Storing actual PHP code

adamwhiles

I have a site that the purpose is for users to be able to submit php code for others to see or help with whatever. I am currently inserting the actual code into a mysql, I know this is not secure but I'm looking for the best way to do this. All I need it to do is store the php code, then be able to view that code w/ highlighting etc. on another page. It works for the most part as is right now, just looking for a better option than storing in a database.

Also, it seems like that when the code is pulled back out of mysql the formatting(indents) are a little off, any suggestions there?

BTW, this site is not live so I don't have any examples to show you. It just runs privately on my local test machine.

bradgrafelman

adamwhiles wrote:
I am currently inserting the actual code into a mysql, I know this is not secure but I'm looking for the best way to do this.

What do you see being insecure about doing this?

adamwhiles wrote:
It works for the most part as is right now, just looking for a better option than storing in a database.

What's wrong with storing it in a database?

adamwhiles wrote:
Also, it seems like that when the code is pulled back out of mysql the formatting(indents) are a little off, any suggestions there?

How are you outputting the whitespace? Are you converting it into HTML-equivalent entities, or leaving it as plain whitespace? In HTML, repeated whitespace is ignored (so "Hello World" will be displayed the same as "Hello World").

To preserve whitespace formatting, you might consider using something like the <pre> tag or equivalent CSS.

EDIT: Note that if you use something like [man]highlight_string/man to add syntax highlighting, whitespace is automatically preserved for you.

Weedpacket

The security issues that arise from storing PHP code in a database, especially user-supplied code - come when you proceed to execute that code on your server.

Since you're just treating it as text, and you won't actually be trying to run any of it, that isn't an issue in this case (the [man]highlight_string[/man] function bradgrafelman cites also escapes html entities at the same time, fortunately).