
Displaying PHP syntax in HTML source

In my CMS, I added this code <div><?php include("my_contact_form.php") ?></div>

which is updated to db. I see it there OK.

I have this PHP code in my display page after the DB call:

$content = $row['content'];

When I return $content inside the body, this is displayed in the HTML source:

<div><?php include("my_contact_form.php") ?></div>

How is this possible? Why isn't my contact form shown? If anyone has any suggestions, I would be extremely grateful. Greetings.

+2




5 answers


An easy solution is to run eval() on your content.

$content = $row['content'];

eval("?>".$content."<?php");

The PHP closing tag and the PHP opening tag allow HTML and PHP to be mixed inside the eval() statement.

About the choice of storing your PHP in the DB vs. in files:

Assuming your goal is to have PHP which can be edited by admins from the frontend and executed on your server, you have two options:

  • Write PHP to files and include() or exec() the files.
  • Write PHP to the DB and exec() it, or paste the content into files and include() them.

If you are on a dedicated or VPS server, it is best to write to files. However, if you are using a shared system, then writing to the database is actually the safer choice. That said, this holds only if you use a very secure system to query the database, in order to eliminate all SQL injection possibilities.



The reason the DB is safer in a shared environment is that the PHP process needs write access to the PHP files. Unfortunately, on "every" shared hosting setup, the same PHP user runs every account and thus has write access to the same PHP files. Thus, a malicious user simply has to register with the host and land on the same physical computer as you, or use a different account to access yours.

With PHP stored in MySQL, PHP cannot write the MySQL files since it has no privileges. This way you get safer code, provided you eliminate the possibility of SQL injection. Please note that if you have a writeable SQL injection vulnerability, you have also opened a remote code execution vulnerability.


Edit:

Sorry, the correct syntax is:

eval("\r\n?>\r\n ".$php."\r\n<?php\r\n");

This has been tested quite extensively and works with every PHP config/setup.

+3




It looks like you are storing PHP code in a database and expecting it to be executed when you echo it. This will not happen, as to the PHP interpreter it is just text (not PHP code), so it will just be echoed.

You can force PHP to interpret (run) the code in your string using the eval() function, but it comes with a lot of security warnings.



Storing code in a database is rarely the right solution.

+11




You are echoing $content, which just prints out the value, but it doesn't execute any PHP inside it.

+2




If you are using an existing CMS like Joomla, Drupal, etc., the CMS treats the text from the database as what it is: text. It will not execute the text; it will probably just pull a row from the DB and echo it on the page. See Brenton Alker's answer for a better explanation.

If possible, it would be better to work within the functionality of the CMS and avoid hacking the CMS source to use eval(). Depending on which CMS you are using, there might be a function (like a button in your editor or similar) to include code from another file.

Or maybe there is a function for creating "objects", "modules", or whatever they want to call them, which will allow you to put the code (like HTML) that you are trying to include in the "object" stored in the database, allowing you to include it on numerous pages. This would achieve the same goals as include() in PHP (code reuse, elimination of duplicates, making changes in one place, etc.), but it would also save you from hacking the CMS or starting to risk security.

If you have created your own CMS, you might want to create such a function. It all depends on your needs and the importance of security.

Ultimately, if you use eval(), and if anyone hacks:

  • Your DB
  • CMS admin interface

then they can execute any PHP code on your server. And if exec() is enabled in your php.ini (which is insecure), then they will also be able to run whatever code they want on your server ... eeek!

+1


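The "module" approach described in this answer, and the SQL-injection-to-RCE risk of the eval() approach in the first answer, can be illustrated with a small safelist-based renderer. This is an added example, not code from any of the answers or from any CMS: the render_content() function, the [include:NAME] tag syntax, the ALLOWED_INCLUDES map and the sample row are all constructed here, and it assumes partials/my_contact_form.php exists next to the script.

```php
<?php
// Added example: resolve DB-stored content against a fixed allowlist of
// include files instead of eval()-ing whatever the database row contains.
// All names here (render_content, ALLOWED_INCLUDES, [include:...]) are
// constructed for this example, not taken from the question or any CMS.

declare(strict_types=1);

// Allowlist: tag name => file on disk. Only these files can ever be
// included, so a tampered row (e.g. via SQL injection) cannot pull in
// arbitrary PHP the way an eval("?>".$content."<?php") would.
const ALLOWED_INCLUDES = [
    'contact_form' => __DIR__ . '/partials/my_contact_form.php',
];

/**
 * Render a DB-stored content string. Everything is passed through as HTML,
 * except [include:NAME] tags, which are replaced by the output of the
 * matching allowlisted file.
 */
function render_content(string $content): string
{
    return preg_replace_callback(
        '/\[include:([a-z0-9_]+)\]/',
        static function (array $m): string {
            $name = $m[1];
            if (!isset(ALLOWED_INCLUDES[$name])) {
                // Unknown tag: fail closed with an escaped note, never execute.
                return htmlspecialchars("[unknown include: $name]", ENT_QUOTES, 'UTF-8');
            }
            ob_start();
            include ALLOWED_INCLUDES[$name];   // run the partial into a buffer
            return (string) ob_get_clean();
        },
        $content
    );
}

// Constructed sample rows, standing in for $row['content'] from the CMS query.
$rows = [
    ['content' => '<div>[include:contact_form]</div>'],      // resolves to the partial
    ['content' => '<div>[include:../../etc/passwd]</div>'], // not matched: stays text
    ['content' => '<div><?php system("id"); ?></div>'],     // never executed, stays text
];

foreach ($rows as $row) {
    echo render_content($row['content']), "\n";
}
```

The editor's stored text is now data, not code: an attacker who can write the row can only choose among the entries in ALLOWED_INCLUDES, which is the property the eval() solution gives up.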


Thanks for that - simple solutions are the best for me! Thanks for the additional information. Unfortunately eval(), as you supposed, didn't work for me here. So, plan C: I decided to create a TinyMCE picker template that has an iframe which calls the contact_form page, and all the processing happens in the iframe. It works. Thanks everyone!

0



