Database Table company_info

-----------------------------
| companyname | companytype |
-----------------------------
| Company One | Blah        |
-----------------------------
| Company Two | Blah2       |
-----------------------------

Database Table invoice_template

-----------------------------
| Header      | bgcolor     |
-----------------------------
| $company    | Red         |
-----------------------------
| $company    | Biege       |
-----------------------------

PHP file common_include.php

$company = ... //FROM db table company_info field companyname

PHP file invoice.php

include('common_include.php');
$header = ... //FROM db table invoice_template field header
echo "Header is ". $header;
echo "<br/>Company is ". $company; //$company is defined in common_include.php

OUTPUT of invoice.php when the logged-in company is e.g. Company One

Header is $company
Company is Company One

Question: How do I get the $company in the output to be shown as Company One? i.e. How do I get the output from the MySQL DB to be treated as a variable?

+2  A: 

The solution would be eval("echo $header"), although you should NEVER EVER want to resort to such solutions. You should -in my opinion- move all company related data into the database.

Update: You shouldn't put $company in your database. Relational databases should be relational. That means primary keys and foreign keys. Data should then be looked up by its relation. See also how an ORM would work in this situation:

echo $invoice_template->getCompany()->getName();
bouke
Thanks for the answer. I didn't understand why I shouldn't do this? The company data is in the db. the file only populates it into variables , so that the app can access it with an include. Is that risky? Please explain.
abel
And `echo eval($header)` may work, but it doesn't work in my setup, because that variable and others are inside another variable used to display the invoice as a PDF, e.g. the real string is like `$pdfcontent = <<<EOF html...<h1>$header</h1>...more html EOF;`, and I am using TCPDF. The output I now get is eval($company).
abel
As I still discourage you to go this path, it would be something like `$company = 'My Company'; $which = '$company'; eval("\$which = $which;"); echo $which;`
bouke
I am thinking about redesigning my db/code, instead of doing it. Thanks
abel
+1  A: 

You don't want to do this. You're just opening up too many potential vulnerabilities mixing code and data like that - just imagine what happens when an attacker gains access to your database (either directly or through SQL injection) and puts all sorts of crazy PHP code into that column? Using just a single vulnerability like this, an attacker might be able to take over the entire server. What you want is probably a combination of a proper database structure, using joins to query for related information in one go, and maybe a simple text search-and-replace (using str_replace or maybe even preg_replace) to fill text templates with actual data.

tdammers
Thanks. I could replace $company with a pseudo-variable like #company and then preg_replace #company with the current company name.
abel
You can use `$company` as well, just don't feed it to `eval()` or similarly evil constructs. Also, `str_replace()` does the job faster than `preg_replace()`, as long as you don't need anything fancy.
tdammers
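The placeholder approach tdammers describes, written out as an added example (it is not code from the question or from any answer); the two sample rows and the `render_template()` helper are constructed here to stand in for the company_info and invoice_template tables:

```php
<?php
// Added example: fill an invoice template with a placeholder map instead of eval().
// Constructed sample rows standing in for company_info and invoice_template;
// in the real application they come from the database query.
$company_row  = ['companyname' => 'Company One', 'companytype' => 'Blah'];
$template_row = ['Header' => 'Invoice for {company}', 'bgcolor' => 'Red'];

/**
 * Replace {name} placeholders in $template with values from $vars.
 * Only names present in $vars are substituted; any other text in the template,
 * including something that looks like PHP code, stays as inert text.
 * Values are HTML-escaped because the result is embedded in HTML (e.g. for TCPDF),
 * so data from the database can never turn into markup or code.
 */
function render_template(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['{' . $name . '}'] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    // strtr() with an array makes a single pass, so a substituted value is
    // never re-scanned and cannot expand into a second placeholder.
    return strtr($template, $map);
}

$vars = ['company' => $company_row['companyname']];

$header = render_template($template_row['Header'], $vars);
echo "Header is " . $header . "\n";
echo "<br/>Company is " . htmlspecialchars($vars['company'], ENT_QUOTES, 'UTF-8') . "\n";

// A company name that itself contains a placeholder or markup is shown literally,
// not interpreted, which is exactly what eval() or $$header would get wrong.
$tricky = ['company' => '{company} <b>Ltd</b>'];
echo render_template($template_row['Header'], $tricky) . "\n";

// An unknown placeholder is left untouched rather than causing an error,
// which makes a typo in a template row easy to spot in the rendered output.
echo render_template('Background {bgcolor} for {company}', $vars) . "\n";
```

Keep the placeholder syntax distinct from PHP's `$` so a template row copied from an old `$company` cell cannot be mistaken for code by anyone reading it.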
+1  A: 

If $header is set to the literal string value $company, and the variable $company is set to the string Company One, then this should work:

echo "Header is ". $$header; // outputs 'Header is Company One'

However, as others have said, this is not a good idea, particularly for security.

DisgruntledGoat
As I agree this idea is also an ugly one, it wouldn't work like this. $header should then be set to the literal string value `company`. Otherwise PHP throws a notice: 'Undefined variable $company'. This should work: `$header = substr($header,1); $header=$$header; echo $header;`. Still, this is as ugly as `eval()`.
bouke