0

I have a client that has a custom CMS. The HTML contact form page is stored in a MySQL table. I need to modify the form, and I need to add PHP and a MySQL query to the form to populate a combobox with values stored in another table in the same DB.

When I try to insert PHP code in that form (in the MySQL table), the PHP code does not render. For instance, if I add

```php
<?php echo "string"; ?>
```

in the middle of the HTML code stored in the DB field, the browser renders:

```html
<!--?php echo "string"; ?-->
```

so it is not shown.

EDIT:

What I have on DB and need to modify is the following:

I have a form stored in the DB, and one of the inputs is a text box. That needs to be changed to a dropdown menu with the options being populated from one of the DB table's fields. Hence the need to have PHP and a MySQL query in the middle of the HTML form...

Miguel Silva
  • You really need to post code examples for anyone to diagnose and help you with this problem. – Alan Kael Ball Feb 06 '14 at 16:47
  • 5
    I mean this humbly, and without trying to come across as harsh, but this is a terrible idea. – Brian Warshaw Feb 06 '14 at 16:48
  • OP actually included code originally, but didn't properly format so it was not rendered as visible. – eebbesen Feb 06 '14 at 16:49
  • 1
    That's probably a feature of the custom CMS to not run PHP code from a database field. – Volkan Ulukut Feb 06 '14 at 16:51
  • You'd need to rewrite the CMS so it treats the HTML in the database as a PHP program instead of as HTML data. – Quentin Feb 06 '14 at 16:51
  • This seems like you're running into input sanitation. For the record, is it that the contact form entries are stored into a MySQL table, or is it the actual HTML-and-whole-kit-and-caboodle stored into the database table? The former is fine, the latter is...not. I understand that that part may be outside your control, so to solve your problem, you might want to consider putting in JavaScript to populate the combobox values (using an AJAX call on another PHP file to send the values along to your page) – Chris Forrence Feb 06 '14 at 16:52
  • Instead of entering `` have you tried using just `echo "string";` ? PHP should parse that. – Funk Forty Niner Feb 06 '14 at 16:52
  • This is only really doable using eval(). By the way, never use eval(), because it's pure evil. http://blogs.msdn.com/b/ericlippert/archive/2003/11/01/53329.aspx (I know the link isn't for PHP but it applies to all languages with an equivalent to eval()) – GordonM Feb 06 '14 at 16:53
  • @Fred-ii- — If that works, then the result of running the code in the question would be much more likely to be the script falling over with an error instead of the PHP source code (or at least, that bit of it which is in the database) being sent to the browser. – Quentin Feb 06 '14 at 16:53
  • Then the CMS's setup stands at being the culprit. As already [stated by Volkan](http://stackoverflow.com/questions/21608922/store-php-code-on-mysql-and-get-it-to-run#comment32648502_21608922) @Quentin – Funk Forty Niner Feb 06 '14 at 16:56

2 Answers

1

You need to modify the code that is outputting the content from the database, so that the contained PHP code is executed instead of just echoed. Check out the eval() function for this.

As has been stated in the comments: this is a pattern that is generally considered insecure. Anyone who can write into your database now has the possibility to get any PHP code executed on the server. See this question for detailed discussion of this: When is eval evil in php?

Community
pixelistik
0
```php
$str = '<?php echo "string"; ?>'; // Your DB content

eval("?> $str <?php ");
```
Scherbius.com
  • 2
    Though it's a bad practice to store PHP code in the DB and use it like that. Instead one should work with template engines like Smarty. – Scherbius.com Feb 06 '14 at 17:04
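
An alternative to eval() for the dropdown described in the question, as an added example that is not part of the original thread or any poster's code: the stored HTML carries a placeholder token, and the CMS's output code replaces it with escaped option tags from a prepared query. The `{{options:NAME}}` token, the `form_options` table and its columns, and both function names are assumptions; in-memory SQLite stands in for MySQL so the example runs offline.

```php
<?php
// Added example: the token syntax, table and column names are hypothetical.

/** Build <option> tags from a lookup table; every value is HTML-escaped. */
function renderOptions(PDO $db, string $listName): string
{
    $stmt = $db->prepare(
        'SELECT opt_value, opt_label FROM form_options WHERE list_name = ? ORDER BY opt_label'
    );
    $stmt->execute([$listName]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= sprintf(
            '<option value="%s">%s</option>',
            htmlspecialchars($row['opt_value'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['opt_label'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

/** Replace {{options:NAME}} tokens in stored HTML; nothing from the DB is executed. */
function renderStoredForm(PDO $db, string $storedHtml): string
{
    // Only a strict token shape is recognised, so stored content cannot pick arbitrary SQL.
    return preg_replace_callback(
        '/\{\{options:([a-z0-9_]{1,32})\}\}/',
        fn(array $m): string => renderOptions($db, $m[1]),
        $storedHtml
    ) ?? $storedHtml;
}

// Constructed demo data; in-memory SQLite stands in for the CMS's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_options (list_name TEXT, opt_value TEXT, opt_label TEXT)');
$ins = $db->prepare('INSERT INTO form_options VALUES (?, ?, ?)');
foreach ([['dept', 'sales', 'Sales'], ['dept', 'r&d', 'R&D <lab>']] as $row) {
    $ins->execute($row);
}

// Constructed stored page: HTML with a token, plus a PHP tag that stays inert text.
$stored = '<form><select name="dept">{{options:dept}}</select>'
        . '<?php echo "string"; ?></form>';

echo renderStoredForm($db, $stored), "\n";
```

With this approach, write access to the page table lets someone change markup but not run PHP on the server, which is the risk the first answer describes for eval().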