HTML and PHP data stored in DB, how to execute the PHP?

Posted: Mon Sep 25, 2006 5:47 pm
by JackTheTripper
I'm working on moving our web site to where all the main content will be stored in a MySQL database. Currently there are only a handful of pages that call PHP functions which pull more data from the DB. So here is some example code that is on the current site...


Code:

<p>Here is our address:<br>
<? printAddress('headquarters'); ?></p>

When I put that into the DB it literally prints the whole thing rather than running the function 'printAddress()'.

Is there a way using PHP or a MySQL command to execute the php code rather than printing it to the page literally?

Thanks in advance.

Posted: Mon Sep 25, 2006 5:56 pm
by hawleyjr
Out of curiosity, why would you want to do this? Seems like a huge security risk to me...just my $0.02

Posted: Mon Sep 25, 2006 6:24 pm
by JackTheTripper
We're developing a content management tool to more easily be able to update the web site. All PHP errors will be suppressed and pages will have an .htm file type but the server will process them as PHP. The end user will have no idea the pages are PHP generated. CMS is behind a firewall.

Posted: Mon Sep 25, 2006 6:27 pm
by Luke
What happens when a user puts unlink('some_really_important_file'); or something even worse into your editor? This is a security risk that I wouldn't go anywhere near.

Posted: Mon Sep 25, 2006 6:41 pm
by JackTheTripper
The users are going to be myself and the senior webmaster, so we'll just be sure to NOT do that. But thanks. ;)

Also, eventually if a user enters PHP code directly into the tool (<? unlink('file.php'); ?>) we will parse it out. Only certain functions from an available list will be allowed, not any arbitrary PHP, but that comes after I can execute PHP functions from the DB.

Posted: Mon Sep 25, 2006 8:32 pm
by HCBen
I think the eval function is what you're looking for: http://us3.php.net/manual/en/function.eval.php
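
An alternative to eval() for the case discussed in this thread, added here as an example and not posted by any participant: the stored content carries a placeholder, and the renderer calls only functions on an allowlist, so nothing from the DB is ever executed as PHP. The {{name:arg}} token syntax, renderContent(), addressHtml() and the sample rows are assumptions made for the example, which also assumes PHP 7.1 or later.

```php
<?php
// Added example: render allowlisted placeholders from stored content without eval().
// The {{name:arg}} token syntax, renderContent() and the address data are assumptions.

// Constructed stand-in for the site's printAddress(); returns HTML instead of printing.
function addressHtml(string $office): string
{
    $addresses = ['headquarters' => "1 Example Way\nSpringfield"]; // constructed data
    $text = $addresses[$office] ?? 'Address unavailable';
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// The only functions stored content may invoke: token name => callable.
const ALLOWED_TOKENS = ['printAddress' => 'addressHtml'];

function renderContent(string $stored): string
{
    // Arguments are limited to a short identifier-like string, so a token
    // can never carry PHP code, quotes, or path characters.
    $pattern = '/\{\{([A-Za-z_][A-Za-z0-9_]*):([A-Za-z0-9_-]{1,64})\}\}/';
    $html = preg_replace_callback($pattern, function (array $m): string {
        [$token, $name, $arg] = $m;
        if (!array_key_exists($name, ALLOWED_TOKENS)) {
            // Unknown name: emit the token as inert escaped text, never call it.
            return htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
        }
        return call_user_func(ALLOWED_TOKENS[$name], $arg);
    }, $stored);
    return $html ?? ''; // preg_replace_callback returns null on a regex error
}

// Constructed rows as they might come back from the content table.
$rows = [
    "<p>Here is our address:<br>\n{{printAddress:headquarters}}</p>",
    "<p>{{unlink:file}}</p>",            // name is not on the allowlist
    "<p><? unlink('file.php'); ?></p>",  // PHP tags stay plain text, never run
];
foreach ($rows as $row) {
    echo renderContent($row), "\n";
}
```

The surrounding HTML is still output exactly as stored, so this protects against code execution on the server, not against markup an editor types into the tool.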