Re: php in database entry...



On Nov 21, 3:27 pm, <j...@xxxxxxxxxx> wrote:
In a database I have a field called extra_text
in which I store extra text... :-)

In my main php file I retrieve the field and I echo it ( echo $extra_text; )

Everything ok till now... now I need in this field to have a php script to
retrieve some info from another field, so let's say that the content in
extra_text is "blabla bla <? $sql="SELECT more_info FROM something";
.....?>
So, when I then echo $more_info I get... NOTHING...

When you are stuck with having to manipulate
strings of PHP code within your script, it is
usually a huge red flag that the initial
design needs to be redone. If the strings
are externally generated, it is a gaping
security hole, and you are asking for your
machine to be trashed; no data is secure.

Even if the PHP-containing strings are
generated in house, it is a big red flag that
the design is likely seriously flawed.
Regarding the particular snippet that you've
shown, it appears that you are doing an SQL
query whose results you want to possibly
manipulate before dumping to the browser.
This, in and of itself, offers no motivation
for what it is doing in the so far
undescribed database.

Nevertheless, if after considerable review,
it is something you insist on, then what I
would do is to write out the string in
question to a temporary file, and then include
that file within your script.

Why that way instead of just a simple eval?
The reason is that this way you can use
php.exe to lint your proposed script to
ensure that it is syntactically valid (which,
actually, you could do anyway by surrounding
your eval with a try/catch), and
if it doesn't compile, you will have a clue as to
where it went wrong. More to the point, if
your script has no syntax errors but keels
over during execution, you will also have a
better indication as to where/how it failed.

Again, do not even think about using this or
eval flavours if the script is externally
submitted, and even if not, only use it as a
matter of last resort.
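As an added illustration of the temp-file-plus-lint approach described above (this is example code, not from the original post or its author), the following PHP function writes the stored string to a temporary file, syntax-checks it with the PHP CLI's `-l` switch, and only then includes it, returning the variables the snippet defined so the caller can read `$more_info` back. It assumes the PHP binary is on PATH as `php`, and, as the post insists, that the snippet comes from an in-house source and never from user-submitted data; the sample snippets at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post. It implements the
// "write the string to a temporary file, lint it, then include it" approach
// described above, using the PHP CLI's -l (syntax check) switch. It assumes
// the PHP binary is on PATH as "php" and, as the post insists, that $code
// comes from an in-house source, never from user-submitted data.

function run_stored_snippet(string $code, array $vars = []): array
{
    $path = tempnam(sys_get_temp_dir(), 'snippet_');
    if ($path === false) {
        return ['ok' => false, 'error' => 'could not create a temporary file'];
    }
    // A snippet stored without an open tag would be emitted as plain text by
    // include (the "echo shows the code, not its result" symptom); prepend one.
    $source = substr(ltrim($code), 0, 2) === '<?' ? $code : "<?php\n" . $code;
    file_put_contents($path, $source);

    try {
        // Step 1: syntax check. Exit status 0 means the file compiles; otherwise
        // the lint output names the offending line, which is the clue the post
        // refers to. This checks syntax only, not what the code does.
        $lint = [];
        $status = 0;
        exec('php -l ' . escapeshellarg($path) . ' 2>&1', $lint, $status);
        if ($status !== 0) {
            return ['ok' => false, 'error' => implode("\n", $lint)];
        }

        // Step 2: run it in an isolated scope. Variables in $vars are made
        // visible to the snippet; whatever it defines is collected afterwards
        // so the caller can read (for instance) $more_info instead of NOTHING.
        $defined = (static function (string $__path, array $__vars): array {
            extract($__vars, EXTR_SKIP);
            include $__path;
            $all = get_defined_vars();
            unset($all['__path'], $all['__vars']);
            return $all;
        })($path, $vars);
        return ['ok' => true, 'vars' => $defined];
    } catch (\Throwable $e) {
        // A runtime failure arrives here with a line number pointing into the
        // temporary file, i.e. into the snippet itself.
        return [
            'ok'    => false,
            'error' => get_class($e) . ': ' . $e->getMessage() . ' on line ' . $e->getLine(),
        ];
    } finally {
        unlink($path);
    }
}

// Constructed sample inputs standing in for the extra_text column.
$good = '<?php $more_info = strtoupper($source_field) . " (computed)"; ?>';
$bad  = '<?php $more_info = ; ?>';   // deliberate syntax error for the lint path

$r = run_stored_snippet($good, ['source_field' => 'data from another field']);
echo $r['ok'] ? $r['vars']['more_info'] : $r['error'], "\n";

$r = run_stored_snippet($bad);
echo $r['ok'] ? 'unexpected success' : $r['error'], "\n";
```

Two details worth knowing when comparing this with a bare `eval`: on PHP 7 and later a syntax error inside `eval` throws a `ParseError` that a `try/catch` on `\Throwable` will catch, whereas on PHP 5 `eval` simply returned `false` for a parse error, so the explicit `php -l` step is the portable way to get a line-numbered diagnosis. Also, a snippet written with the `<?` short open tag, as in the quoted message, is only parsed as PHP when the `short_open_tag` ini setting is on; using `<?php` avoids that dependency.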

Csaba Gabor from Vienna