Getting PHP code from MySQL and running it.

I am getting php content from a MySQL database and for some reason when I try to echo it after I get it from the database, the PHP isn't processed.

How do I make it so that the PHP is processed?

Here is the relevant code:
PHP:
require_once(BASE_URL.'includes/admin/core.admin.class.php');
$admin = new admin($_GET['page']);
echo $admin->page_info['content']['page_content'];
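Relevant excerpt from 'includes/admin/core.admin.class.php':
PHP:
// Constructor of class admin
public function __construct($page_id) {
    // Escape the request-supplied id before it goes into the query string
    $page_id = mysql_real_escape_string($page_id);
    $sql = "SELECT * FROM ".DBTABLEPREFIX."admin_content WHERE id = '$page_id'";
    $content = mysql_query($sql) or die(mysql_error());
    while ($row = mysql_fetch_array($content)) {
        // Store on the object itself ($this), not on an undefined $admin variable
        $this->page_info['content']['page_content'] = stripslashes($row['content']);
    }
}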
thanks so much.
 
•••
Executing PHP retrieved from a database is a very bad idea and poses many security problems.

However, if you are sure you want to do it, you need to run it through eval();
 
•••
Okay, that works well for something that is completely PHP, but my string is something like:
PHP:
<strong>asdfsaf</strong>
<?php echo 'hi' ?>
That is a great oversimplification but you get my point.

Yes, I know it is very bad but there is zero user input going anywhere near that table (is there another reason I am not aware of?).
 
•••
alecgorge said:
Yes, I know it is very bad but there is zero user input going anywhere near that table (is there another reason I am not aware of?).

If you are on shared hosting someone could easily access your database. All they would need to do is iterate through your folders and check the content of the folders until they find database connection details. Once they have these connection details they can do what they please in your DB.

This is why anything retrieved from a database should be validated just as if it were from a third party.
 
•••
Okay, thanks for the tip, but is there a solution to my problem?
 
•••
If you have HTML and PHP mixed in, you'd have to do some regexp matching with <?php and ?>, and then use the eval() function on that. You can just directly echo the non-PHP parts.

I kinda suck at regexps so I can't give you the actual expression, but I know that it would involve preg_match_all and a few foreach loops lol.
 
•••
hmmm, maybe I'll try to think of another solution because that seems like too much effort for my purpose.
 
•••
Peter said:
If you are on shared hosting someone could easily access your database. All they would need to do is iterate through your folders and check the content of the folders until they find database connection details.

That depends on whether your web host has a clue what they are doing. Many do and provide secure shared hosting.

Anyway - security aside - to answer the OP.

You could get the PHP from the database, write it to a temporary file, then include the file in your PHP script, then delete the temporary file. Depending on how your web host has set up PHP, this may or may not work.

See:

http://uk3.php.net/tempnam
http://uk3.php.net/file_put_contents
http://uk3.php.net/unlink
 
•••
qbert220 said:
That depends on whether your web host has a clue what they are doing. Many do and provide secure shared hosting.

Ahh, you are talking about open basedir restrictions and other PHP configurations like that. Could always write the code in Perl to get this same information that is not restricted by the PHP configuration.
 
•••
Peter said:
Ahh you are talking about open basedir restrictions and other PHP configurations like that.

No - that won't secure a server. You need to restrict file permissions so that only the account owner can access their own files. This is all off topic, so if you want to discuss further I suggest starting a new thread and/or PMing me rather than polluting this thread. My apologies to the OP.
 
•••
hmm, I think I will come up with another method, thanks for the heads up.
 
•••
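An added example, not written by any poster in this thread: one alternative to eval() for the mixed HTML/PHP content discussed above is to store placeholder tokens instead of PHP and expand only an allow-listed set of them, treating the row as untrusted input. The `{{token}}` syntax, `render_stored_content()` and the handler names are assumptions made for this example.

```php
<?php
// Added example (not from the thread): expand allow-listed {{tokens}}
// in database-stored content instead of passing the content to eval().
/**
 * @param string $stored   page content read from the database (untrusted)
 * @param array  $handlers token name => callable returning a string
 */
function render_stored_content($stored, array $handlers)
{
    // Stored content is never executed, so a PHP open tag means the row
    // is a legacy page or has been tampered with: reject it outright.
    if (strpos($stored, '<?') !== false) {
        throw new RuntimeException('PHP open tag in stored content');
    }

    return preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        function ($m) use ($handlers) {
            $name = strtolower($m[1]);
            // Unknown token: emit it literally; known token: call its handler
            $out = isset($handlers[$name])
                ? (string) call_user_func($handlers[$name])
                : $m[0];
            // Either way the result is data, so escape it for HTML
            return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
        },
        $stored
    );
}

// Hypothetical allow-list: the only code stored content can trigger
$handlers = array(
    'greeting' => function () { return 'hi'; },
    'year'     => function () { return date('Y'); },
);

// Constructed sample rows, modelled on the snippet posted in the thread
$rows = array(
    "<strong>asdfsaf</strong>\n{{greeting}} {{ not_registered }}",
    "<strong>asdfsaf</strong>\n<?php echo 'hi' ?>",
);

foreach ($rows as $row) {
    try {
        echo render_stored_content($row, $handlers), "\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The stored markup itself is still emitted as HTML, so write access to the table can still alter what the page displays; what this removes is server-side code execution driven by the row.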