[RESOLVED] Inserting PHP Code into SQL

whobutsb

Hello All,
I'm working on a content management system for my website. On my web pages I have a series of boxes (Think Google Gadgets, on the iGoogle Website) that have information for employees, IE. Company Directory, Form Search, Weather, etc.

Right now I'm just using PHP include statements to bring everything in to the page, and on the boxes themselves I have validation script that runs to see if the viewer has access to certain widgets. I would like to move my box codes in to a SQL database (MSSQL to be precise).

I was wondering if anyone knew what type of SQL column type i should use and if its even possible to return PHP code from a database and have it run on the webpage. I have tried using the TEXT, NTEXT, Varchar, with no luck.

Thanks for the help!
Steve

Roger_Ramjet

You just need any string/text column type to store the php. To get it to run you need to use EVAL on the string once it is extracted from the db.

whobutsb

Thanks Roger,
I'm going to give that a try. Do you have any pointers on Inserting the code into the database? I tried placing ( \ ) in front of the double quotation marks, but it still seems to have trouble with some things.

Here is what i'm trying to turn into a variable:

$code = ("
<?php
$query = mssql_query(\"
SELECT TOP 3    articleID, postDate, title
FROM         dbo.tblArticle
WHERE     (type = 'ANNOUNCEMENT') AND (published = 1) AND (endDate >= { fn NOW() })
ORDER BY postDate DESC\") or die();
?>

<div class=\"box\">
	<div class=\"box_header_red\"><h2>Announcements</h2></div>
	<div align=\"center\" class=\"box_body\">


	<?php
			while($result = mssql_fetch_array($query)){

				foreach($result as $name => $value){
					$$name = $value;
				}
				$newPosts = date(\"m/d/Y\", strtotime(\"2 days ago\"));
				if(date(\"m/d/Y\", strtotime($postDate)) >= $newPosts){
					echo \"<img src='_images/Beacon/new.png' alt='New Post' />\";
				}
				echo \"<a href='Articles/view.php?articleID=$articleID' title='$title'>$title</a><br /><br />\";
			}
	?>	
<?php
	if(isset($username)){	?>
		<div align=\"center\"><a href=\"Articles/new.php?article=announcement\" class=\"add\" title=\"Add New Announcement\">Add New Announcment</a></div>
<?php
	}	?>
	<div class=\"clear\"></div>
</div>
</div><!-- end box -->

<div class=\"clear\"></div>

");

Roger_Ramjet

Yes. those quotes are going to be a problem.

Now, I'd first loose all the <?php tags: it is going to be processed as php anyway. Just use echo for the raw html instead of switching between html and php.

Also, get into the habit of coding your queries like this

$qry1 = "SELECT TOP 3    articleID, postDate, title
FROM         dbo.tblArticle
WHERE  type = 'ANNOUNCEMENT' AND published = 1 AND endDate >= Getdate() ORDER BY postDate DESC";
$result = mssql_query($qry1) or die();

It makes it much easier to debug your queries by echoing the query string before you run it so you can see what you are actually passing to the db engine.

Also, you do not need to evaluate Now(): MS SQL has internal version Getdate() so you can write the query using that.

So, just write it as you would do in a normal php file without worrying about quotes and slashes etc: except without any php tags. Then use Addslashes on it.

whobutsb

Thank you very much Roger! I really appreciate all the hints you gave me as well. I'm very new at web development so my coding isn't the most efficient or pretty, but it seems to get the job done.

I'm going to give your tips a try tomorrow morning. Thanks again for everything!

bradgrafelman

I know you marked this as resolved, but an easy way to do this might be something like this:

$data = <<<EOD
echo "This is a bunch of \"data\"!";
echo "It isn't going to break the SQL query!";
EOD;

$sql = "INSERT INTO ... VALUES ('" . mysql_real_escape_string($data) . "') ...";

Roger_Ramjet

bradgrafelman wrote:
I know you marked this as resolved, but an easy way to do this might be something like this:
$data = <<<EOD
echo "This is a bunch of \"data\"!";
echo "It isn't going to break the SQL query!";
EOD;

$sql = "INSERT INTO ... VALUES ('" . mysql_real_escape_string($data) . "') ...";

Except that is is MSSQL not mysql - otherwise we would have done this already🆒