I have a series of articles in files that are included in dynamic pages. I would like to delete all the files and put the content in a database.

However, some of the articles include PHP code. I was surprised to learn on a recent thread that you can put PHP code in a MySQL database table. However, I forgot to ask how to do it. Can someone show me how you would modify the following text (which includes an echo value and an include) so that it can be stored in a database table?

<p>Mammals and reptiles evolved from a common ancestor.</p>
<h3><a name="Internal" id="Internal"></a><?php echo $EvoHeader; ?></h3>
<?php require_once($BaseINC."/AContent/Child/Life/Features/Classification/Order/Mammals.php"); ?>
<p>Evolution continues today.</p>
  • Just because you can, doesn't mean you should. Code inside a DB is a pain to maintain. – Bill Feb 10 '14 at 21:04
  • You don't need to modify it at all to store it. You need to modify the code that inserts it into the page so it executes it. This is a horrible idea. – Quentin Feb 10 '14 at 21:04
  • php code is just data. like any other data, it can be put in a database. – Marc B Feb 10 '14 at 21:04

3 Answers

2

PHP code is just ordinary text as far as the database is concerned.

The issue isn't putting it in some special format, but escaping it properly. The best way is to use prepared statements, via MySQLi or PDO. You can also use mysqli_real_escape_string().

Edit: Based on your comment, it sounds like you are doing something like this: get the code from the database, then echo it. You're right, that will result in it being output as text. You would have to execute it with eval() or something, which is a very bad idea. As others have pointed out, this is not an ideal way to store PHP code; it will be hard to maintain, open up some security problems, probably result in naming conflicts, and generally introduce more headaches than it resolves.

elixenide
  • That's what confused me - "escaping." I thought people meant you have to modify the PHP code with quotes, back slashes, etc. But if I understand correctly, you don't change the code at all; you simply "escape it" in your query. Is that correct? I recently converted all my queries to PDO, but I don't quite understand what else I have to do for PHP code to function. I inserted a PHP include in an article in my database right now, and it displays as regular code in the HTML. – Feb 10 '14 at 21:17
  • @DavidBlomstrom, escaping it will be your smallest problem here, believe me. – Shomz Feb 10 '14 at 21:19
  • Please see my edit. @Shomz is right; this will be a bit of a nightmare. – elixenide Feb 10 '14 at 21:22
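The point this answer makes, as an added example that is not code from the original answer or from the asker: the fragment from the question is stored and read back unchanged through PDO placeholders, and echoing it back produces text, never executed PHP. The in-memory SQLite database is an assumption so the script runs without a server; with MySQL only the DSN line changes.

```php
<?php
// Added example (not from the original answer): store a PHP/HTML fragment
// unmodified with PDO prepared statements, then read it back.
// SQLite in memory is used here so it runs offline; for MySQL swap the DSN.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT UNIQUE, body TEXT NOT NULL)');

// The fragment from the question, exactly as it sits in the file.
// No quotes, backslashes or PHP tags are altered before storage.
$fragment = <<<'HTML'
<p>Mammals and reptiles evolved from a common ancestor.</p>
<h3><a name="Internal" id="Internal"></a><?php echo $EvoHeader; ?></h3>
<?php require_once($BaseINC."/AContent/Child/Life/Features/Classification/Order/Mammals.php"); ?>
<p>Evolution continues today.</p>
HTML;

// The placeholders do the "escaping": the driver sends the value separately
// from the SQL text, so the quotes, "$EvoHeader" and "?>" in the fragment
// cannot change the meaning of the statement.
$insert = $pdo->prepare('INSERT INTO articles (slug, body) VALUES (:slug, :body)');
$insert->execute([':slug' => 'mammals', ':body' => $fragment]);

$select = $pdo->prepare('SELECT body FROM articles WHERE slug = :slug');
$select->execute([':slug' => 'mammals']);
$stored = (string) $select->fetchColumn();

// The round trip is byte-for-byte identical.
var_dump($stored === $fragment);

// Echoing the stored text sends the "<?php ... ?>" tags to the browser as
// characters; PHP never executes them, which is what the asker observed.
// Escaping for HTML output makes the tags visible literally instead of
// letting the browser treat them as markup.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

Run it with `php example.php`; the `var_dump` confirms the stored body equals the original fragment, and nothing in the fragment was quoted or backslashed by hand.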
2

I see that nobody addresses how to run that code once you fetch it, but only how to escape it, etc... I don't think OP needs PHP snippets to show them on the page, but to run them.

If you want to run the PHP code after you fetch it from the database, you can use eval. But I strongly suggest you don't do it. There are millions of articles about it and why it's not safe. So, unless you're 110% sure you know what you're doing, don't do it.

However, since I doubt you'd need a dynamic code within a dynamic piece of code, I suggest you put the rendered version of every page into the database. This means that you take the output of each file, including whatever those php lines output (with their echoes and includes), and store it all together like that. If you still need some dynamic code within that (like maybe the logged user's name, or the current date, etc.), I'd suggest you add those after you fetch the data from the database, either by setting flags, making exceptions, whatever works.

The bottom line: use your database for content, settings, etc... do not use it for running code from it even though there are ways to do it.

Nice answers about eval: When is eval evil in php?

You might also find this topic interesting (no matter it's about Drupal): https://drupal.stackexchange.com/questions/70297/php-in-database-bad-practice-but

Shomz
  • +1 Thanks, well explained. especially for : `I see that nobody addresses how to run that code once you fetch it` – Ali MasudianPour Feb 10 '14 at 21:16
  • You're welcome! Please be careful with how you handle this. Haha, yeah, people don't seem to be bothered to read the whole question nowadays... (oops, sorry, I thought you were the OP) :) – Shomz Feb 10 '14 at 21:17
  • +1 very nice explanation of why to avoid this whole scenario. – elixenide Feb 10 '14 at 21:23
  • OK, I guess I'd better bury this idea. There are some good comments to peruse here, like putting the rendered version of each page in the database. – Feb 10 '14 at 21:25
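The alternative this answer recommends (store the rendered HTML, add the few dynamic bits after fetching), as an added example that is not code from the original answer: `ob_start()` plus `include` captures what an article file outputs today, that HTML is stored, and at request time a placeholder substitution with a fixed key list fills in values like the user's name without `eval()`. The temporary article file, the `{{user_name}}`/`{{today}}` placeholder names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example (not part of the original answer): pre-render each article
// once, store the HTML, and fill a few whitelisted placeholders at request
// time instead of running stored PHP with eval().
declare(strict_types=1);

// --- one-off migration: render a PHP article file to static HTML ------------
function renderArticle(string $path, array $vars): string
{
    // Expose the variables the article files expect ($EvoHeader, $BaseINC ...)
    extract($vars, EXTR_SKIP);
    ob_start();
    include $path;                  // runs the echo/require lines as they run today
    return (string) ob_get_clean(); // captured output: plain HTML, no PHP left in it
}

// Constructed sample article standing in for one of the included files.
$articleSource = <<<'PHP'
<p>Mammals and reptiles evolved from a common ancestor.</p>
<h3><?php echo htmlspecialchars($EvoHeader); ?></h3>
<p>Hello {{user_name}}, rendered on {{today}}.</p>
PHP;
$tmp = tempnam(sys_get_temp_dir(), 'art');
file_put_contents($tmp, $articleSource);

$html = renderArticle($tmp, ['EvoHeader' => 'Evolution']);
unlink($tmp);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (slug TEXT PRIMARY KEY, html TEXT NOT NULL)');
$pdo->prepare('INSERT INTO articles (slug, html) VALUES (?, ?)')
    ->execute(['mammals', $html]);

// --- request time: fetch and fill placeholders; nothing is executed ---------
function fillPlaceholders(string $html, array $values): string
{
    // Only keys present in $values are substituted; unknown {{...}} stay literal.
    // Every substituted value is HTML-escaped, so a user-supplied name cannot
    // inject markup into the page.
    return (string) preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        function (array $m) use ($values): string {
            if (!array_key_exists($m[1], $values)) {
                return $m[0];
            }
            return htmlspecialchars((string) $values[$m[1]], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $html
    );
}

$stmt = $pdo->prepare('SELECT html FROM articles WHERE slug = ?');
$stmt->execute(['mammals']);
$page = fillPlaceholders((string) $stmt->fetchColumn(), [
    'user_name' => 'D. <Blomstrom>',   // angle brackets come out escaped
    'today'     => date('Y-m-d'),
]);
echo $page;
```

The stored column contains only HTML, so a compromised or mis-edited database row can at worst change page content, never run server-side code; the dynamic values are supplied by the request handler and escaped on output.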
1

If we forget that PHP code is only text, and you just don't want to save normal PHP code into your database, you can first serialize your PHP code and then insert it into your database. While fetching your PHP code from the database in future, you can unserialize it.

Ali MasudianPour