
My first post, and I am a little lost on how to get my question across to get to the solution I desire. So here goes nothing...

I have a content management site I am currently working on. This uses PHP to create pages and store the page contents in MySQL to be called back on the user-facing site. A couple of things have come up that I need PHP to do within the page contents.

Is there a way I can use PHP to find the page content I have in the SQL database, and execute more PHP that is in that fetched page content? Or is this just something I wish I could do, and I require another way round it?

My main thing is to create a "contact us" page that redirects to itself after sending the enquiry. The HTML content for the contact us form is kept in the database, and is found using page IDs in GET requests.

I have tried just adding the extra PHP code to the SQL page content; however, it just doesn't display anything inside the tags.

  • Yes, but it is nasty and, even worse, it's dangerous – RiggsFolly May 08 '19 at 15:00
  • Has its uses if used properly https://www.php.net/manual/en/function.eval.php – AbraCadaver May 08 '19 at 15:01
  • IMO you never need to store code in the DB - just add extra options for the PHP stuff – treyBake May 08 '19 at 15:06
  • For example - what code are you trying to get from the DB? – treyBake May 08 '19 at 15:08
  • To begin with, it was to create the links to other pages without having to "hard code" them. Been trying to think of a workaround for a while, but coming up short all the time. I'm not new to programming, but PHP I have been working with for a couple of months, just trying to improve the site's functionality and add a few things – Matthew Jennison May 08 '19 at 15:12
  • Links to pages how? Surely, just have a linked table and link them that way? – treyBake May 08 '19 at 15:13

1 Answer

It is not recommended but you can use eval() to execute PHP from a string.

Let's assume you get an answer $response from your db, containing the code to execute.

    $response = $db->execute($query);
    var_dump(eval($response));

This will dump the return value of the executed code (stored in $response).

It is not recommended to use it because it exposes your application to arbitrary code execution. You will need to (at least) sanitize $response's content.

Community
Chocorean
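The alternative raised in the comments (keep the PHP in the code base and let the stored page content only reference it), as an added example that is not part of the original answer or comments. The `{{name:argument}}` token syntax, the `$pages` array standing in for the MySQL table, and the handler names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the MySQL pages table (assumption).
$pages = [
    1 => ['title' => 'Home',       'body' => '<p>Welcome. {{link:2}}</p>'],
    2 => ['title' => 'Contact us', 'body' => '<h1>Contact</h1>{{contact_form}}{{system:id}}'],
];

// Allow-list: the only server-side behaviour that stored content can trigger.
// Each handler is ordinary PHP kept in the code base, never in the database.
$handlers = [
    'link' => function (string $arg) use ($pages): string {
        $id = (int) $arg;
        if (!isset($pages[$id])) {
            return '';                       // dangling link: render nothing
        }
        $title = htmlspecialchars($pages[$id]['title'], ENT_QUOTES, 'UTF-8');
        return '<a href="?id=' . $id . '">' . $title . '</a>';
    },
    'contact_form' => function (string $arg): string {
        // An empty action posts back to the same URL; sending the enquiry
        // and redirecting afterwards belongs in the page's PHP, not in the DB.
        return '<form method="post" action="">'
             . '<textarea name="enquiry"></textarea>'
             . '<button type="submit">Send</button></form>';
    },
];

function renderPage(string $body, array $handlers): string
{
    // Tokens look like {{name}} or {{name:argument}}; argument limited to [A-Za-z0-9_-].
    return preg_replace_callback(
        '/\{\{([a-z_]+)(?::([\w-]*))?\}\}/',
        function (array $m) use ($handlers): string {
            if (!isset($handlers[$m[1]])) {
                // Unknown token: show it as inert text instead of running anything.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return $handlers[$m[1]]($m[2] ?? '');
        },
        $body
    ) ?? $body;
}

echo renderPage($pages[1]['body'], $handlers), PHP_EOL;
echo renderPage($pages[2]['body'], $handlers), PHP_EOL;
```

Stored content can only name a handler and pass it a constrained argument, so a modified database row cannot introduce new code the way a string passed to `eval()` can.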