if youre trying to read the file, instead of execute it, use file_get_contents()

Yes, this does pull in the content, but the content can't contain any PHP, as it's just pulled in, not executed. For pulling in HTML snippets, this works great.

I suspect that what I want to do can't be done: how can a running PHP script insert more PHP and run that before continuing?.. :bemused:

I dont quite get what youre trying to do?
are you trying to input it into a textarea, and then save it, and have it run later?
Please try explaining again

include("file2.php");

Ok, here's the scenario:

A textarea in a CMS is used to put text onto a web page. So far so good, fairly standard stuff. Somewhere amongst that text is a call to an external snippet of php. Example text in the textarea:

[FONT=Courier New]Please complete the form below to register

[script]form.php[/script]

Don't forget to complete all fields[/FONT].

The CMS will parse this and output the result to the web page. When it hits [script]form.php[/script] it will pull in that external PHP file, which will contain some PHP and some HTML.

Then this whole block of text will be output. The problem is, this whole block of text will contain various other tags that PHP is happily turning into HTML (ie an will be turned into a standard <img> tag). The processing of all of this text is not finished when a [script] tag is found: in the example above, there's additional text after the [script] tag.

How to tell PHP to effectively process that external snippet and place the result of the processing into the text at the point of the [script] tag, as HTML. Calling include() or require() will cause that snippet to be processed and output at the point it's called, not along with the rest of the text.

So you have a web based editor for adding text (which is a mixture of text and html and php) to your web page - and you want to be able to put [script]file.php[/script] into that web based editor. Then when the CMS delivers the page to the user, it displays all the text and html and a processed version of the PHP that's in file.php.

Is that right?

etully wrote:

So you have a web based editor for adding text (which is a mixture of text and html and php) to your web page - and you want to be able to put [script]file.php[/script] into that web based editor. Then when the CMS delivers the page to the user, it displays all the text and html and a processed version of the PHP that's in file.php.

Is that right?

That sounds about it!

So when the CMS parses the text and it sees this: [script]file.php[/script] it's obtaining the text in that file (which is PHP code) and instead of letting PHP parse that file, it's displaying the PHP code?

If that's what it's doing, then it sounds like you need to modify the CMS so that instead of echo'ing the contents of that file, it does an include of that file or an eval() of that text. Similarly, you could add a new tag to the CMS. You might call it something like [eval] or [exec] or [run] or whatever.

That should work fine - except for that little problem of this being a huge security hole. There's no security hole if you are the only person who can put text into that web based text editor. But if users can see or use that text editor, then do not modify the CMS as described.

I think the reason you were seeing this as "impossible" was that it's not a function of the CMS in the first place - which they probably left out for security purposes.

If you do decide to alter the CMS, make sure that the PHP in your [script]file.php[/script] file doesn't alter any variables that the CMS uses - or alter the environment in a way that the CMS doesn't expect.

Firstly, it's my own CMS, so I can do whatever I like with it! Secondly, there wouldn't be a security issue initially because clients don't have the ability to create their own scripts: it's for me to make reusable items for different pages.

Thirdly, using an include makes the PHP get processed right there, not with the flow of the text.

However, eval might work, so I'll look into that and report back!