Executing PHP that is stored in a MySQL record

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

Hi guys,
I'm an amateur PHP developer, and I recently built my first full blown CMS for my website and for use on my clients websites. I'm really proud of it, except two things: 1. I'm certain it has security vulnerabilities 2. Some of my pages (like my blog page) have PHP in their content, and the content is stored in the record, and when I pull my record it doesn't execute that PHP (I'm assuming as a security precaution).

So my dilemma is, I want each page and it's content controlled by my CMS, yet I have read executing PHP, even if it's a simple query to pull a record, is a serious vulnerability. Can anyone help? Thanks!
GreenCore
Forum Newbie
Posts: 5
Joined: Thu Dec 18, 2008 6:53 am

Re: Executing PHP that is stored in a MySQL record

Post by GreenCore »

If you are an amateur PHP developer, and make websites for others (company’s).
Then my advice is that’s better to use default open-source PHP TPL Classes like Smarty

These template engine’s have their own template tags which will be automatically compiled to PHP Code.
You can store these TPL files like text in a database (for example MySQL), store it as yourtemplate.tpl or a combination of both.

Good examples, manual’s and more are available at www.smarty.net.

For direct executing PHP Code you could try www.php.net/eval

Good Luck!
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: Executing PHP that is stored in a MySQL record

Post by John Cartwright »

While I appreciate you are learning PHP, that is a serious foul. Why are you storing php source in the database? Maybe we can suggest a better approach.
WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Re: Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

Well I have modules like a form - for example. Or the content for my blog.

Also, I understand being able to execute PHP scripts from MySQL is a serious vulnerability, but if the page that inserts the data into MySQL is password protected (checks against database for user) than I don't understand why that is dangerous I guess?

Thanks you guys!
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: Executing PHP that is stored in a MySQL record

Post by John Cartwright »

It's not neccesarily a security vulnerability having the ability mysql content interpreted by php, however, you are leaving yourself open to attack. What if you want other users to be able to edit database contents? This is simply not smart to do for a thousand and five reasons.

You still havn't explained why you want php content in the database?
WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Re: Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

Oh I'm sorry, that's what I was trying to say with my first sentence of my last post. I want to control each pages content (not layout though) from the CMS. Meaning any page content that's unique to that page is controlled from the record. So then if I have a snippet or module I want to display on that page in the middle of my content then the only way I know how to do that is to place my PHP within that record.

Does that make better sense?

Thanks!
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Executing PHP that is stored in a MySQL record

Post by kaisellgren »

WithHisStripes wrote:Oh I'm sorry, that's what I was trying to say with my first sentence of my last post. I want to control each pages content (not layout though) from the CMS. Meaning any page content that's unique to that page is controlled from the record. So then if I have a snippet or module I want to display on that page in the middle of my content then the only way I know how to do that is to place my PHP within that record.

Does that make better sense?

Thanks!
Why would you not store non-PHP text in the database and output it into the template? Then if you need dynamic processing you may create some sort of plugins.
WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Re: Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

I don't understand your question...

Why would I not store non-PHP? I'm not not, haha. I have my page content. And then I have a couple PHP snippets and modules that I'd like to appear within that content.

Does that make sense?

Thanks again for your help!
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Executing PHP that is stored in a MySQL record

Post by kaisellgren »

WithHisStripes wrote:I don't understand your question...

Why would I not store non-PHP? I'm not not, haha. I have my page content. And then I have a couple PHP snippets and modules that I'd like to appear within that content.

Does that make sense?

Thanks again for your help!
Why don't you keep the modules in separate .php files instead of putting the modules into the database?

If you have a textarea where you type PHP code to make it to appear on your site, then it's not a CMS -- it's more like an online PHP notepad that allows you to quickly change your PHP code... in this case you could directly modify the files intead of fetching static PHP code from the database.
WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Re: Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

Well, I suppose I should note that on my website, yes, that's basically what it would be. But I replicate what I build on my site on my clients' sites. So lets assume we're working on my clients site:

Yes I would put the PHP in a separate file. But then that file would still need to be included on my page. And lets say it was a contact form and it had to appear right in the middle of their content. So then the only way - that I am aware of - would be to place an include snippet there calling the file. But even that still is disabled by MySQL, right?
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Executing PHP that is stored in a MySQL record

Post by kaisellgren »

WithHisStripes wrote:Well, I suppose I should note that on my website, yes, that's basically what it would be. But I replicate what I build on my site on my clients' sites. So lets assume we're working on my clients site:

Yes I would put the PHP in a separate file. But then that file would still need to be included on my page. And lets say it was a contact form and it had to appear right in the middle of their content. So then the only way - that I am aware of - would be to place an include snippet there calling the file. But even that still is disabled by MySQL, right?
Sorry I did not understand what you were asking for.

Yes you would just include/read/output buffer the contact form from a file and display it in the website anywhere you wish. I'm not sure what you meant when you said it's still disabled by MySQL.
WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Re: Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

Ah, okay so if I stored this:

Code: Select all

 
<p>This is a test.</p.>
<?php include('example-module.php'); ?>
<p>This is the rest of my text.</p>
 
Than MySQL will process and execute that?
User avatar
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: Executing PHP that is stored in a MySQL record

Post by Syntac »

MySQL won't do anything, it'll just store the text.

Anyway, this is a massive security vulnerability. Don't do it.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Executing PHP that is stored in a MySQL record

Post by kaisellgren »

Syntac wrote:MySQL won't do anything, it'll just store the text.

Anyway, this is a massive security vulnerability. Don't do it.
Yep, and in addition to that, you should learn some more PHP before proceeding with your project -- just a suggestion. You make the move.
WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Re: Executing PHP that is stored in a MySQL record

Post by WithHisStripes »

Hey kaisellgren, thanks for the feedback. I guess I just don't understand what makes executing PHP from a record a security risk if the only way to insert a record is password protected either using CPanel or a adminstrator login module.

And as for learning more PHP, can you be more specific? I don't take offense to that - I have zero formal education and I've learned everything I know from helpful folks like you and tutorials. So I'd love to hear where you think I need to have a better understanding?

Thanks!
Post Reply