views: 166

answers: 6

Hi all, In my CMS I've added this code <div><?php include("my_contact_form.php") ?></div> which updates to a db. I can see it there OK.

I have this php code in my display page after the db call:

$content = $row['content'];

when I echo $content inside the body this is displayed in the HTML source:

<div><?php include("my_contact_form.php") ?></div>

How could this possibly be? Why wouldn't it show my contact form? If anyone has any suggestions I would be extremely grateful. Cheers.

+2  A: 

You're echoing $content, that just prints out the value, but it doesn't execute any PHP within it.

MiffTheFox
Thanks Miff. How should I call this to display $content then? Thanks
John
+11  A: 

It sounds like you are storing the PHP code in the database and expecting it to be executed when you echo it. This won't happen: as far as the PHP interpreter is concerned it's just text (not PHP code), so it will just echo it.

You can force PHP to interpret (/run) the code in your string with the eval() function, but that comes with a large number of security warnings.

Storing code in the database is rarely the right solution.

Brenton Alker
+1 for pointing out that eval() on user-generated content is probably the single most stupid thing you can do
iAn
Ultimately, you're going to have to hack the code of the CMS itself a little. Or there may possibly be an option in your CMS' config somewhere, to execute PHP code in the field you're storing it in?
@iAn - it appears that he's doing this as the user of a CMS. Hence, the eval() is not being executed on text entered by any random user, rather, the site editor or admin. Still security issues, but nowhere near as bad as doing this for data from a public web form, etc.
Yes I'm the super-admin and will be overseeing a couple of other "office staff" = no code monkeys! Also I've built this simple CMS using tinymce/mysql. But one of the pages is to be contact page, hence the need to include code to deal with the form and validation.
John
A: 

Use <?php include("my_contact_form.php"); ?> without the <div>...</div> tag.

Please notice that I include a semicolon (;) after the closing parenthesis.

Tareq
+3  A: 

The simple solution is to run eval() on your content.

$content = $row['content'];

eval("?>".$content."<?php");

The closing PHP tag and opening PHP tag allow you to embed HTML and PHP into the eval() statement.

About the choice of storing your PHP and the DB vs Files.

Assuming your goal is to have PHP that can be edited by admins from an interface, and executed by your server, you have two choices:

  • Write the PHP to files, and include or exec() the files.
  • Write the PHP to the DB, and exec() or cache the content to files and include().

If you're on a dedicated or VPS server, then writing to files is the best choice. However, if you're on a shared hosting system, then writing to DB is actually the safer choice. However, this comes with the task that you must use a very safe system for querying the database, to eliminate all SQL injection possibility.

The reason the DB is safer in a shared environment is due to the fact that you'll need write access for the PHP process to the PHP files. Unfortunately, on "every" shared hosting setup, the same PHP user runs on each account and thus has write access to the same PHP files. So a malicious user just has to sign up for hosting and land on the same physical machine as you, or exploit a different account to gain access to yours.

With saving the PHP in mysql, PHP cannot write to the mysql files since it doesn't have the privileges. So you end up with more secure code, if you eliminate the possibility of SQL injection. Note that if you have an SQL injection vulnerability with write ability, then you have also opened a remote code execution vulnerability.


Edit:

Sorry the correct syntax is:

eval("\r\n?>\r\n ".$content."\r\n<?php\r\n");

That's been tested quite intensively to work on every PHP configuration/setup.

bucabay
Thanks for this - simple solutions are the best for me! Thanks for the extra info too. Sadly eval() as you suggest it didn't work for me here.So, plan C, I've decided to create a selectable tinymce template that has an iframe which calls the contact_form page and all the processing happens in the iframe. This works. Thanks everyone!
John
@John, see the updated syntax. That should work for any PHP code.
bucabay
Thanks - that's it!!! Brilliant, cheers.
John
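An added example (not code from the answer above or from John's CMS) showing the two behaviours the thread turns on: echo prints a stored "<?php ... ?>" string verbatim, while eval() prefixed with a closing tag runs it as a mixed HTML/PHP template. The row content, the temp file standing in for my_contact_form.php, and the helper name run_stored_php are constructed for this example. It inherits the risk the thread discusses: whoever can write that database row can run arbitrary PHP on the server.

```php
<?php
// Added example, not from the original page. Demonstrates the eval("?>...<?php")
// technique from bucabay's answer on a constructed database row.
declare(strict_types=1);

// Run a string that may contain both HTML and PHP, returning whatever it prints.
// eval() starts in PHP mode, so the leading "?>" switches to literal output for the
// HTML part; the trailing "<?php" re-enters PHP mode and must be followed by
// whitespace (here a newline), which is why the bare "<?php" variant fails to parse.
function run_stored_php(string $content): string
{
    ob_start();
    try {
        eval("?>\n" . $content . "\n<?php\n");
    } catch (\Throwable $e) {
        ob_end_clean();   // do not leave a dangling output buffer on a parse/runtime error
        throw $e;
    }
    return ob_get_clean();
}

// Constructed stand-in for my_contact_form.php so the example runs offline.
$formFile = tempnam(sys_get_temp_dir(), 'form');
file_put_contents($formFile, '<form method="post"><input name="email"></form>');

// Constructed stand-in for $row = ... fetched from the CMS table.
$row = ['content' => '<div><?php include(' . var_export($formFile, true) . '); ?></div>'];
$content = $row['content'];

// 1. echo: the PHP tags are just bytes in a string, so they come out unchanged
//    (in a browser the HTML source shows them, exactly as the question describes).
echo $content, "\n";

// 2. eval() with the closing-tag trick: the string is compiled as a template,
//    the include runs, and the form's HTML is what gets printed.
echo run_stored_php($content), "\n";

unlink($formFile);
```

Note that eval() inside a function sees only that function's scope, so any variables the stored template expects ($row, a database handle, etc.) must be passed in or made global explicitly; calling eval() at top level, as in the answer, avoids that but puts every stored template in the same namespace as the display page.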
+1  A: 

If you're using an existing CMS, like Joomla, Drupal, etc.
The CMS is handling the text from the DB as what it is - text. It won't execute the text, it's probably just pulling it as a string from the DB and echoing it onto the page. See Brenton Alker's answer for a better explanation.

If possible, it would be better to work within the functionality of the CMS, and avoid hacking your CMS's source to use eval(). Depending which CMS you're using, there may be a feature (ie: a button in your editor, or similar) to include code from another file.

Or perhaps there's a feature to create "objects", "modules", whatever-they-wanted-to-call-them, which would allow you to place the code (as HTML) that you're trying to include into an "object", stored in the DB, allowing you to include it in numerous pages. This would attain the same goals as doing an include() in PHP (code reuse, avoiding duplicates, making changes in one place, etc.) but it would also save you having to hack the CMS or start risking security.

If you've built your own CMS
You may want to build such a feature in. It all depends on your needs, and how important security is.

Ultimately if you use eval(), and if anyone hacks either:

  • Your DB
  • Your CMS's admin interface

then they will be able to execute any PHP code on your server. And if you have exec() enabled in your php.ini (which is not safe), then they will also be able to run any code they want on your server itself... eeek!
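An added example (not from any answer on this page) of the "include code from another file" feature the answer above recommends instead of eval(): the editor stores a placeholder token in the page content, and the display page swaps it for the output of a file picked from a fixed allowlist. The [[include:NAME]] syntax, the CMS_SNIPPETS map, the snippets/ directory and the helper names are all assumptions made for this example. The stored text is never passed to eval(), so a compromised DB row or admin session can at most choose among the files the developer listed.

```php
<?php
// Added example, not from the original page: allowlisted snippet inclusion as an
// alternative to eval() on database content.
declare(strict_types=1);

// Allowlist of snippets an editor may pull in, keyed by the name used in the token.
// Only these paths can ever reach include(), whatever the stored content says.
// (Path and directory layout are assumptions for this example.)
const CMS_SNIPPETS = [
    'contact_form' => __DIR__ . '/snippets/my_contact_form.php',
];

// Capture the output of one allowlisted snippet. Unknown names render as an empty
// string instead of being turned into a path, so "../" or PHP code in the token
// cannot change which file runs.
function render_snippet(string $name, array $snippets = CMS_SNIPPETS): string
{
    if (!array_key_exists($name, $snippets) || !is_file($snippets[$name])) {
        return '';
    }
    ob_start();
    try {
        include $snippets[$name];
    } catch (\Throwable $e) {
        ob_end_clean();
        throw $e;
    }
    return ob_get_clean();
}

// Replace every [[include:NAME]] token in stored content. The regex only admits
// [a-z0-9_], so the token can carry a lookup key, never a path or code.
function render_content(string $content, array $snippets = CMS_SNIPPETS): string
{
    return preg_replace_callback(
        '/\[\[include:([a-z0-9_]+)\]\]/i',
        fn (array $m): string => render_snippet(strtolower($m[1]), $snippets),
        $content
    );
}

// Demo with a constructed snippet file and a constructed stored row.
$dir = sys_get_temp_dir() . '/cms_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/my_contact_form.php', '<form method="post"><input name="email"></form>');
$snippets = ['contact_form' => $dir . '/my_contact_form.php'];

// What TinyMCE would have saved: one valid token and one the allowlist does not know.
$row = ['content' => '<div>[[include:contact_form]]</div><p>[[include:passwd]]</p>'];

// The contact form is inlined where its token was; the unknown token renders as
// nothing, and a stored "<?php ... ?>" string would stay inert text, as with echo.
echo render_content($row['content'], $snippets), "\n";

unlink($dir . '/my_contact_form.php');
rmdir($dir);
```

The form handler itself still lives in a PHP file under version control, which is the answer's point: editors choose where the form appears, developers decide what code exists to run.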
