Re: php in database entry...



jbk@xxxxxxxxxx wrote:
"Jerry Stuckle" <jstucklex@xxxxxxxxxxxxx> wrote in message news:hebf8t$3nu$2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
jbk@xxxxxxxxxx wrote:
"Jerry Stuckle" <jstucklex@xxxxxxxxxxxxx> wrote in message news:he98tg$7fv$1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
jbk@xxxxxxxxxx wrote:
Hello there... I could use your knowledge here...


Problem:


In a database I have a field called extra_text
in which I store extra text... :-)


In my main PHP file I retrieve the field and I echo it ( echo $extra_text; )


Everything OK till now... Now I need this field to contain a PHP script that retrieves some info from another field, so let's say that the content in extra_text is "blabla bla <? $sql="SELECT more_info FROM something"; .....?>"
So, when I then echo $more_info I get... NOTHING...


There is nothing wrong with my PHP since I have checked it as a separate PHP file and it works normally...

So the problem must be that I echo the whole text with the PHP as a variable...

Please help me out!

With regards JBK
First of all, it's a very bad idea to keep PHP (or any other script) code in a database. Along with being just a poor design, it is a huge security risk.

But you can't just echo the code and expect it to work. You need to execute the text with eval().

But you are much better off creating a proper design for both your code and your database.

I was sure that it is not a good idea... but
I have 10.000 entries and I currently need it for only 1!
I mean it's no big deal....

So you think that instead of echo $extra_text I must use eval?

Thanx in advance!
JBK



(Top posting fixed)

Yes, you must eval() the code. And yes, it would be a big deal. Virtually ANY time you need to use eval(), you have a design problem. And EVERY time you use it, you have a huge security hole.

You really should find some other way to do what you want - like setting a flag in your database, for instance.

P.S. Please don't top post. Thanks.

> Sorry... wasn't intended...
>
> Thanx for your (really) quick answers!
>
> I have to go against the 'right' things right now because I have a time
> limit which was... yesterday...
> Since I am the only one populating the database, it won't be such a great
> problem (I guess)...
> New problem...
>
> I am trying to use eval but... I only get the names of the variables... can
> you help me out????
>
> parent php:
>
> blabla bla
>
> $sql = "SELECT extra_text FROM somewhere where id=123";
> //$what = mysql_query($sql);
> $results = mysql_query($sql);
> while ($row = mysql_fetch_array($results)) {
> extract($row);
>
> }
> $sql9 = "SELECT more_info FROM venzinadika WHERE ven_id=123";
> $reesults9 = mysql_query($sql9);
> while ($reaow9 = mysql_fetch_array($reesults9)) {
> extract($reaow9); }
>
>
> bla bla....
>
> eval("\$extra_text = \"$extra_text\";");
> echo $extra_text;
>
>
> So IN the db i have this:
> <table width="95%" border="0" cellspacing="2" cellpadding="2">
> <tr>
> <td>???????? 95</td>
> <td>$more_info</td>
> </tr>
> <tr>
> <td>Super</td>
> <td></td>
> </tr>
> <tr>
> <td>???????? 100</td>
> <td>&#8364;</td>
> </tr>
> <tr>
> <td>????????? ???????</td>
> <td>&#8364;</td>
> </tr>
> <tr>
> <td>????????? ?????????</td>
> <td>&#8364;</td>
> </tr>
> </table>
>
>
>
> BUT as I said, I only get the name of the variable...
>
> It might sound stupid and/or easy.. but I am stuck...
>
> Thanx in advance!
>
>

(top posting fixed again)

Being late is even more reason not to do it this way. And whether you are the only one to update the database or not, this is a huge security concern.

Do it right. Set a flag in the database (create a new column if you must) and test for the flag in your code. Had you done this in the first place, you would have been done hours ago.

And once again - PLEASE DON'T TOP POST!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
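
An added example, not code from the thread or from either poster: one way to follow the "set a flag in the database" advice, where the stored text is only ever treated as data and a flag decides whether a token in it is filled from the other table. The `has_more_info` column and the `{more_info}` token are assumptions, and PDO with an in-memory SQLite database stands in for the thread's mysql_* calls so the constructed sample rows run offline.

```php
<?php
// Added example. Tables `somewhere` and `venzinadika` are from the thread; the
// has_more_info flag column and the {more_info} token are assumptions.
$db = new PDO('sqlite::memory:');   // constructed sample data, runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE somewhere (id INTEGER PRIMARY KEY, extra_text TEXT,
                                   has_more_info INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE venzinadika (ven_id INTEGER PRIMARY KEY, more_info TEXT)');
$ins = $db->prepare('INSERT INTO somewhere (id, extra_text, has_more_info) VALUES (?, ?, ?)');
$ins->execute([123, '<table width="95%"><tr><td>95</td><td>{more_info}</td></tr></table>', 1]);
$ins->execute([124, '<p>Flag not set, so {more_info} stays as typed</p>', 0]);
$db->prepare('INSERT INTO venzinadika (ven_id, more_info) VALUES (?, ?)')
   ->execute([123, '1.45 <b>"promo"</b>']);

/**
 * Render extra_text for one row. The flag column decides whether the token is
 * filled in, and the looked-up value is HTML-escaped before it is inserted.
 * Nothing read from the database is passed to eval(). The stored extra_text
 * itself is still emitted as author-written HTML, as in the thread.
 */
function renderExtraText(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT extra_text, has_more_info FROM somewhere WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';                      // unknown id: nothing to show
    }
    if ((int) $row['has_more_info'] !== 1) {
        return $row['extra_text'];      // flag not set: text goes out unchanged
    }
    $stmt = $db->prepare('SELECT more_info FROM venzinadika WHERE ven_id = ?');
    $stmt->execute([$id]);
    $moreInfo = $stmt->fetchColumn();   // false when no matching row exists
    $safe = htmlspecialchars($moreInfo === false ? '' : (string) $moreInfo,
                             ENT_QUOTES, 'UTF-8');
    // strtr() with an array replaces only this exact token, in a single pass,
    // so text inside $safe is never re-scanned for further tokens.
    return strtr($row['extra_text'], ['{more_info}' => $safe]);
}

echo renderExtraText($db, 123), "\n";
echo renderExtraText($db, 124), "\n";
```

The double quotes in the stored HTML (`width="95%"`) pass through untouched here because the text is never re-parsed as PHP source.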