ansaurus

Question

How to inject php code from database into php script ?

Answer 1

A:

you could save it to a temporary file like temp.file and then do an include('temp.file');

Rixius 2010-06-14 14:04:55

This can work too, thank you.In my case oezi solution is more adapted

luxquarta 2010-06-14 14:30:51

welcome, I'm not going to argue against `eval` in a secure enviroment, but I will look for and suggest non-eval options.

Rixius 2010-06-14 18:08:03

Answer 2

+3 A:

take a look at eval() - this is what you are looking for (but i agree with phill, this sounds like bad practice)

EDIT: just seen that you know eval - so why don't you do this:

eval('$string = "'.load_data_from_db().'";');

(haven't tested this, but i'm almost sure it works)

oezi 2010-06-14 14:07:57

Because hum... I was making a typo and couldn't get it working :pThank you very much :)

luxquarta 2010-06-14 14:29:52

Answer 3

A:

A database is used to store data NOT code. You should make your code dynamic to read data from the database/user input but storing code in a database is not recommended.

Why not store the value "lux" in a database table.

Try it this way:

class A {
    private $name;

    public function getName() {
        return $this->name;
    }

    public function setName($name) {
        $this->name = $name;
    }
}
// Query DB
// Don't know your query so just using what you have
$passed_name = load_data_from_db(); // This would return "lux"

// instantiates a new A
$a = new A();
$a->setName($passed_name);
echo "hello ".$a->getName().", how are you ?<br />\n";

Phill Pafford 2010-06-14 14:13:25

Thank you. In fact in my case php code IS data so I've got to store it inside my database. It needs to be dynamic so I can inject inside this "code template" any data from my php execution environment.

luxquarta 2010-06-14 14:33:12

hmm if the data is CODE, then why do you need to execute it?

Phill Pafford 2010-06-14 14:50:22

Phill, I just have answered you on the main comments

luxquarta 2010-06-14 17:46:42

Answer 4

+3 A:

Seems like you are trying to do something like multilanguage strings.

There is a one nifty approach using sprintf

Inside DB you put

"hello %s, how are you ?"

and in your php code you do

$string = load_data_from_db();
echo sprintf($string,$a->getName()); // replaces %s with the function value.

the changing part ($a->getName()) should come from database too but with separate query (maybe in class A)

Imre L 2010-06-14 14:19:44

Thanks for your solution.It works in the example I gave but in my real case it doesn't because I've got unknown placeholders in an unknown order. I should have been more precise. The solution shoud be completely dynamic and inject anything from my current execution environment

luxquarta 2010-06-14 14:34:56

ansaurus

tags:

views:

answers:

How to inject php code from database into php script ?

related questions