1

I have a field in a database which contains the value:

<p><!--? echo get_block(\'contact\');?--><?php echo get_block('home-page'); ?></p>

When I am fetching the record in the front end, it just shows the output as a string:

echo $var = html_entity_decode(stripslashes($row_content_list["content"]));

Output

"<?php echo get_block('home-page');?>"

I want it to act as a PHP script.

Cody Gray - on strike
  • why are you storing php in the db? - It is almost always a bad idea –  Aug 29 '12 at 10:00
  • Why are you storing HTML with embedded PHP code in an HTML entity encoded form with added slashes in the database?! It's mind bogglingly terrible! – deceze Aug 29 '12 at 10:00
  • ^^ I was too scared to mention the other issues :-) –  Aug 29 '12 at 10:01
  • You shouldn't store PHP in the database. If you really wanted to though I guess you could use the eval() function but this is always HIGHLY discouraged. – DerekIsBusy Aug 29 '12 at 10:01
  • The simple solution is to eval($var) it, but that's ugly and insecure. Why has the database those values in the first place? Can you change the database to hold real values without code? – Jan Prieser Aug 29 '12 at 10:01
  • And technically eval() won't work with the tags in place. – DerekIsBusy Aug 29 '12 at 10:05
  • Why have you asked the same question multiple times? http://stackoverflow.com/questions/12173473/echo-a-string-in-php-that-contains-or-php-and-a-php-function – Keval Domadia Aug 29 '12 at 10:13
  • If that had been the case the answers wouldn't be different. Anyways, read it carefully, the questions are different. –  Aug 29 '12 at 10:16

3 Answers

0

You cannot add it as a PHP script.

PHP = server-side language; it PROCESSES your given commands and throws an HTML output (ofc with errors at times). You cannot re-process an already processed output.

Once you fetch it from the database, it is processed already. Secondly, you cannot echo and expect a PHP function to be executed, because ECHO itself is a PHP (system) thing.

You might want to re-strategize your approach.

EDIT: Don't use eval. Especially when things are coming out from database unless and until you are SUPER SURE about your data sanitization.

Keval Domadia
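
A safer shape for what the question is after, as an added example that is not part of the original thread: the stored content carries an inert placeholder instead of PHP, and the renderer expands it through an allowlist. The `[[block:name]]` syntax, `ALLOWED_BLOCKS`, `migrate_legacy()`, `render_content()` and the stub body of `get_block()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the asker's get_block(); its real body is not on the page.
function get_block(string $name): string
{
    return '<section data-block="' . $name . '">...</section>';
}

// Assumed allowlist: the only block names stored content may reference.
const ALLOWED_BLOCKS = ['home-page', 'contact'];

// One-off migration: rewrite the legacy "echo get_block('x');" PHP snippet
// into an inert [[block:x]] placeholder, so rows no longer hold PHP code.
function migrate_legacy(string $stored): string
{
    $pattern = '/<\?php\s+echo\s+get_block\(\s*\'([a-z0-9-]+)\'\s*\)\s*;\s*\?>/';
    return preg_replace($pattern, '[[block:$1]]', $stored) ?? $stored;
}

// Render stored HTML: expand allowlisted placeholders, execute nothing.
function render_content(string $stored): string
{
    // Any PHP tag still present is shown as text and never reaches eval/include.
    $inert = str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $stored);
    return preg_replace_callback(
        '/\[\[block:([a-z0-9-]+)\]\]/',
        static function (array $m): string {
            // Unknown names render as nothing instead of reaching get_block().
            return in_array($m[1], ALLOWED_BLOCKS, true) ? get_block($m[1]) : '';
        },
        $inert
    ) ?? '';
}

// Constructed sample rows (already entity-decoded): the page's legacy value,
// and one with unexpected PHP plus a block name that is not on the allowlist.
$legacy     = "<p><?php echo get_block('home-page'); ?></p>";
$unexpected = "<p><?php phpinfo(); ?>[[block:secrets]]</p>";

echo render_content(migrate_legacy($legacy)), "\n";
echo render_content(migrate_legacy($unexpected)), "\n";
```

The first row renders the `home-page` block; in the second, the leftover PHP is emitted as escaped text and the unlisted block name expands to nothing.
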
0

Create a .php file like this:

    $fileName = 'script.php';
    // Write the stored content to the file so it can be included afterwards
    $openedFile = fopen($fileName, 'w') or die("can't open file");
    fwrite($openedFile, $var);
    fclose($openedFile);

Write your $var there and then include it... It could work :) but it is still not secure

divide by zero
  • **+1** ... This is the only way I can think of to make this work, despite the fact that it is **NOT RECOMMENDED**, and also **MAY PUT YOUR ENTIRE SERVER AT RISK**. On the other hand, more stuff like this means more work for skilled consultants, so I guess we shouldn't make too much of a fuss... – ghoti Aug 29 '12 at 11:29
  • How's that different from `eval`, besides the fact that it's much slower and messier? – deceze Aug 29 '12 at 12:23
  • for `eval` The code mustn't be wrapped in opening and closing PHP tags, i.e. 'echo "Hi!";' must be passed instead of '<?php echo "Hi!"; ?>'. – divide by zero Aug 29 '12 at 12:25
  • Well, it's really not hard to work around that: `eval("?>$code – deceze Aug 29 '12 at 12:46
  • OK, make that [`eval("?>$code – deceze Aug 29 '12 at 12:53
0

You should try the eval() function; it accepts a string and reflects PHP from it.

The only thing to mention is that you should remove the <?php ?> tags.

    $var = html_entity_decode(stripslashes($row_content_list["content"]));
    eval($var);

Rosmarine Popcorn