How do I execute PHP that is stored in a MySQL database?

Question

I'm trying to write a page that calls PHP that's stored in a MySQL database. The page that is stored in the MySQL database contains PHP (and HTML) code which I want to run on page load.

How could I go about doing this?

Answer 1

How I did this is to have a field in the database that identified something unique about the block of code needing to be executed. That one word is in the file name of that code. I put the strings together to point to the php file to be included. example:

$lookFor = $row['page'];

include("resources/" . $lookFor . "Codebase.php");

In this way even if a hacker could access you DB he couldn't put malicious code straight in there to be executed. He could perhaps change the reference word, but unless he could actually put a file directly onto the server it would do him no good. If he could put files directly onto the server, you're sunk then anyway if he really wants to be nasty. Just my two cents worth.

And yes, there are reasons you would want to execute stored code, but there are cons.

Answer 2

You can use the eval command for this. I would recommend against this though, because there's a lot of pitfalls using this approach. Debugging is hard(er), it implies some security risks (bad content in the DB gets executed, uh oh).

See When is eval evil in php? for instance. Google for Eval is Evil, and you'll find a lot of examples why you should find another solution.

Addition: Another good article with some references to exploits is this blogpost. Refers to past vBulletin and phpMyAdmin exploits which were caused by improper Eval usage.

Answer 3

Read php code from database and save to file with unique name and then include file this easy way for run php code and debug it.

$uniqid="tmp/".date("d-m-Y h-i-s").'_'.$Title."_".uniqid().".php";    
$file = fopen($uniqid,"w");
fwrite($file,"<?php \r\n ".$R['Body']);
fclose($file);                          
// eval($R['Body']);
include $uniqid;

Answer 4

Easy:

$x // your variable with the data from the DB
<?php echo eval("?>".$x."<?") ?>

Let me know, works great for me in MANY applications, can't help but notice that everyone is quick to say how bad it is, but slow to actually help out with a straight answer...

Answer 5

Have you considered using your Source Control system to store different forks for the various installations (and the modules that differ among them)? That would be one of several best practices for application configuration I can think of. Yours is not an unusual requirement, so it's a problem that's been solved by others in the past; and storing code in a database is one I think you'd have a hard time finding reference to, or being advised as a best practice.

Good thing you posted the clarification. You've probably unintentionally posed an answer in search of a suitable question.

Answer 6

eval() function was covered in other responses here. I agree you should limit use of eval unless it is absolutely needed. Instead of having PHP code in db you could have just a class name that has method called, say, execute(). Whenever you need to run your custom PHP code just instantiate the class of name you just fetched from db and run ->execute() on it. It is much cleaner solution and gives you great field of flexibility and improves site security significantly.

Answer 7

You can look at the eval function in PHP. It allows you to run arbitrary PHP code. It can be a huge security risk, though, and is best avoided.