
Output PHP from MySQL Database

Posted: Mon Aug 06, 2007 2:32 pm
by the9ulaire
I simply want to output PHP code stored in the database on my page. I've tried:

$sql = "SELECT page_id, page_name, page_desc, page_content " .
       "FROM pages WHERE page_id=" . (int) $_GET['p']; // cast to int so the URL parameter cannot change the query
$result = mysql_query($sql, $conn);
$row = mysql_fetch_array($result);
$page_content = $row['page_content'];
eval($page_content); // runs whatever the row contains as PHP
I am trying to output:

$sql = "SELECT * FROM calendar ORDER BY date";
$result = mysql_query($sql, $conn);

echo "<table border=\"0\" cellpadding=\"2\" id=\"calendar_table\">";
echo "<tr id=\"table_header\">";
echo "<td width=\"100px\">Date</td>";
echo "<td width=\"200px\">Location</td>";
echo "<td width=\"60px\">Time</td>";
echo "<td width=\"300px\">Description</td>";
echo "</tr>";
// one row per calendar entry; values are HTML-escaped before output
while ($row = mysql_fetch_array($result)) {
    echo "<tr class=\"table_row\">";
    echo "<td width=\"100px\">" . htmlspecialchars($row['date']) . "</td>";
    echo "<td width=\"200px\">" . htmlspecialchars($row['location']) . "</td>";
    echo "<td width=\"60px\">" . htmlspecialchars($row['time']) . "</td>";
    echo "<td width=\"300px\">" . htmlspecialchars($row['details']) . "</td>";
    echo "</tr>";
}
echo "</table>";
But all it does is show that code as plain text. How can I fix this so that it processes the PHP?

Thanks in advance!
Luke

Posted: Mon Aug 06, 2007 2:48 pm
by TheMoose
I'd advise against it, but you can use PHP's eval() function.

Posted: Mon Aug 06, 2007 2:54 pm
by the9ulaire
TheMoose wrote:I'd advise against it, but you can use PHP's eval() function.
May I ask why?

Posted: Mon Aug 06, 2007 3:14 pm
by TheMoose
You have to take extra time to escape any special PHP character (such as the $ that designates variables) and double quotes so that it doesn't assume they're breaking the string. That's extra time spent just formatting the code, without even taking the execution time into account. Hard-coded PHP doesn't have to deal with formatting and execution, just execution.

It's more of a performance advisory, than anything else. If you allow custom code to be executed, then you're getting into a security risk.

Posted: Mon Aug 06, 2007 3:19 pm
by feyd
Unless you know exactly what you're doing and why, eval() is a very dangerous function. Avoid it at all costs.

Posted: Mon Aug 06, 2007 3:52 pm
by AKA Panama Jack
As people have mentioned, storing PHP code in a database and then eval()ing it is just plain damned SLOW, plus there are many security issues pertaining to someone modifying the database. Also, maintaining code that is stored in a database is more difficult than maintaining it stored as files on a drive.

I tried this in the past and it was many, many, MANY times slower to execute PHP code from a database than just loading it from disk using an include.

Anyone that stores PHP code, template data, etc. in a database for parsing later is just asking for trouble because it is SLOW and INSECURE.
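The point made by feyd and AKA Panama Jack can be shown in code. What follows is an added example, not code from anyone in this thread. It assumes a `pages` table whose `page_template` column holds a short key such as `calendar` rather than PHP source, a `templates/` directory next to the script holding ordinary PHP files (the calendar code from the opening post would live in `templates/calendar.php`), and PDO for database access; the connection credentials are placeholders. The original query splices `$_GET['p']` straight into the SQL, so a request like `?p=1 OR 1=1` changes the query, and once an attacker can influence `page_content` through that or through any other write to the table, `eval()` runs their code on the server. The hardened version executes nothing that came from the database: the row only names which file to include, and that name is checked against a fixed list before anything is loaded.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   pages(page_id INT, page_name, page_desc, page_template VARCHAR(64))
// page_template holds a key such as 'calendar', never PHP source.

// The pattern from the opening post, kept only for contrast.
// Two defects: $_GET['p'] is spliced into the SQL, and whatever the row
// contains is executed as PHP. Anyone who can write page_content owns the server.
function render_page_unsafe($conn, array $get)
{
    $sql = "SELECT page_content FROM pages WHERE page_id=" . $get['p'];
    $row = mysql_fetch_array(mysql_query($sql, $conn));
    eval($row['page_content']);
}

// Hardened version.

// Allowlist of template keys the database is permitted to refer to.
// A value not in this list is treated as a misconfiguration, not as a file name.
function template_allowlist()
{
    return array(
        'calendar' => 'calendar.php',
        'contact'  => 'contact.php',
    );
}

// Map a template key to an absolute path under templates/, or return null.
function resolve_template($key)
{
    $allow = template_allowlist();
    if (!is_string($key) || !isset($allow[$key])) {
        return null;
    }
    $dir = realpath(dirname(__FILE__) . '/templates');
    if ($dir === false) {
        return null; // templates/ directory missing
    }
    $path = realpath($dir . '/' . $allow[$key]);
    // Belt and braces: the resolved file must still sit inside templates/.
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page(PDO $db, array $get)
{
    // The cast alone defeats the injection; the prepared statement makes the
    // question moot, because the value is never interpreted as SQL.
    $id = isset($get['p']) ? (int) $get['p'] : 0;

    $stmt = $db->prepare(
        'SELECT page_name, page_desc, page_template FROM pages WHERE page_id = ?'
    );
    $stmt->execute(array($id));
    $page = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($page === false) {
        header('HTTP/1.0 404 Not Found');
        echo 'No such page.';
        return;
    }

    $template = resolve_template($page['page_template']);
    if ($template === null) {
        // A bad value in the database is a bug to log and fix, never a reason to run code.
        header('HTTP/1.0 500 Internal Server Error');
        echo 'Page misconfigured.';
        return;
    }

    echo '<h1>' . htmlspecialchars($page['page_name'], ENT_QUOTES, 'UTF-8') . '</h1>';
    echo '<p>' . htmlspecialchars($page['page_desc'], ENT_QUOTES, 'UTF-8') . '</p>';

    // The template is plain PHP on disk, versioned and reviewed like the rest of
    // the site, and loaded through the normal include path (so it is compiled and
    // cached like any other script). It may use $db and $page; nothing from the
    // row is ever passed to eval().
    include $template;
}

// Placeholder credentials; replace with the real DSN, user and password.
$db = new PDO('mysql:host=localhost;dbname=site', 'user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
render_page($db, $_GET);
```

The database still decides what each page shows, which is what the opening post wanted; it just does so by picking from a set of files the developer controls rather than by supplying the code itself. The same structure works with the old `mysql_*` functions if PDO is unavailable, as long as `$_GET['p']` is cast to an integer before it reaches the query.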

Posted: Mon Aug 06, 2007 4:42 pm
by s.dot
Anyhoots, your eval() has to be a complete statement.


eval("echo \$page_content;");
Something like that.

Posted: Tue Aug 07, 2007 2:37 pm
by the9ulaire
Thanks guys! I appreciate your advice! Since I'm so new to this, I'm still unaware of many risks. I will be hard coding my page.

Thanks again!
Luke