Reputation: 182
I am currently making a website where I'm storing all of my HTML-based pages in a mysqli database, and I came to this problem where I couldn't execute my PHP code by using echo. So I found this solution where I had to use eval(); in order for my PHP code to run. I heard it could be really dangerous if you do not validate it correctly.
$firstname = htmlspecialchars($mysqli->real_escape_string($row['firstname']));
So far this is how I have been validating it; would this be secure enough?
Note: that line of code is used when I request the information from the database, to be displayed on the page.
I'm sorry if I haven't explained myself well enough, I'm still new to this. :)
This is how I get my pages from the database.
<?php
if (isset($_GET["page"]) && $_GET["page"] != null) {
    // The request value is interpolated straight into the SQL text.
    $query = "SELECT * FROM pages WHERE pagename = '$_GET[page]'";
    $result = $mysqli->query($query);
    while ($row = $result->fetch_array(MYSQLI_ASSOC)) {
        $pagetitle = $row["pagetitle"];
        $pagename = $row["pagename"];
        $pagecontent = $row["pagecontent"];
    }
} else {
    // Default page when no "page" parameter is given.
    $query = "SELECT * FROM pages WHERE pagename = 'index.php'";
    $result = $mysqli->query($query);
    while ($row = $result->fetch_array(MYSQLI_ASSOC)) {
        $pagetitle = $row["pagetitle"];
        $pagename = $row["pagename"];
        $pagecontent = $row["pagecontent"];
    }
}
?>
Upvotes: 0
Views: 655
Reputation: 1815
I'd just like to say that you're doing two things here that are generally considered bad practice.
Both of these are bad ideas and will almost certainly bite you in the ass at some point.
What is it that you're trying to do?
Upvotes: 1
Reputation: 51
real_escape_string simply removes any characters that might be used for SQL injection. If you execute user input as PHP code, you give your users the same possibilities you have in your PHP scripts, including running system commands to remove all files from your server, for example.
You don't want to be doing this. That particular case you are mentioning: can you elaborate on that? There is probably a better solution to your problem.
Upvotes: 2
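Added example, not code from the question or from either answer: the page lookup from the question rewritten with a prepared statement (so the "page" parameter can no longer alter the SQL), and the stored page rendered as a template with escaped placeholder substitution instead of eval(), which addresses the point the second answer makes about handing users the same power as your own PHP scripts. It also shows why stacking real_escape_string and htmlspecialchars, as in the question's validation line, is the wrong tool: each escaper is for one output context (SQL text or HTML), and the value should be escaped only for the context it is actually written into. The pages table and its three columns come from the question; the connection details, the {{name}} placeholder syntax, the render_page function and the $user array are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Connection details are placeholders.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$mysqli->set_charset('utf8mb4');

// 1. Page lookup with a bound parameter. The value from the query string is sent
//    to the server separately from the SQL text, so it can never change the query.
$page = (isset($_GET['page']) && $_GET['page'] !== '') ? (string) $_GET['page'] : 'index.php';

$stmt = $mysqli->prepare(
    'SELECT pagetitle, pagename, pagecontent FROM pages WHERE pagename = ? LIMIT 1'
);
$stmt->bind_param('s', $page);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
$stmt->close();

if ($row === null) {
    http_response_code(404);
    exit('Page not found');
}

// 2. Render the stored page as a template. Only {{name}} placeholders are replaced,
//    each replacement is HTML-escaped, and nothing in the stored text is run as PHP.
//    (The {{name}} syntax is an assumption made for this example.)
function render_page(string $template, array $values): string
{
    $out = preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $m) use ($values): string {
            // Unknown placeholders render as empty rather than leaking the raw tag.
            $value = $values[$m[1]] ?? '';
            // Escape for the HTML context. real_escape_string is for SQL text only
            // and would do nothing useful here.
            return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
    return $out ?? '';
}

// Constructed sample data standing in for the "firstname" value from the question;
// in the real site this would come from the session or a second prepared query.
$user = ['firstname' => 'O\'Brien <script>alert(1)</script>'];

$title = htmlspecialchars((string) $row['pagetitle'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
$body  = render_page((string) $row['pagecontent'], ['firstname' => $user['firstname']]);

echo "<!doctype html>\n<html><head><title>{$title}</title></head><body>\n{$body}\n</body></html>";
```

With a stored pagecontent of `<p>Hello, {{firstname}}!</p>`, the constructed sample name is written out as inert text (`O&#039;Brien &lt;script&gt;...`), so neither the stored page nor the substituted value can run as script or as PHP. If a page genuinely needs logic rather than just data, keep that logic in a PHP file on disk and store only the page key and its data in the database; that is the direction both answers are pointing in.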