I'm working on moving our web site to where all the main content will be stored in a MySQL database. Currently only a handful of pages call PHP functions which pull more data from the DB. So here is some example code that is on the current site...
We're developing a content management tool to more easily be able to update the web site. All PHP errors will be suppressed and pages will have an .htm file type, but the server will process them as PHP. The end user will have no idea the pages are PHP generated. The CMS is behind a firewall.
What happens when a user puts unlink('some_really_important_file'); or something even worse into your editor? This is a security risk that I wouldn't go anywhere near.
The users are going to be myself and the senior webmaster, so we'll just be sure to NOT do that. But thanks.
Also, eventually, if a user enters PHP code directly into the tool (<? unlink('file.php'); ?>), we will parse it out. Only certain functions from an available list will be allowed, not arbitrary PHP, but that comes after I can execute PHP functions from the DB.
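One way to get the "only functions from an available list" behaviour without ever passing DB content to eval() or include, as an added example that is not code from this thread; the [[name args]] token syntax, the render() function and the $allowed map are assumptions, and the stored content is constructed:

```php
<?php
// Added example: render DB-stored page content as text and dispatch only
// registered tokens to PHP. Raw "<?php ... ?>" inside the content is never
// executed because the content is echoed, not eval()'d or include'd.

// Allowlist: token name => [callable, argument validator].
// Callables take string arguments (as parsed from the token) and return HTML.
$allowed = [
    'latest_news' => [
        fn(string $n): string => '<ul>' . str_repeat('<li>news item</li>', (int) $n) . '</ul>',
        fn(array $args): bool => count($args) === 1 && ctype_digit($args[0]) && (int) $args[0] <= 50,
    ],
    'copyright' => [
        fn(): string => '&copy; ' . date('Y'),
        fn(array $args): bool => $args === [],
    ],
];

function render(string $content, array $allowed): string
{
    // Tokens look like [[name]] or [[name arg1 arg2]]; arguments are limited to
    // [A-Za-z0-9_] so no paths, quotes or shell metacharacters can be passed.
    return preg_replace_callback(
        '/\[\[([a-z_]+)((?:\s+[A-Za-z0-9_]+)*)\]\]/',
        function (array $m) use ($allowed): string {
            $name = $m[1];
            $args = preg_split('/\s+/', trim($m[2]), -1, PREG_SPLIT_NO_EMPTY);
            if (!isset($allowed[$name]) || !$allowed[$name][1]($args)) {
                // Unknown token or rejected arguments: show it escaped, run nothing.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return $allowed[$name][0](...$args);
        },
        $content
    );
}

// Constructed sample of what an editor might save to the DB. The raw PHP tag
// and the unregistered token both come out as inert text.
$stored = <<<'HTML'
<h1>Home</h1>[[latest_news 3]]<?php unlink('file.php'); ?>[[unlink file_php]]<p>[[copyright]]</p>
HTML;

echo render($stored, $allowed);
```

The editor's markup is still emitted as trusted HTML here, so the token layer only removes code execution; authors of the stored content remain the trust boundary, as the thread already assumes.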