Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 8:49 am
by rhecker
I want to safely store PHP and HTML in MySQL, then use eval() to run the code when it's called from the database.
To accomplish this, I used mysql_real_escape_string and htmlspecialchars on data going into the database, then htmlspecialchars_decode and stripslashes on the data coming out, before using eval().
The problem I have encountered is that carriage returns and new lines get converted to \r and \n going in, but coming out, the slashes are stripped, leaving the r's and n's as text.
I must be approaching this the wrong way. Can someone point me in the right direction?
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 9:04 am
by Eran
rhecker wrote:I must be approaching this the wrong way.
Probably - there is almost never a good reason to store PHP code in a database and run it with eval().
If you could explain your requirements, maybe someone could offer a better solution. Why aren't you using include() / require() to include scripts?
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 10:41 am
by AbraCadaver
rhecker wrote:I want to safely store PHP and HTML in MySQL, then use eval() to run the code when it's called from the database.
To accomplish this, I used mysql_real_escape_string and htmlspecialchars on data going into the database, then htmlspecialchars_decode and stripslashes on the data coming out, before using eval().
The problem I have encountered is that carriage returns and new lines get converted to \r and \n going in, but coming out, the slashes are stripped, leaving the r's and n's as text.
I must be approaching this the wrong way. Can someone point me in the right direction?
Don't use stripslashes() coming out.
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 11:07 am
by rhecker
Not using stripslashes coming out leaves the slashes in, so that's not a solution.
I wonder what the argument is against using eval(). I realize the code could be put in includes.
Here's the code for my little test app.
Code:
<?php
// Test app as posted, fixed to run: mysql_real_escape_string() needs an open
// mysql_connect() link, and the mysql_* extension was removed in PHP 7.
$start2 = $start3 = '';
if (!empty($_POST['start'])) {
    foreach ($_POST as $k => $v) {
        $v = htmlspecialchars($v);
        $v = mysql_real_escape_string($v);
        $_POST[$k] = $v;
    }
    extract($_POST); // creates $start from $_POST['start']
    $start2 = $start;
    $start3 = htmlspecialchars_decode($start);
    $start3 = stripslashes($start3);
}
?>
<form action="#" method="post">
<p>Start<br/>
<textarea name="start" cols="30" rows="5"></textarea></p>
<p>No cleanup<br/>
<textarea name="2" cols="30" rows="5"><?php echo $start2 ?></textarea></p>
<p><?php echo $start2 ?></p>
<p>With cleanup<br/>
<textarea name="3" cols="30" rows="5"><?php echo $start3 ?></textarea></p>
<p><?php echo $start3 ?></p>
<input name="submit" type="submit" value="submit" />
</form>
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 11:11 am
by Eran
It depends on what you are using eval() for - if it's for code generated by a user, you have a major security hazard on your hands. If it's for your own code - it really complicates development. It is much easier to work with files instead of a database. How do you edit your code? You can't use an IDE or text editor directly on it, so do you edit it through a database GUI?
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 11:22 am
by AbraCadaver
rhecker wrote:Not using stripslashes coming out leaves the slashes in, so that's not a solution.
No, not unless you are adding them with something other than mysql_real_escape_string. magic_quotes maybe?
If you insert mysql_real_escape_string("What's up?") into your db, then select it from your db and echo it, you'll get
What's up?
and not
What\'s up?
unless magic_quotes_runtime is enabled (doubtful).
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 11:53 am
by rhecker
Regarding stripslashes, you can run the code I provided above, take out stripslashes and see what happens.
Here is the reason I am interested in using eval():
I want to have websites that have a single "page," so that the page_id and other variables determine what is sent to that one index.php page. Then the CMS is used to determine what content will fill the page. Rather than having includes that are relevant to just a single page instance, it seemed easier to manage by putting the code right in the content stored in the database. Of course, in instances where the code would be used in more than one place, an include or a function would make better sense.
Users would never enter PHP although administrators would be able to enter HTML through a secure section.
Re: Storing HTML and PHP in MySQL
Posted: Tue Oct 26, 2010 12:16 pm
by AbraCadaver
Your code is not accurate because your server is escaping the posted data, as in my statement about magic_quotes. You need to remove the slashes from the post array. I hadn't really looked at your code to see that it has nothing to do with mysql yet, but here is a working example:
Code:
<?php
$start2 = $start3 = '';
if (!empty($_POST['start'])) {
    // Undo the slashes PHP itself added when magic_quotes_gpc is on (removed in PHP 5.4).
    if (get_magic_quotes_gpc()) {
        $_POST = array_map('stripslashes', $_POST);
    }
    // Escape for the SQL statement only; needs an open mysql_connect() link.
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $start2 = $_POST['start'];
    // don't do this:
    $start3 = stripslashes($start2);
}
The slashes that you see in $start2 will not be inserted into the db. They are only there to escape the quotes so the string can be inserted.
Also, there is no reason to use htmlentities() to store in the db. Use htmlentities() to display data if you want to ensure that malicious HTML/CSS/JS etc. isn't rendered.
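Pulling the thread's advice together, here is an added example (not code from any poster) that round-trips a string holding a quote, a backslash and a CRLF through a database with a prepared statement and encodes it only at display time. It assumes the pdo_sqlite extension; the table name page_content is made up for the example.

```php
<?php
// Added example (not from this thread): store posted text, reload it, and prove the
// stored bytes are untouched, then HTML-encode only when rendering. Assumes pdo_sqlite;
// the page_content table is invented for the example.
function storeAndReload(PDO $pdo, string $posted): string
{
    // Bound parameters: the driver quotes the value for the statement only, so no
    // escaping characters ever become part of the stored bytes (nothing to strip later).
    $ins = $pdo->prepare('INSERT INTO page_content (body) VALUES (:body)');
    $ins->execute([':body' => $posted]);

    $sel = $pdo->prepare('SELECT body FROM page_content WHERE id = :id');
    $sel->execute([':id' => (int) $pdo->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE page_content (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, shaped like what a textarea posts (CRLF line ending).
$posted = "What's up?\r\nA backslash: \\ and some <b>markup</b>";

// Only undo slashes that PHP itself added (magic_quotes_gpc, gone since PHP 5.4).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $posted = stripslashes($posted);
}

$stored = storeAndReload($pdo, $posted);

// The reloaded value must be byte-for-byte what was posted: CRLF intact (no literal
// "r" and "n" left behind), no backslash added in front of the quote.
if ($stored !== $posted) {
    throw new RuntimeException('stored value was altered: ' . var_export($stored, true));
}

// Encode at display time, not at storage time, so the stored markup is shown as text
// in the editor instead of being rendered by the browser.
echo '<textarea name="body">', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "</textarea>\n";
```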