Execute PHP code contained in a MySQL database

Is it possible for me to execute PHP code contained in a MySQL db from another script?

For instance, if I store the code include("test/test.php"); in a MySQL database, can I then use a script to pull the data from the database and execute that code?

Thanks.
linuxrox Asked:
 
jdpipe Commented:
I think it would be quicker to use a template engine like Smarty, rather than this bespoke thing.
http://smarty.php.net

It will take you a couple of hours to work out how to use it, but after that you'll be cooking with gas.

JP
0
 
snoyes_jw Commented:
Yes.  Check out the eval() function.
http://www.php.net/manual/en/function.eval.php
0
 
punkstar Commented:
Yes, as snoyes said, use the eval function.

1.) You need to create the mysql connection with mysql_connect();
2.) Write your SQL and query the database with mysql_query();
3.) Parse your result with the eval(); function.

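For example:

<?php
// Note: the mysql_* extension used here was removed in PHP 7.
$connect = mysql_connect("server","username","password");
mysql_select_db("mydatabase",$connect);

// $_GET['id'] is concatenated into the query unescaped and unchecked.
$sql = "SELECT * FROM `invcludes_table` WHERE `id` = '".$_GET['id']."' LIMIT 1";
$dosql = mysql_query($sql,$connect);
$return = mysql_fetch_array($dosql);

// Runs whatever PHP source is stored in the php_code column.
eval($return['php_code']);
?>

...should work. The security in that script is terrible, so don't use it.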

Hope that answers your question!
0
 
virmaior Commented:
Of course, a good caveat is that this is a rather slow way of executing code... (at least it has proven to be so on Windows XP, can't answer for other PHP setups).

The main reason for this penalty is that the "compiler" can't do anything to your eval'd code.
Avoid this function if at all possible.
0
 
linuxrox (Author) Commented:
Ahh, good deal. Why is the security bad in that script?
0
 
Promethyl Commented:
Just store the filenames in the database, and include them in your script using require() or include().
0
 
virmaior Commented:
Because it is working directly from a $_GET variable and doesn't check for any rights, etc.
0
 
linuxrox (Author) Commented:
Well, what I have is this. I have an HTML editor with a template. This template has a set of comments such as <!--insertcode--><!--endcode-->
The script finds those comments, and based upon what the comments are, it needs to store some PHP code in the database to be executed later when pulled from another script. The idea is having different dynamic content based upon which HTML comments are found. I have one main script that pulls data from the database and displays stories etc. I would like it to find the code in the database and execute it.
0
 
Promethyl Commented:
Ah.

Eval() is your man then.
0
 
dougday Commented:
I agree with JD. If you're heading in that kind of direction, Smarty is a much, much better solution. And you can still use your database to store your templates.
-Doug
0
 
dougday Commented:
Er, JP I mean ;)
0
 
jdpipe Commented:
Yeah, storing PHP code in your database would be generally considered to be very poor design.
The idea of your database is that it should contain all the stuff that's NOT the code of your site. User details, page TEXT, navigation hierarchy, etc, but not the code that determines how those things are presented.
JP
0
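The design advice in this thread (code stays in the site's files, only data goes in the database), as an added example that is not from any of the posters: the stored template holds only marker comments, an allowlist maps marker names to handlers, and the row is fetched with an integer-validated, bound id. The `templates` table, the `insertdate` and `phpinfo` markers and the handler bodies are assumptions, and in-memory SQLite stands in for the MySQL table so it runs offline.

```php
<?php
declare(strict_types=1);

// Allowlist: marker name => handler that lives in the site's own PHP files.
// 'insertcode' is the marker from the thread; 'insertdate' is a hypothetical second one.
function handlers(): array
{
    return [
        'insertcode' => fn(string $arg): string =>
            '<ul><li>' . htmlspecialchars($arg, ENT_QUOTES) . '</li></ul>',
        'insertdate' => fn(string $arg): string => date('Y-m-d'),
    ];
}

// Replace <!--name-->...<!--endcode--> with the matching handler's output.
// A marker with no handler is dropped; nothing read from the database is executed.
function render(string $template, array $handlers): string
{
    return preg_replace_callback(
        '/<!--([a-z_]+)-->(.*?)<!--endcode-->/s',
        fn(array $m): string => isset($handlers[$m[1]]) ? $handlers[$m[1]]($m[2]) : '',
        $template
    ) ?? '';
}

// Fetch one template by id using a bound parameter instead of string concatenation.
function loadTemplate(PDO $db, $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer never reaches the query
    }
    $stmt = $db->prepare('SELECT body FROM templates WHERE id = ? LIMIT 1');
    $stmt->execute([$id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Constructed demo data (hypothetical table and row).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE templates (id INTEGER PRIMARY KEY, body TEXT)');
$db->prepare('INSERT INTO templates (body) VALUES (?)')->execute(
    ['<h1>News</h1><!--insertcode-->top story<!--endcode--><!--phpinfo-->x<!--endcode-->']
);

echo render(loadTemplate($db, '1') ?? '', handlers()), "\n";
var_dump(loadTemplate($db, "1' OR '1'='1")); // malformed id is rejected before any query
```

With MySQL, only the PDO connection string changes; the handlers and the query stay the same.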
Question has a verified solution.
