[RESOLVED] Since I got outstanding assistance the last time...

nine72

I was wondering...

IF I were to save this snippit of code to a mySql db

                                   <tr>
                                     <td class="style6"><div align="right">Device Model</div></td>
                                     <td class="style6">&nbsp;</td>
                                     <td class="style6"><select name="ttDevModHyp" style='font:8pt Verdanda, Arial, Helvetica, sans-serif; border:1 solid #FF9F9F;' onFocus="this.style.backgroundColor='#ffffCC'" onBlur="this.style.backgroundColor='#ffffff'">
                                         <?php print printTtDevHyp($_SESSION['ttDevModHyp']); ?>
                                       </select></td>
                                   </tr>

what is the edits needed to print this to a page between 2 php tags...

I have spent the better part of the weeked reading the "How to's" on the net but can not make sence of where the " and ' etc make a differance...

I have 600 of these sort of peices, once i can see how one sould be done I think I can get the rest of them...

Thanks In Advance.

bradgrafelman

Once you retrieved that code back from the DB, you'd have to [man]eval/man it to get it to actually evaluate the PHP code between the PHP tags.

EDIT:

nine72 wrote:
I have spent the better part of the weeked reading the "How to's" on the net but can not make sence of where the " and ' etc make a differance...

Are you talking about when INSERT'ing this data? You'd of course want to sanitize it, either using prepared queries or by running it through the [man]mysql_real_escape_string/man function - that'd take care of any quotes, line breaks, backslashes, etc. etc. for you.

nine72

Thank you, will read some more on the eval() and see if I can figure this one out...

Basically I am back to my form issue with a db this time.
I am looking to store some of the forms in the db and echo them to the body of a page to gather data and store in the db. These forms can be used over and over and over until the user has added as many contacts, hardware types etc as they wish before moving to the next form page...

I am making the call here...

<?php require_once('../Connections/XXXXXXXX.php'); 

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    

    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

mysql_select_db($database_XXXXXXX, $XXXXXXXX);
$query_Recordset1 = "SELECT XXXXXX FROM XXXXXXX WHERE XXXXXXX = 'XXXXXXXX'";
$Recordset1 = mysql_query($query_Recordset1, $jpbdweb) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

and then in the body...

echo $row_Recordset1['XXXXXXXX'];

What is happening is that none of the

value="<?php print printTtDevHyp($_SESSION['XXXXXXXX']); ?>"

that I am using for the vast number of drop downs etc are showing up. I get the selection box with no values. I have an include_once(); statement at the top of the page to trigger the page where the various arrays are held for the dropdown information....

I took this project after the developer that was working on it could never get a clean submission (after 2 years of him working on it). It has been a nightmare since I got it...This is not the kind of thing that the Art Director (me) usually does...haha...but all the other programmers here are C, C#, C++, TCL etc....PHP is the only language that I am halfway comfortable with to even attempt this with...So all the guidance and feed back is most helpful!

nine72

Ok, the use of eval() has been snuffed by my netsec team...no reason given they simply said "You can not do that...."

Any other thoughts.....any....anyone.....seriously.....

bradgrafelman

Is the PHP code always going to be something like "print function_name/B;" ?

nine72

about 1/3rd of the fields match that the rest are simple text fields where it is <? print $_SESSION['field_name']; ?>

bradgrafelman

You might consider making a mock template system, e.g. instead of <?php print $var; ?>, just do {:var_name:} and you could do a [man]preg_replace/man to load the appropriate variable.

Same for the function, you could do {:func_name:var_name:} or something similar.

nine72

Thanks for the replys and suguestions, bradgrafelman.

I had considered doing that a couple of months ago until I got further into the code of the project....I may not have a choice tho.

There are almost 4000 pages of scripts, includes, functions, ajax and on and on. While I can maintain that at least for the forms there are about 16 to 20 form pages, all or parts of the forms are replicated nearly 40 times by the access the user has....

It needs to be completely reworked, but that has not been accepted as an option by the people driving the over all project...

I have even gone as far as paying out of my own pocket to have some of it condensed and fixed but my funds for that have ran dry...So I am down to doing what I can...:queasy:

nine72

sorry, didn't mean to rant....

bradgrafelman

Then I would suggest you find out why eval() isn't being considered. Is the function itself disabled, I take it?

bpat1434

[man]eval/man is probably disabled because if someone were to add say...

phpinfo(); exit();

as the value of one of the inputs, and then purposefully fails the form validation, they could conceivably ascertain all the information about your system (what's installed, version of php, etc.). From there, they could easily do things like var_dump() or use Reflections to see what your code is doing, and eventually hack your code from the outside.

That's usually why it's left "off" or disabled in production environments. The only way to guarantee that it won't be mistreated is to have a select few functions that you'll allow, and if inside the eval'd code there are other functions, then don't allow it to be run.

It's a catch-22. On one hand you gain functionality, on the other, you expose a security risk. Most hosts will err on the side of caution and disable it (both for your and their protection).

I think your best bet will be to change the forms to use some type of templating system. Whether that means that you roll your own and use tags like:

<mySystem:input type="text" name="somename" value="_SESSION['somekey']" class="some_class" />

and then you parse it and display:

<input type="text" name="somename" value="I Was In The Session!" class="some_class" />

Or you could make it as simple as Brad said and use {:var_name:} and then do a str_replace() looking for all {🙁.*):} items and when you find it, replace it with $_SESSION items.

nine72

I have finished talking with the netsec guys here and bpat1434 is correct as to why I can not use it. Just the fact that there is the possibility that it could be used in that way it is not allowed.

At this point I am going to have to go and argue the point to them that to do what they need this to do, it is just not going to happen in the current configuration...

Thank you for all your input and assistance gentlemen, you have been most helpful.

If no other suguestions I will closes this thread in 24hrs.