Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 11:36 am
by WithHisStripes
Hi guys,
I'm an amateur PHP developer, and I recently built my first full-blown CMS for my website and for use on my clients' websites. I'm really proud of it, except for two things: 1. I'm certain it has security vulnerabilities. 2. Some of my pages (like my blog page) have PHP in their content, and the content is stored in the record, and when I pull my record it doesn't execute that PHP (I'm assuming as a security precaution).

So my dilemma is, I want each page and its content controlled by my CMS, yet I have read executing PHP, even if it's a simple query to pull a record, is a serious vulnerability. Can anyone help? Thanks!

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 3:13 pm
by GreenCore
If you are an amateur PHP developer and make websites for others (companies), then my advice is that it's better to use default open-source PHP TPL classes like Smarty.

These template engines have their own template tags which will be automatically compiled to PHP code.
You can store these TPL files as text in a database (for example MySQL), store them as yourtemplate.tpl, or a combination of both.

Good examples, manuals and more are available at www.smarty.net.

For directly executing PHP code you could try www.php.net/eval

Good Luck!

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 5:36 pm
by John Cartwright
While I appreciate you are learning PHP, that is a serious foul. Why are you storing php source in the database? Maybe we can suggest a better approach.

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 5:40 pm
by WithHisStripes
Well I have modules like a form - for example. Or the content for my blog.

Also, I understand being able to execute PHP scripts from MySQL is a serious vulnerability, but if the page that inserts the data into MySQL is password protected (checks against database for user) then I don't understand why that is dangerous I guess?

Thanks you guys!

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 5:45 pm
by John Cartwright
It's not necessarily a security vulnerability having the ability to have mysql content interpreted by php, however, you are leaving yourself open to attack. What if you want other users to be able to edit database contents? This is simply not smart to do for a thousand and five reasons.

You still haven't explained why you want php content in the database?

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 5:52 pm
by WithHisStripes
Oh I'm sorry, that's what I was trying to say with my first sentence of my last post. I want to control each page's content (not layout though) from the CMS. Meaning any page content that's unique to that page is controlled from the record. So then if I have a snippet or module I want to display on that page in the middle of my content then the only way I know how to do that is to place my PHP within that record.

Does that make better sense?

Thanks!

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 6:21 pm
by kaisellgren
WithHisStripes wrote: Oh I'm sorry, that's what I was trying to say with my first sentence of my last post. I want to control each page's content (not layout though) from the CMS. Meaning any page content that's unique to that page is controlled from the record. So then if I have a snippet or module I want to display on that page in the middle of my content then the only way I know how to do that is to place my PHP within that record.

Does that make better sense?

Thanks!
Why would you not store non-PHP text in the database and output it into the template? Then if you need dynamic processing you may create some sort of plugins.

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 6:25 pm
by WithHisStripes
I don't understand your question...

Why would I not store non-PHP? I'm not not, haha. I have my page content. And then I have a couple PHP snippets and modules that I'd like to appear within that content.

Does that make sense?

Thanks again for your help!

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 7:07 pm
by kaisellgren
WithHisStripes wrote: I don't understand your question...

Why would I not store non-PHP? I'm not not, haha. I have my page content. And then I have a couple PHP snippets and modules that I'd like to appear within that content.

Does that make sense?

Thanks again for your help!
Why don't you keep the modules in separate .php files instead of putting the modules into the database?

If you have a textarea where you type PHP code to make it appear on your site, then it's not a CMS -- it's more like an online PHP notepad that allows you to quickly change your PHP code... in this case you could directly modify the files instead of fetching static PHP code from the database.

Re: Executing PHP that is stored in a MySQL record

Posted: Mon Dec 22, 2008 7:16 pm
by WithHisStripes
Well, I suppose I should note that on my website, yes, that's basically what it would be. But I replicate what I build on my site on my clients' sites. So let's assume we're working on my client's site:

Yes I would put the PHP in a separate file. But then that file would still need to be included on my page. And let's say it was a contact form and it had to appear right in the middle of their content. So then the only way - that I am aware of - would be to place an include snippet there calling the file. But even that still is disabled by MySQL, right?

Re: Executing PHP that is stored in a MySQL record

Posted: Wed Dec 24, 2008 7:04 am
by kaisellgren
WithHisStripes wrote: Well, I suppose I should note that on my website, yes, that's basically what it would be. But I replicate what I build on my site on my clients' sites. So let's assume we're working on my client's site:

Yes I would put the PHP in a separate file. But then that file would still need to be included on my page. And let's say it was a contact form and it had to appear right in the middle of their content. So then the only way - that I am aware of - would be to place an include snippet there calling the file. But even that still is disabled by MySQL, right?
Sorry I did not understand what you were asking for.

Yes you would just include/read/output buffer the contact form from a file and display it in the website anywhere you wish. I'm not sure what you meant when you said it's still disabled by MySQL.
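
The approach described in the replies above (plain content in the record, modules kept in separate .php files and pulled in with include and output buffering), as an added example that is not part of the original thread. The {{module:name}} token syntax, the module name and the temp directory are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added example. The {{module:name}} token syntax, the module names and the
// temp directory are assumptions made for this sketch, not from the thread.

// Constructed module file: in a real CMS this is a .php file on disk that
// only developers can change, never text typed into the admin form.
$dir = sys_get_temp_dir() . '/cms-modules-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents(
    "$dir/contact-form.php",
    '<form method="post" action="/contact"><?php echo "<!-- rendered " . date("Y") . " -->"; ?></form>'
);

// Allow-list: the only names a record may reference, mapped to fixed paths.
$modules = ['contact-form' => "$dir/contact-form.php"];

// Run one allow-listed module and capture its output with output buffering.
function render_module(string $name, array $modules): string
{
    if (!isset($modules[$name])) {
        return '<!-- unknown module -->';   // record asked for something not on the list
    }
    ob_start();
    include $modules[$name];                // path comes from the allow-list, not the record
    return (string) ob_get_clean();
}

// Treat the stored record as data: no eval(), no include of its contents.
function render_page(string $stored, array $modules): string
{
    $inert = str_replace('<?', '&lt;?', $stored);   // PHP tags in a record print as text
    return preg_replace_callback(
        '/\{\{module:([a-z0-9-]+)\}\}/',
        fn (array $m): string => render_module($m[1], $modules),
        $inert
    ) ?? $inert;
}

// Constructed record, as it would come back from MySQL.
$record = "<p>This is a test.</p>\n{{module:contact-form}}\n"
        . "<p>This is the rest of my text.</p>\n<?php echo 'injected'; ?>\n{{module:nope}}";

echo render_page($record, $modules), "\n";
```

Whoever can edit the record can place a module in the page but cannot choose what code runs: the form is rendered, the unknown token becomes a comment, and the PHP tag in the record is printed as text.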

Re: Executing PHP that is stored in a MySQL record

Posted: Wed Dec 24, 2008 11:31 am
by WithHisStripes
Ah, okay so if I stored this:

Code:

<p>This is a test.</p>
<?php include('example-module.php'); ?>
<p>This is the rest of my text.</p>

Then MySQL will process and execute that?

Re: Executing PHP that is stored in a MySQL record

Posted: Wed Dec 24, 2008 12:02 pm
by Syntac
MySQL won't do anything, it'll just store the text.

Anyway, this is a massive security vulnerability. Don't do it.

Re: Executing PHP that is stored in a MySQL record

Posted: Wed Dec 24, 2008 12:18 pm
by kaisellgren
Syntac wrote: MySQL won't do anything, it'll just store the text.

Anyway, this is a massive security vulnerability. Don't do it.
Yep, and in addition to that, you should learn some more PHP before proceeding with your project -- just a suggestion. You make the move.

Re: Executing PHP that is stored in a MySQL record

Posted: Wed Dec 24, 2008 12:30 pm
by WithHisStripes
Hey kaisellgren, thanks for the feedback. I guess I just don't understand what makes executing PHP from a record a security risk if the only way to insert a record is password protected either using CPanel or an administrator login module.

And as for learning more PHP, can you be more specific? I don't take offense to that - I have zero formal education and I've learned everything I know from helpful folks like you and tutorials. So I'd love to hear where you think I need to have a better understanding?

Thanks!