Parse Php inside MySql

sissy

Hello folks,

How is everyone 🙂

Question -
Its got me beat how to allow and parse php code that i put into the database im doing the usual DB call then echoing the info which is straight foward as long as theres no php.

<?php
$query = $db->query("SELECT * FROM table WHERE content='$content'");
$row = $db->fetch_array($query);
?>
<body>
  <?php echo $row['content']; ?>
</body>

Just wondering how i got about this i looked at the eval() statement but couldnt get it to work, some help would be gladly appreciated.

Thanks.

bogu

I don't know what kind of classes are you using but in php you could use this:

<?php
$query = mysql_query("SELECT * FROM table WHERE content='$content' LIMIT 0,1");
$row =mysql_fetch_array($query);
?>
<body>
  <?php echo $row['content']; ?>
</body>

sissy

Hi Bogu,

Thanks for the reply, maybe you missunderstood me or i didnt explain myself well enough.

When it pulls the content from the DB eg

<strong>hello</strong>
<br>
<a href="some url">click</a>

thats all fine works as expected but as soon as i add php eg

<strong>hello</strong>
<br>
<a href="some url">click</a>
<br>
<a href="<?php echo $url; ?>">click</a>

the php code isnt parsed as its allready processed everything so it just adds it to the source code, what i would like to do is allow it to parsed but this is the part im stuck with.

Thanks again.

mogster

It's the old eval() woes, isn't it? 😉

Here's some code I use:

## Code db_clean_function ##
function dbCode($text) {
$text = str_replace("$", "\$", $text);
$text = addslashes($text);
return($text);
}

## To insert code ##
$db_code = dbCode($da_code);
$doInsert = mysql_query("insert into codetable values ('', '$chapter_id', '$article_id', '$db_code', 'y', '$username')");
## Your sql may vary from mine ;-) ##

## Pick it out and eval it ##
$query = mysql_query("select code from codetable where chapter_id=$chapter_id");
@ eval (stripslashes(mysql_fetch_array($query)));

I use the db class from phplib, but I think this should work.

Be sure to protect the input/output of such querys! Executing php should be considered carefully 😉

knutm

Norman_Graham

Yes, I've been pondering this one for a while as well. I have now established, thanks to the people on this forum, that there's only one solution and that's eval(). The explanation of eval() at php.net is completely incomprehensible to me. I'll just have to try it myself and see how far I get. When I have some code, which will almost certainly not work first time, I'll post it to the forum and wait for debugging help. If you come up with a working piece of eval() code for your own purposes, please post it to this forum so we can all have a look at it.

Thanx and best o luck

Norman

mogster

Ah - forgot:
This works with backslashed code. That is, echo'd html/php.

Like echo <a href=\"gunga_din.php?zhevalue=$gumbo\"> and so on...

Just mentioning it - haven't tried with pure html/php 😃

knutm

cahva

Heres the lame way to do it, using tempfile. I really never used it, but maybe someone wants to use this piece of crap 🙂
It was made just to see if its possible to execute whole pages from db(which included php-code and plain html).

In this script I used table which consisted of two fields: 'id' and 'sourcecode'. So therefore $row[1] is the sourcecode field.
Tempfile should be outside of the www-directory.

<?php
$query="SELECT * FROM table WHERE id='1'";
$row=mysql_fetch_row(mysql_query($query));

$handle = fopen ("/home/temppage.php", "w");
fwrite($handle,$row[1]);
fclose($handle);

include('/home/temppage.php');
?>

sissy

Thanks folks for the fast responses unfortantly its not working mogster theres no error but it dont display anything either.

Its probably my mistake but ill show u what i have and yeh i HATE eval :rolleyes:

<?php

//database settings
$db_username = "freak"; //db username
$db_password = ""; //db password
$database = "test"; //db table

//database connect
$db = mysql_connect("localhost", "$db_username", "$db_password");
mysql_select_db("$database", $db);

$query = mysql_query("SELECT * FROM content WHERE id='$id'");
$row = eval(stripslashes(mysql_fetch_array($query)));

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
  <title>
   <?php echo $row['title']; ?>
  </title>
 </head>
 <body>
  <?php echo $row['content']; ?>
 </body>
</html>

anymore feedback where i have gone wrong would be appreciated.

bogu

Ok sissy now I understand you.
The eval function is your problem?

Ok could you give an example of you eval string and the php variables that you want to change into your string.

mogster

Sissy, you did note this function?

## Code db_clean_function ##
function dbCode($text) {
$text = str_replace("$", "\$", $text);
$text = addslashes($text);
return($text);
}

If you're gonna eval the string, you need to add a backslash to the $, else the values disappear. So the code you'll be backslashing (the code in db) need to be run through this function before insert.

knutm

xblue

I think it may be this line where things go wrong:

// mogster
@ eval (stripslashes(mysql_fetch_array($query)));

// sissy
$row = eval(stripslashes(mysql_fetch_array($query)));

wouldn't it make more sense to call these functions on a string, e.g. $row['something'], and not on an array?

mogster

Yeah, you're right.
The eval is in it self an execution, and the code in db would look app. like this (AFTER going through the dbCode!):

\$query = mysql_query(\"SELECT * FROM content WHERE id=\'\$id\'\");
\$row = mysql_fetch_array(\$query);
echo \"
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>\";
echo \$row[\'title\'];
echo \"
</title>
</head>
<body>\";
echo \$row[\'content\'];
echo \"
</body>
</html>\";

Then this db-script is executed within the already existing php-tags in another php-script:

<?PHP
$qy = "SELECT code_above from dbfield where something = '$something'";
$pickCode = mysql_query($qy);
@ eval (stripslashes(mysql_fetch_array($pickCode)));
?>

This is all - do not store the evaled code, just eval it 😉

knutm

mogster

Well, I see that not all the backslashes are printed in the above example 😃

Just use the dbCode function on the code to be inserted, and remember that every html-sentence (echoed) must be backslashed in the code as you write it.

knutm