I have this code:
<!DOCTYPE html>
<html>
<?php require_once('./module/mod_head.php'); ?>
<body>
<?php require_once('./core/imp/navbar.inc.php'); ?>
<div class="container" style="margin-bottom: 50px;">
<?php include('./module/mod_preview.php'); ?>
</div>
<div class="container-fluid">
<?php include_once('./module/mod_block_whoami.php') ?>
<div class="collapse" id="summaryId">
<?php include_once('./module/mod_block_summary.php'); ?>
</div>
</div>
<?php require_once('./core/imp/footer.inc.php'); ?>
</body>
</html>
Now this code is saved in a database.
The problem is I want that code to be used as it would be the only code in my index.php file.
But as I said before it is saved in a database and to get that code I need to use php and then the code will be saved in an php variable and echoing that would be like:
<?php echo "<html><?php echo "<morehtml>blablabla</morehtml>"; ?></html>"; ?>
I thought of creating a temporary file that gets overwritten whith the code and then included by the index.php file or whatever file needs to get code from the database.
However I don't know if that is a good idea or if there are any better ways to get php code from an MySQL database and using it.
If you want to use php code from database, try eval (Evaluate a string as PHP code).
$sting // your variable with the data from the DB
<?=eval('?>' . $sting . '<?') ?>
But this is dangerous, from documentation:
"The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand."
PHP offers the eval($string) function. It runs the code in the string you pass it. So, it would be a simple matter to read code from a MySQL database and run it.
But, is this a good idea? Many people don't think so, because it makes it easy for a badguy to pwn your application.
Related
I am using ckeditor in a simple cms i build with the following configuration.
<script>
if ($("#editor").length) {
CKEDITOR.replace('editor', {
language: 'en',
allowedContent: true,
});
CKEDITOR.config.protectedSource.push(/<\?[\s\S]*?\?>/g);
}
</script>
It works great if go to the source tab on the editor and type some php code like the following:
<?php echo "hello"; ?>
it gets saved on the database as <?php echo "hello"; ?>
so far so good
Now my problem is when getting that from the database and displaying it on the browser it does no appear.
I did a var_dump on the variable that has the code and i see the following:
...modules\pages\views\base.php:38:string '<?php echo "hola"; ?>' (length=21)
So the value does exist and its reaching the view, i dont undestand why it is not showing up on the page.
the page is template.php
if i look at the source code my php code is beingg commented
<!--?php echo "hola"; ?-->
and this is how i am trying to display the code
if i do the following
<div class="article-content-container">
<?php echo $this->security->xss_clean($content); ?>
</div>
it is displayed like
<div class="article-content-container">
<?php echo "hola"; ?><!--?php echo "hola"; ?-->
</div>
if i displayed like this
<div class="article-content-container">
<?php echo $content; ?>
</div>
it gets commented.
I hope i was clear,any help would be appretiated.
Thanks guys-
Browsers don't interpret PHP code, and they don't know the slightest thing about it. They never have and they never will. PHP code is executed on the server; from there it produces some output that is echoed to the client's browser, usually HTML, but can also be CSS or JavaScript, images or other downloadable files.
If you output PHP code, the most the visitor can do with it is manually save it to a local file, install their own PHP software, and run it in that. It's never going to magically run in the browser, no matter what you do.
If you want to run some code in the browser, it must be JavaScript. If you want to run some PHP code on the server, don't echo it, eval it:
<div class="article-content-container">
<?php eval($content); ?>
</div>
Note that eval treats its input as already having a PHP open tag, so you would pass echo "hello"; to it rather than <?php echo "hello"; ?>. You can still use ?> within the eval'd code to drop back to HTML+PHP mode if you need to.
Either PHP or JavaScript code could trivially be designed to be hostile, and so submitting any markup or code for execution on your website must be treated as a privileged action. You must make sure not to allow anyone who is not an authenticated administrator of your website to do it. There are ways to sandbox or purify such code if you really have to allow random people to run it, but that is more complex. CodeIgniter's xss_clean is an incomplete attempt to stop XSS, and is certainly not designed for executing user-submitted code safely, although it will mangle code and make it annoying to write.
In general:
If you need to execute submitted PHP then use eval($content);.
If you need to output submitted HTML, which may include executable JavaScript, then use echo $content;.
If you need to output submitted plain text (which is the only form where it is normally safe to allow input from users), then use echo htmlspecialchars($content);.
If you don't save your php tags in the database, you could use eval() for running the saved code:
eval($this->security->xss_clean($content));
Only when the saved bit is not surrounded by <?php and/or ?>
EDIT: Letting people run code from a database or even saving code in a database is a potential risk. It could be exploited.
I have the following code that is within a file called footer.php
<section class="landing-form">
<form action="%TEMPLATE_DIRECORY_URI%/multipurpose-sliders-templates/slider11/landing-page-form.php" method="post">
<h2>%FORM_TITLE%</h2>
<p class="dsc">Enter your details below and we'll call you.</p>
I would like to include some PHP within the file, but when I add some it doesn't render. I'm not familiar with the %variable%. Is there any way to add PHP code to this type of file?
That looks like a mark up from ASP, not PHP. In order to do this in PHP do the following:
Create a new file to hold your variable. Name it var.php. In there:
<?php $formTitle = 'Whatever you want' ?>
In the HTML of your PHP page,
<? include 'var.php'; ?>
And in your HTML
<h2><? echo $formTitle ?></h2>
I must reiterate that this must be done in a PHP page on a server that is running PHP. This will not work with straight HTML. This will not work on a server that is not executing PHP.
