CODEWITHSUNDEEP
phphtmlmysqlsql
Andy Bitz
Andy Bitz

Reputation: 53

Use PHP code that is saved in a database

I have this code:

<!DOCTYPE html>
<html>
    <?php require_once('./module/mod_head.php'); ?>
<body>
    <?php require_once('./core/imp/navbar.inc.php'); ?>

    <div class="container" style="margin-bottom: 50px;">
        <?php include('./module/mod_preview.php'); ?>
    </div>

    <div class="container-fluid">
        <?php include_once('./module/mod_block_whoami.php') ?>

        <div class="collapse" id="summaryId">
            <?php include_once('./module/mod_block_summary.php'); ?>
        </div>
    </div>

    <?php require_once('./core/imp/footer.inc.php'); ?>
</body>
</html>

Now this code is saved in a database.

The problem is I want that code to be used as it would be the only code in my index.php file.

But as I said before it is saved in a database and to get that code I need to use php and then the code will be saved in an php variable and echoing that would be like:

<?php echo "<html><?php echo "<morehtml>blablabla</morehtml>"; ?></html>"; ?>

I thought of creating a temporary file that gets overwritten whith the code and then included by the index.php file or whatever file needs to get code from the database.

However I don't know if that is a good idea or if there are any better ways to get php code from an MySQL database and using it.

Upvotes: 0

Views: 62

Answers (2)

Александр Петров
Александр Петров

Reputation: 26

If you want to use php code from database, try eval (Evaluate a string as PHP code). 

$sting // your variable with the data from the DB
<?=eval('?>' . $sting . '<?') ?>

But this is dangerous, from documentation:

"The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand."

Upvotes: 1

O. Jones
O. Jones

Reputation: 108686

PHP offers the eval($string) function. It runs the code in the string you pass it. So, it would be a simple matter to read code from a MySQL database and run it.

But, is this a good idea? Many people don't think so, because it makes it easy for a badguy to pwn your application.

Upvotes: 1

Related Questions