I want to safely store PHP and HTML in MySQL, then use eval() to run the code when it's called from the database.
To accomplish this, I used mysql_real_escape_string and htmlspecialchars on data going into the database, then htmlspecialchars_decode and stripslashes on the data coming out, before using eval().
The problem I have encountered is that carriage returns and new lines get converted to \r and \n going in, but coming out, the slashes are stripped, leaving the r's and n's as text.
I must be approaching this the wrong way. Can someone point me in the right direction?
Storing HTML and PHP in MySQL
Re: Storing HTML and PHP in MySQL
rhecker wrote: I must be approaching this the wrong way

Probably - there is almost never a good reason to store PHP code in a database and run it with eval().
If you could explain your requirements, maybe someone could offer a better solution. Why aren't you using include() / require() to include scripts?
- AbraCadaver
Re: Storing HTML and PHP in MySQL
rhecker wrote: I want to safely store PHP and HTML in MySQL, then use eval() to run the code when it's called from the database.
To accomplish this, I used mysql_real_escape_string and htmlspecialchars on data going into the database, then htmlspecialchars_decode and stripslashes on the data coming out, before using eval().
The problem I have encountered is that carriage returns and new lines get converted to \r and \n going in, but coming out, the slashes are stripped, leaving the r's and n's as text.
I must be approaching this the wrong way. Can someone point me in the right direction?

Don't use stripslashes() coming out.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Re: Storing HTML and PHP in MySQL
Not using stripslashes coming out leaves the slashes in, so that's not a solution.
I wonder what the argument is against using eval(). I realize the code could be put in includes.
Here's the code for my little test app.
Code:
<?php
$start2 = $start3 = '';
if (!empty($_POST['start'])) {
    foreach ($_POST as $k => $v) {
        $v = htmlspecialchars($v);
        $v = mysql_real_escape_string($v);   // needs an open mysql_* connection
        $_POST[$k] = $v;
    }
    extract($_POST);
    $start2 = $start;                          // escaped only ("no cleanup")
    $start3 = htmlspecialchars_decode($start);
    $start3 = stripslashes($start3);           // "with cleanup": this is what turns \n into n
}
?>
<form action="#" method="post">
<p>Start<br/>
<textarea name="start" cols="30" rows="5"></textarea></p>
<p>No cleanup<br/>
<textarea name="2" cols="30" rows="5"><?php echo $start2 ?></textarea></p>
<p><?php echo $start2 ?></p>
<p>With cleanup<br/>
<textarea name="3" cols="30" rows="5"><?php echo $start3 ?></textarea></p>
<p><?php echo $start3 ?></p>
<input name="submit" type="submit" value="submit" />
</form>
Re: Storing HTML and PHP in MySQL
It depends on what you are using eval() for - if it's for code generated by a user, you have a major security hazard on your hands. If it's for your own code - it really complicates development. It is much easier to work with files instead of a database. How do you edit your code? You can't use an IDE or text editor directly on it, so do you edit it through a database GUI?
- AbraCadaver
Re: Storing HTML and PHP in MySQL
rhecker wrote: Not using stripslashes coming out leaves the slashes in, so that's not a solution.

No, not unless you are adding them with something other than mysql_real_escape_string. magic_quotes maybe?
If you insert mysql_real_escape_string("What's up?") into your db, then select it from your db and echo it, you'll get What's up? not What\'s up? unless magic_quotes_runtime is enabled (doubtful).
Re: Storing HTML and PHP in MySQL
Regarding stripslashes, you can run the code I provided above, take out stripslashes and see what happens.
Here is the reason I am interested in using eval():
I want to have websites that have a single "page," so that the page_id and other variables determine what is sent to that one index.php page. Then the CMS is used to determine what content will fill the page. Rather than having includes that are relevant to just a single page instance, it seemed easier to manage to just put the code right in the content stored in the database. Of course in instances where the code would be used in more than one place, an include or a function would make better sense.
Users would never enter PHP although administrators would be able to enter HTML through a secure section.
- AbraCadaver
Re: Storing HTML and PHP in MySQL
Your code is not accurate because your server is escaping the posted data, a la my statement about magic_quotes. You need to remove the slashes from the post array. I hadn't really looked at your code to see that it has nothing to do with mysql yet, but here is a working example:
The slashes that you see in $start2 will not be inserted into the db. It is only used to escape the quote to allow it to be inserted.
Also, there is no reason to use htmlentities() to store in the db. Use htmlentities() to display data if you want to ensure that malicious HTML/CSS/JS etc. isn't rendered.
Code:
<?php
$start2 = $start3 = '';
if (!empty($_POST['start'])) {
    // undo the server's own magic_quotes escaping before escaping for MySQL
    if (get_magic_quotes_gpc()) {
        $_POST = array_map('stripslashes', $_POST);
    }
    $_POST = array_map('mysql_real_escape_string', $_POST);  // needs an open mysql_* connection
    $start2 = $_POST['start'];   // what gets put into the SQL statement; the db stores it unescaped
    // don't do this:
    $start3 = stripslashes($start2);
}
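The round trip AbraCadaver describes, as an added example that is not code from this thread: it emulates what mysql_real_escape_string() does to a newline (the real function needs a live connection, so the emulation is an assumption for this demo), shows that stripslashes() on the escaped string is what turns \r\n into the letters r and n, and then stores and reads back the same input through a PDO prepared statement (SQLite in memory so it runs offline; the same calls work with PDO_MySQL), escaping for HTML only at display time. The table name and helper name are assumptions.

```php
<?php
// Added example (not from the thread). Shows why stripslashes() on the way
// out corrupts newlines, and the round trip that needs no stripslashes at all.

// Emulates mysql_real_escape_string() on a string (assumption: re-implemented
// here only because the real function requires an open MySQL connection).
function emulate_mysql_real_escape_string(string $s): string {
    return strtr($s, [
        "\0" => '\0', "\n" => '\n', "\r" => '\r',
        '\\' => '\\\\', "'" => "\'", '"' => '\"', "\x1a" => '\Z',
    ]);
}

$input = "Line one\r\nLine <b>two</b> it's";   // constructed sample input

// The poster's pipeline, without ever reaching the database:
$escaped  = emulate_mysql_real_escape_string($input);  // Line one\r\nLine ... it\'s
$stripped = stripslashes($escaped);                     // Line onernLine ... it's
// The newline became the letters "r" and "n": stripslashes() removed the
// backslashes that escaping added, but escaping is for the SQL statement text,
// not for the stored value, so it should never be undone on the data itself.

// Correct round trip: prepared statement, no manual escaping, no stripslashes;
// htmlspecialchars() only when the value is displayed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE content (page_id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$ins = $pdo->prepare('INSERT INTO content (page_id, body) VALUES (:id, :body)');
$ins->execute([':id' => 1, ':body' => $input]);

$sel = $pdo->prepare('SELECT body FROM content WHERE page_id = :id');
$sel->execute([':id' => 1]);
$stored = $sel->fetchColumn();

var_dump($stored === $input);        // bool(true): newline and quote intact, no slashes
var_dump(strpos($stripped, "\r\n")); // bool(false): the poster's bug reproduced

// Escape at the output boundary only, when the body is shown as text:
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```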