34

I'm trying to write a page that calls PHP that's stored in a MySQL database. The page that is stored in the MySQL database contains PHP (and HTML) code which I want to run on page load.

How could I go about doing this?

different
    Thanks for this question. Contrary to many of the "answers" below, this is a good and useful one. There are many LEGIT uses where you'd want to store PHP commands in a DB. To say "don't do it" without knowing the circumstances is just arrogant. – Rid Iculous Mar 27 '13 at 02:34

7 Answers

33

You can use the eval command for this. I would recommend against this though, because there are a lot of pitfalls to this approach. Debugging is hard(er), and it implies some security risks (bad content in the DB gets executed, uh oh).

See When is eval evil in php? for instance. Google for Eval is Evil, and you'll find a lot of examples why you should find another solution.

Addition: Another good article with some references to exploits is this blogpost. Refers to past vBulletin and phpMyAdmin exploits which were caused by improper Eval usage.

Erik van Brakel
  • excerpt from "Eval is evil": "Allowing any user-supplied data to go into an eval( ) call is asking to be hacked." - OK, what if I use my own code stored in DB and used e.g. for dynamic and rapid custom form generation? – Jeffz May 10 '13 at 14:38
  • @Jeffz you'd better be very sure that no bad code ends up in there then. Besides, why would you stick it in a database and not just in a few code files? – Erik van Brakel May 10 '13 at 16:36
  • both ways are good, if you know what you are doing; [A]. file based is safer (especially for fairly new to coding), [B]. db way is more versatile, if some on-the-flight changes to code are necessary as updating db is easier than updating, tweaking (whatever) content of a file – Jeffz Jul 07 '13 at 13:18
26

Easy:

    // $x is your variable with the data from the DB
    // Leave PHP mode first so the stored HTML/PHP is parsed like a normal page,
    // then reopen it so the evaluated string ends inside PHP mode.
    // "<?php " is used rather than "<?" so it does not depend on short_open_tag.
    eval("?>" . $x . "<?php ");

Let me know, works great for me in MANY applications, can't help but notice that everyone is quick to say how bad it is, but slow to actually help out with a straight answer...

dbr
  • I fixed your markdown - if you don't indent code four spaces, `` gets treated as an HTML tag and becomes hidden – dbr Feb 08 '10 at 02:37
  • +1 This solution is practically working. Just applying eval($x) is NOT solving the issue as its breaking the code at the "<" sign. So this answer solves the problem. Cheers to Gapp! – Devner Mar 14 '13 at 18:21
5

The eval() function was covered in other responses here. I agree you should limit use of eval unless it is absolutely needed. Instead of having PHP code in the db you could have just a class name that has a method called, say, execute(). Whenever you need to run your custom PHP code, just instantiate the class of the name you just fetched from the db and run ->execute() on it. It is a much cleaner solution, gives you a great field of flexibility and improves site security significantly.

Michał Niedźwiedzki
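As an added illustration of the class-name approach in this answer (example code written for this page, not from the answer's author): the value fetched from the database is only a key into a fixed map of handler classes, so a tampered row can at most select a different known handler. The handler names, the HANDLERS map and the sample rows are assumptions made up here.

```php
<?php
// Added example (not from the original answer): dispatch a handler by the
// name stored in the database instead of evaluating stored PHP source.
// The handler classes, the HANDLERS map and the sample rows are constructed.

declare(strict_types=1);

interface PageHandler
{
    public function execute(array $row): string;
}

final class WelcomeHandler implements PageHandler
{
    public function execute(array $row): string
    {
        // Data from the row is escaped on output like any other untrusted value.
        return '<h1>Welcome, ' . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . '</h1>';
    }
}

final class ContactFormHandler implements PageHandler
{
    public function execute(array $row): string
    {
        return '<form method="post"><input name="email"><button>Send</button></form>';
    }
}

// The only thing the database is trusted to supply is a key into this map.
// Class names are never built from the stored string, so nothing in the
// row can name a class (or code) that is not listed here.
const HANDLERS = [
    'welcome' => WelcomeHandler::class,
    'contact' => ContactFormHandler::class,
];

function runStoredHandler(array $row): string
{
    $key = $row['handler'] ?? '';
    if (!array_key_exists($key, HANDLERS)) {
        // Unknown keys are refused and logged rather than silently ignored.
        error_log('refusing unknown handler key: ' . var_export($key, true));
        return '<p>Page unavailable.</p>';
    }
    $class = HANDLERS[$key];
    return (new $class())->execute($row);
}

// Constructed sample rows standing in for a SELECT from the pages table.
$rows = [
    ['handler' => 'welcome', 'user' => 'Alice <script>'],
    ['handler' => 'contact', 'user' => ''],
    ['handler' => 'system("id")', 'user' => ''],  // tampered row: rejected
];

foreach ($rows as $row) {
    echo runStoredHandler($row), "\n";
}
```

The map is a constant rather than a database table on purpose: adding a handler is a code change that goes through review and deployment, which is exactly the property the eval-based approach gives up.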
3

You can look at the eval function in PHP. It allows you to run arbitrary PHP code. It can be a huge security risk, though, and is best avoided.

Vegard Larsen
1

Have you considered using your Source Control system to store different forks for the various installations (and the modules that differ among them)? That would be one of several best practices for application configuration I can think of. Yours is not an unusual requirement, so it's a problem that's been solved by others in the past; and storing code in a database is one I think you'd have a hard time finding reference to, or being advised as a best practice.

Good thing you posted the clarification. You've probably unintentionally posed an answer in search of a suitable question.

dkretz
0

How I did this is to have a field in the database that identifies something unique about the block of code needing to be executed. That one word is in the file name of that code. I put the strings together to point to the PHP file to be included. Example:

    $lookFor = $row['page'];

    include("resources/" . $lookFor . "Codebase.php");

In this way even if a hacker could access your DB he couldn't put malicious code straight in there to be executed. He could perhaps change the reference word, but unless he could actually put a file directly onto the server it would do him no good. If he could put files directly onto the server, you're sunk then anyway if he really wants to be nasty. Just my two cents worth.

And yes, there are reasons you would want to execute stored code, but there are cons.

Machavity
    Your statement that this method of inclusion is safe even if a hacker could access your DB is incorrect. It is still vulnerable to several exploits including one known as "null byte poisoning" or "null byte injection" which can effectively remove (ignore) the ending of your string. See [here](https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/) and [here](http://webcache.googleusercontent.com/search?q=cache:www.madirish.net/401) for more details. – Justin Warkentin Dec 01 '14 at 05:29
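As an added example (not from the answer's author) of closing the gap the comment above points out: the same include-by-name pattern, but the stored key is validated as a plain identifier before it touches a path, and the resolved file is checked with realpath() to be inside the resources directory. The directory name, the `Codebase.php` suffix taken from the answer, and the sample keys are assumptions for this example.

```php
<?php
// Added example (not from the original answer): include-by-name with the
// page key validated first. CODEBASE_DIR and the sample keys are constructed.

declare(strict_types=1);

const CODEBASE_DIR = __DIR__ . '/resources';

/**
 * Resolve a stored page key to a file inside CODEBASE_DIR, or null.
 * The key must be a short plain identifier, which rejects "/", "..", "\0"
 * and anything else that could alter the path, and the resolved path is
 * compared against the real directory so a symlink or traversal cannot
 * escape it.
 */
function resolveCodebaseFile(string $key): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $key)) {
        return null;  // not a bare identifier
    }
    $base = realpath(CODEBASE_DIR);
    $path = realpath(CODEBASE_DIR . '/' . $key . 'Codebase.php');
    if ($base === false || $path === false) {
        return null;  // directory missing or no such file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;  // resolved outside the codebase directory
    }
    return $path;
}

function includeStoredPage(string $key): void
{
    $file = resolveCodebaseFile($key);
    if ($file === null) {
        // Log the rejected key so tampering with the page column is visible.
        error_log('refusing page key: ' . var_export($key, true));
        http_response_code(404);
        echo '<p>Page not found.</p>';
        return;
    }
    include $file;
}

// Constructed inputs standing in for $row['page'] from the database.
// Only "home" can resolve, and only if resources/homeCodebase.php exists.
foreach (['home', '../../etc/passwd', "home\0", 'home/../home'] as $key) {
    $resolved = resolveCodebaseFile($key);
    printf("%-22s -> %s\n", json_encode($key), $resolved ?? 'rejected');
}
```

The identifier check does the real work; the realpath() comparison is a second line of defence for the case where the resources directory itself contains a symlink pointing elsewhere.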
0

Read the PHP code from the database, save it to a file with a unique name, and then include the file. This is an easy way to run the PHP code and debug it.

    $uniqid = "tmp/" . date("d-m-Y h-i-s") . '_' . $Title . "_" . uniqid() . ".php";
    $file = fopen($uniqid, "w");
    fwrite($file, "<?php \r\n " . $R['Body']);
    fclose($file);
    // eval($R['Body']);
    include $uniqid;
ashkufaraz