But there you have a simple example how this is supposed to work.
Rookie here, so please correct me if I have anything wrong.
So here's a snippet of my HTML:
<html><body>
<h2>Home Page</h2>
Welcome back <?= $fgmembersite->UserFullName(); ?>!
</body></html>
The function, $fgmembersite->UserFullName(), returns a string (100%, if I call the function within tags it prints out correctly). How do I get it to echo out in the HTML?
I think an alternative would be to echo the entire HTML code, and I think it'd work then, but I don't want to do it that way because I read somewhere that echoing all of your HTML is bad. Could somebody also confirm/deny that?
Right now, this is what shows on the site:
Welcome back UserFullName(); ?>!
No idea why
Thanks for your time!
I think you want the code to look like this...
Welcome back <?php echo $fgmembersite->UserFullName(); ?>!
This will ECHO the result of the function call.
What you are seeing is the result of the browser trying to parse the PHP. It is trying to treat <?= $fgmembersite-> as an unknown tag and then renders the rest as text.
There are two possible reasons for this:
You need to pass it through a PHP engine first.
You need to access the file through a web server which supports PHP and is configured to run your file through PHP when it is requested (typically this is done by using a .php file extension).
Note that installing a web server then double clicking a PHP file in your file manager isn't sufficient - the browser will just load the file from the file system. You need to type http://etc etc.
It is also possible that you have short_open_tag disabled (which is common and sensible) and are using PHP 5.3 or older (which isn't a great idea, 5.3 is still supported but it is the oldest branch that is).
If this is the case, your options are:
Upgrade PHP
Use <?php echo ... ?> instead of <?= ... ?>
Enable short_open_tag
Can't you just do
<?php echo $fgmembersite->UserFullName(); ?>
?
use it as follows:
<html><body>
<h2>Home Page</h2>
Welcome back <?php echo $fgmembersite->UserFullName(); ?>!
</body></html>
Do you have short_open_tag enabled on your server? You need to have that enabled to use that syntax. If you don't have that, use <?php echo $fgmembersite->UserFullName(); ?> like the other users suggested.
You can check the setting on you server by creating a file containing <?php phpinfo(); in it, and accessing that.
Also, echoing all your HTML inside the <?php tags are considered a bad practice because you should separate your business logic and your HTML. Echoing HTML directly from inside the PHP tags quickly leads to a mix of HTML and PHP, and it will be harder to read (for others, and yourself later on)
I just learned how to include php .Here's the index or main php file
<!DOCTYPE HTML>
<html>
<head>
</head>
<body>
<?php include 'header.php'; ?>
</body>
</html>
now in header.php file which way is better to print html
Way 1 directly use html without php
<header>
<h1>Header</h1>
</header>
Way 2 Using php and echo
<?php
echo '
<header>
<h1>Header</h1>
</header>
'
?>
Another quick question. Will it work if I use .html for the base or index file ??
sorry for my bad english
Directly use HTML without PHP:
<header>
<h1>Header</h1>
</header>
As for your second question:
The file you're using include() in must have .php extension, but the file that's being included doesn't necessarily need the .php extension. The .html extension would work fine as well.
Just include the PHP file.
BTW, in case you haven't, read about this too:
Difference between require, include and require_once?
HTH.
you should use include_once ;-)
http://us2.php.net/manual/en/function.include-once.php
There are a few ways to go around it. Rather than echoing everything, I like to go like this:
<title><?php echo $title; ?></title>
Or if I have a nice block to work with, maybe within an if statement, I also like to go like this :
<?php if($weather = "sunny") { ?>
<div id="sunny">
<p>It's a beautiful day outside.</p>
</div>
<?php } // end if($weather = "sunny")
else { ?>
<div id="sunny">
<p>Today is yucky.</p>
</div>
<?php } ?>
The answer is sometimes different. If you use the same header on a lot of pages, use Way1. If you're only doing this in one place, you want to use Way 2 (or keep it in html), since it's more readable at quick glance to someone studying the page.
You can use .html for the file if you change the server config to tell it to look at it for php first, but you shouldn't do that, it just increases complexity and may have unintended consequences if you do it wrong.
Use .php or .phtml for files with any amount php in it. The only distinction you can make is to use .phtml files for files that are mostly html.
How can I replace the text on the active document body on a PHP file on code execution?
Do I have to import a file, replace text on it and then echo it or can I just manipulate the document I run the PHP script on?
I am trying to use templates for easier HTML editing like :usernamecomeshere: and then replacing that :usernamecomeshere: with the actual value. I am wondering If I can do it on one file only instead of loading a file and then displaying it.
If I'm getting your question correctly, you don't need to important a file and echo the document. You can directly manipulate the document itself. For example, in the below sample, you can directly echo the contents of $username in a way that's interspersed with HTML code.
index.php
<?php
// handle code to login
$username = "David";
?>
<html>
<body>
<p>Hello, your username is <?php echo $username ?></p>
</body>
</html>
Worth pointing out is that PHP itself is a templating engine. If you want to replace text, you can do it using PHP such as:
<?php
$user = 'Ugur';
?>
<html><head></head>
<body>
<h1>Hello <?php echo $user; ?></h1>
</body>
</html>
Beyond this sort of simple usage, you may want to look at various template engines, which allow you to do much more elegant things, but are more complex. Take a look at mustache, perhaps?
If you're trying to make these modifications after the page has loaded, remember that PHP runs on the server-side, not the user-side. For that, you need Javascript.
you'll want to look up str_replace() on google. You can search an entire string and replace specified keywords simply.