
I'm completely lost as to how to go about this, or even whether it's possible.

I want it so that, if what I have stored in the database is PHP, it gets run.

For example, I have a table called content and a field called body.

That field called body contains "Testing 123 <?php echo "Testing 456"; ?>"

When I run the query, mysqli_query($con, "SELECT * FROM content"), and echo out the body, $row['body'], the page only shows "Testing 123", and if I view the source code I can physically see

<?php echo "Testing 456"; ?>

So is there a way to take what's in that field, and run the PHP if any exists in it?

Meno Hochschild
Staunton Allen
  • Take notice that data from the database should be treated as user-input (as attackers often manage to inject their payload there). So what you ask for is something in the "Handle with care" and "Know what you do" domain (which is harder than we often think). – hakre May 20 '14 at 17:57
  • @hakre I often see people mention things like that, but I don't fully understand. In my case, I will be the only one manipulating the database. Is this still unsafe in my case, as people could hack into my database or unsafe because people may pass bad things into my database from a form? I don't have any pages anywhere on my site that allow things to be passed TO the database, so I'm not certain if it's unsafe in my case. – Staunton Allen May 20 '14 at 18:12
  • Well, then it's not that likely, as there isn't any input channel; however, the database can also be changed, for example, from a command-line client, so actually from a *different* application than yours. However, as this is *further away* (distance), it's often not that likely. However, if applications aren't isolated properly, this can (and does) happen, as it's a common attack form as well (a sneak through the (open) back door is quite effective). – hakre May 20 '14 at 18:16

1 Answer


You can execute it in two ways:

  1. use the eval('here comes the text you get from db') function.
  2. you can write the text to a file and then call the file.
yossi
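Added example, not from the answer above or from the asker: it shows both of the answer's approaches (eval() and write-to-file-then-include) working on a row like the one in the question, and, because the comments point out that a database row has to be treated as untrusted input, a placeholder-based alternative that never parses row content as PHP. The rows, the helper names ("greet", "year") and the function names are constructed for the example; no database connection is used.

```php
<?php
// Added example. Constructed rows stand in for SELECT body FROM content.
declare(strict_types=1);

$rows = [
    ['id' => 1, 'body' => 'Testing 123 <?php echo "Testing 456"; ?>'],
    // What someone with write access to the table (a stray CLI client, a
    // SQL injection elsewhere, a leaked credential) might store instead:
    ['id' => 2, 'body' => 'Hello <?php echo shell_exec("id"); ?>'],
];

// Approach 1 from the answer: eval(). eval() starts in PHP mode, so the row
// text must be prefixed with "?>" to drop into inline-HTML mode first;
// otherwise "Testing 123" is parsed as PHP and eval() throws a ParseError.
// Anything between <?php ... ?> in the row runs as the web server user.
function renderWithEval(string $body): string
{
    ob_start();
    eval('?>' . $body);
    return (string) ob_get_clean();
}

// Approach 2 from the answer: write the text to a file and include it.
// An included file starts in HTML mode, so no "?>" prefix is needed, but the
// trust problem is identical: whatever is in the row executes.
function renderWithInclude(string $body): string
{
    $file = tempnam(sys_get_temp_dir(), 'tpl');
    file_put_contents($file, $body);
    ob_start();
    include $file;
    unlink($file);
    return (string) ob_get_clean();
}

// Safer alternative: the row holds data plus {{name}} placeholders, and the
// placeholders map to a fixed allow-list of callables defined in code.
// Row content is HTML-escaped, so a stored "<?php ... ?>" is rendered as text.
$helpers = [
    'greet' => fn(): string => 'Testing 456',
    'year'  => fn(): string => date('Y'),
];

function renderTemplate(string $body, array $helpers): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '/\{\{\s*([a-z_]+)\s*\}\}/i',
        static function (array $m) use ($helpers): string {
            $name = strtolower($m[1]);
            if (!isset($helpers[$name])) {
                return $m[0];               // unknown placeholder: leave as-is
            }
            return htmlspecialchars((string) $helpers[$name](), ENT_QUOTES, 'UTF-8');
        },
        $escaped
    );
}

echo renderWithEval($rows[0]['body']), PHP_EOL;     // Testing 123 Testing 456
echo renderWithInclude($rows[0]['body']), PHP_EOL;  // Testing 123 Testing 456
echo renderTemplate('Testing 123 {{greet}}', $helpers), PHP_EOL;  // Testing 123 Testing 456
// Row 2 through the template renderer: the PHP tag is printed, never run.
echo renderTemplate($rows[1]['body'], $helpers), PHP_EOL;
// Row 2 through renderWithEval() would execute shell_exec("id"); not called here.
```

The "?>" prefix in renderWithEval() is the detail most people miss when eval()-ing mixed text; without it only pure PHP code works. Both of the answer's approaches give whoever can write to the content table the same privileges as your PHP code, which is why the comments say to handle it with care: if the only thing you actually need is a few dynamic values inside stored text, the placeholder renderer gives you that without the database ever becoming a code path.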