views: 2221

answers: 8

I'm trying to write a page that calls PHP that's stored in a MySQL database. The page that is stored in the MySQL database contains PHP (and HTML) code which I want to run on page load.

How could I go about doing this?

+2  A: 

You can look at the eval function in PHP. It allows you to run arbitrary PHP code. It can be a huge security risk, though, and is best avoided.

Vegard Larsen
+18  A: 

You can use the eval command for this. I would recommend against this though, because there are a lot of pitfalls using this approach. Debugging is hard(er), it implies some security risks (bad content in the DB gets executed, uh oh).

See (blogpost by a random person) Eval is Evil for instance. Google for Eval is Evil, and you'll find a lot of examples why you should find another solution.


Addition: Another good article with some references to exploits is this blogpost. Refers to past vBulletin and phpMyAdmin exploits which were caused by improper Eval usage.

Erik van Brakel
+2  A: 

The eval() function was covered in other responses here. I agree you should limit use of eval unless it is absolutely needed. Instead of having PHP code in the db you could have just a class name that has a method called, say, execute(). Whenever you need to run your custom PHP code, just instantiate the class of the name you just fetched from the db and run ->execute() on it. It is a much cleaner solution and gives you a great field of flexibility and improves site security significantly.

Michał Rudnicki
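
The class-name approach described in this answer, as an added example that is not part of the original post: the value read from the database is used only as a key into a fixed allow-list of classes that implement one interface, so a row can select behaviour but never supply code. The names `PageHandler`, `WelcomeBanner`, `resolveHandler` and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Contract every DB-selectable handler must implement (hypothetical name).
interface PageHandler
{
    public function execute(): string;
}

// A handler that ships with the code base and goes through normal review.
final class WelcomeBanner implements PageHandler
{
    public function execute(): string
    {
        return '<p>Welcome back!</p>';
    }
}

// Allow-list: the only classes a database row is permitted to select.
const ALLOWED_HANDLERS = [
    'WelcomeBanner' => WelcomeBanner::class,
];

// Resolve a key fetched from the database to a handler object.
// The DB value is a lookup key only; it is never evaluated as code
// and never passed to `new` directly.
function resolveHandler(string $keyFromDb): PageHandler
{
    if (!array_key_exists($keyFromDb, ALLOWED_HANDLERS)) {
        throw new InvalidArgumentException('Unknown handler key');
    }
    $class = ALLOWED_HANDLERS[$keyFromDb];
    return new $class();
}

// Constructed sample values standing in for a "handler" column read from MySQL:
// one valid key, one existing class that is not a handler, one code string.
$rows = ['WelcomeBanner', 'DateTime', "echo 'injected';"];

foreach ($rows as $key) {
    try {
        echo resolveHandler($key)->execute(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // A tampered or mistyped row is rejected and logged, not executed.
        error_log('Rejected handler key: ' . json_encode($key));
    }
}
```

Only the first row produces output; the other two are logged as rejected, which is the difference from passing the column to `eval()` or straight to `new`.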
+9  A: 

Maybe you should ask yourself why you need code to be stored in your DB in the first place.

I would take this to be a sign that I needed to rethink that bit of my architecture.

There are some very large security pitfalls associated with your approach. Given that you can't verify that the PHP code you're about to execute is genuine, SQL injection suddenly becomes a huge concern.

erlando
+3  A: 

@erlando,

Every time I've seen a question like this, the asker is almost always stuck with some punishing release process wherein data changes are relatively easy to get through the system, but code changes are almost impossible. So they solve the problem by turning the code into data.

Brad Wilson
+1  A: 

Have you considered using your Source Control system to store different forks for the various installations (and the modules that differ among them)? That would be one of several best practices for application configuration I can think of. Yours is not an unusual requirement, so it's a problem that's been solved by others in the past; and storing code in a database is one I think you'd have a hard time finding reference to, or being advised as a best practice.

Good thing you posted the clarification. You've probably unintentionally posed an answer in search of a suitable question.

le dorfier
A: 

Easy:

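    <?php
    // $x: your variable with the data from the DB
    // "?>" leaves PHP mode so $x is parsed as mixed HTML/PHP;
    // the trailing "<?php " re-enters PHP mode without relying on short_open_tag
    echo eval("?>" . $x . "<?php ");
    ?>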

Let me know, works great for me in MANY applications, can't help but notice that everyone is quick to say how bad it is, but slow to actually help out with a straight answer...

kneeskrap3r - Phil Gapp
I fixed your markdown - if you don't indent code four spaces, `<?php ?>` gets treated as an HTML tag and becomes hidden
dbr
A: 

I don't understand the "9" part. Could you explain how that works?

Poweraktar
I assume this is a reply to kneeskrap3r - Phil Gapp's answer? If so, I've fixed up its markdown, so it should be easy to understand now.
dbr