Executing code stored in database

pablogosse

Hi all. I'm currently developing a Content Management System which will use templates to deliver the website.

For the most part, the code stored in the database will be straight html, but there will be certain instances where I will need to store some php code in the content.

If I have a chunk of html code which has an include_once() statement in it somewhere, how do I go about getting this code to be executed instead of merely being spit back to the browser?

Right now, with simply embedding the code as follows:

<html>
<body>
This is html.<br>
<?php include_once("file.inc.html"); ?>
<br>
More html
</body>
</html>

When I select the code from the database and output it I get the html output and if I view the source, the php code is actually printed as well, but the file is not being included.

I've tried using eval() but it isn't working. I get parse errors in the eval()'d code.

Any ideas?

Thanks in advance,
Pablo

Lars_Berg

I don't see any benefits whatsoever with storing php code in the database compared to using ordinary files.

pablogosse

Well, it's not just php code that's going to be stored in the database, but basically the entire website.

The reasoning behind this is as follows:

I work in an institution where security of information is very important. The server I work with is a Solaris box running the Oracle IAS, and as such there is a lot more potential for really nasty things to happen were someone to exploit any potential security holes.

To allow PHP to write files directly to the webserver PHP runs as the user 'oracle', and with the IAS this user has access to MANY areas outside of the website and PHP.

The new site I'm building is going to be driven by a CMS, and due to the limitations of what I can and cannot do directly on the server, I have elected to run the CMS with a database back-end (PostgreSQL) instead of live files. For this reason I need to be able to store the code in the database and have it execute.

I did get a solution on another forum. It seems that you have to prepend a '?>' to the value you're trying to eval().

For example, if you have a variable, $foo, which you want to eval(), then you'd use the following:

eval ('?>' . $foo);

THoughts?

ducey

You're nearly there.

You need to use:

eval("?>","YourPHPandHTMLPage,"<?php");

Hope this helps 🙂

bubblenut

Originally posted by ducey
eval("?>","YourPHPandHTMLPage,"<?php");
[/B]

eval only takes on parameter.

ducey

Ah, thanks Bubblenut! This is the correct code snippet:

eval("?>" . $yourPHPandHTMLcode . "<?php");