar 29, 2006 8:02 am

So...

Post by tman »

Basically your telling me there is no way to do this? I kind of find that hard to believe. I guess I really dont understand either because PHP is a server based language executed before the output to the browser. I need to find a way to do this because like you said I will have to update the pages, but the problem is that I can not. I literally do not have access to these pages and can never get acess. I need to be able to run my PHP code through a record they are displaying. The only thing I have access to is the database that powers there pages, but I do not and can not get access to the actual pages themselves. therefore since I only have access to the database, I have no other choice but to put the PHP code in the actual database record. Unless you can think of a better way.

Thanks again for all your help!
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you don't have access to the data needed, there's no way around it. Yes, PHP is a server side language. That does not mean that code stored as a string will be processed because there is no way for PHP to know it is code that should be processed.

Maybe if we knew more about the system and how it worked we would have a better suggestion, but because of the inflexibility you've got, we can't offer much of anything.
User avatar
ed209
Forum Contributor
Posts: 153
Joined: Thu May 12, 2005 5:06 am
Location: UK

Post by ed209 »

As has already been mentioned in this post, eval() could do what you ask. However, eval() comes with some serious security risks. I guess these forums are about sharing information so in the spirit of that the following works but I would NOT recommend using it.

Code: Select all

$bid = 100;
$a_value_from_database = "Receive Money off top name <a href=http://www.xxx-test.com/php/test.asp?b=1&a='<?php echo $bid ?>'&Task=Click>shirts</a> and sweaters.";

echo eval('?>' . $a_value_from_database . '<?php ');

/* outputs:

Receive Money off top name <a href=http://www.xxx-test.com/php/test.asp?b=1&a='100'&Task=Click>shirts</a> and sweaters. 

*/
This could be of use to find out more about the eval() function http://en.wikipedia.org/wiki/Eval
tman
Forum Newbie
Posts: 6
Joined: Wed Mar 29, 2006 8:02 am

Maybe

Post by tman »

feyd | Please use

Code: Select all

and

Code: Select all

tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


I am not being clear enough.  What I am looking to do I think is simple or at least should be...

Imaging I have a customer who has a PHP website and runs PHP pages.  I do not have access to their PHP pages therefore am unable to put actual PHP code on the page itself, I do have access to the customers database.

Now, having said that, I need to access a variable on that page that is hardcoded on that PHP page, however I could not "hard-code" any PHP on that page to get access to that variable, so since I only have access to the database and the out put of records, can I somehow get access to the variable?  Thus my reason for storing PHP in a database record.

So say someone has a PHP page and the page has the following:

Code: Select all

<?
//Customers ID Number
$cid="123";

// Get Current Deals & Specials Below
$result = mysql_query("select * from coupons") or die (mysql_error()); while ($row = mysql_fetch_array($result))
{
echo "
<b>$row[name]</b><br>
$row[about]<br>
<b>Code:</b> $row

Code: Select all

<br>
<b>Expires:</b> $row[expires]<br>
";
}
mysql_free_result($result);
?>
Now I do not have access to this PHP page, only to the database that displays records on this page. And in my output of records, I need to be able to create a link with the customers ID (cid) in the queryString in the expired field. So if I thought I could store something in the actual database like such:

mysql_query("INSERT into coupons (name, about, code, expires) VALUES ('BLOWOUT Sale!', 'Receive money off top name <a href=http://www.test.com/test.php?customerID=<script language=php>echo $cid</script>>shirtrs</a>.', 'N/A', 'Unknown')");


Does this help?


feyd | Please use

Code: Select all

and

Code: Select all

tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's the same situation I've already been talking about. It is not possible for PHP to know that the string stored in the database should be executed over any other string. So php will, like it should, output the string literally, no parsing of any nature will happen to it.

Since you do not have access to the scripts involved, there is nothing you can really do. The only options you have is adding more scripts to the server that will post process the output generated by their pages injecting where needed the variables. That not only is a huge undertaking, it is so easily screwed up I can't recommend it.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

tman wrote:Imaging I have a customer who has a PHP website and runs PHP pages. I do not have access to their PHP pages therefore am unable to put actual PHP code on the page itself, I do have access to the customers database.
The data that is in the db is string data. That means that when it is returned in the fetch array for display, the data is displayed as a string (php characters and all). If there is executable code in the string, it will still be considered a string and will not parse as PHP unless being told to do so (using eval(), which is not recommended, and in your case, impossible since you don't have access to the PHP scripts themselves).

Given your circumstance, there is no way for your to execute PHP code on the site you are trying to do this with because the current scripts are probably not expecting PHP code to come from the database. I know this is probably not the answer you want, but unfortunately that is the way it is. It is a good thing too. Imagine if some malicious coder decided to install funky PHP code and the site your stuff is hosted on got compromised. That would be a mess.
Post Reply