current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

What I want to do is pull html and PHP code out from a database and then execute it. So for example I may have: 

<?php 
  $test = <<<END
    <p> <?php 
    echo time(); 
    ?> </p>
    END;
  echo $test;
?>

What I want is to get $test to print 

<p> 12:00PM </p>                  //right

instead of printing:

<p> <?php echo time(); ?> </p>    //wrong

as occurs when I use the echo function.

Please do not tell me how to do the same thing with JavaScript or other work around. Instead stick to the question and remember the example is just an example to demonstrate my problem. The actual code is much more complicated.

I have looked at Javascript string variable that contains PHP code but none of the answers work.

Thanks,

Brett

share|improve this question
2  
Curious to know though, why are you storing PHP code in a database? Is it some sort of template system? –  Ja͢ck May 14 '12 at 4:26
    
That is exactly it @Jack it is for a template for a web app. –  Brett May 14 '12 at 4:36
    
I see. Of course, because you use eval you won't get any speed-up from opcode caches either :) –  Ja͢ck May 14 '12 at 4:45
    
Sorry @Jack what are opcode caches? –  Brett May 14 '12 at 4:46
    
APC for instance: php.net/apc –  Ja͢ck May 14 '12 at 4:48

3 Answers 3

up vote 4 down vote accepted

You can use eval() for this

$test = <<<END
<p> <?php 
echo time(); 
?> </p>
END;


ob_start();
eval("?>$test");
$result = ob_get_clean();
share|improve this answer
1  
This is correct, but just a note... Sometimes you will have database html without php code & sometime with php code - so, any database html with php always start with ?> if its just html you don't need to start with ?> - then you can miss off the ?> from eval() –  RiquezJP May 14 '12 at 4:31
    
Nice one Chris! This works nicely. –  Brett May 14 '12 at 4:31
    
Thanks @RiquezJP that helps. –  Brett May 14 '12 at 4:36
up vote 3 down vote

I would strongly recommend against doing what you're asking to do. There are a number of very good reasons for this.

The answer to the question, as others have said, is to use eval(). However, eval() has several major issues with it.

Firstly, to follow-up from the comments on the question, code run through it is executed significantly slower than regular PHP code. Although PHP is a scripted language, it does have optimisations to make run faster. None of these optimisations work for an eval block, because the scripting engine can't know what the code will look like until it actually runs it.

Not only that, but loading the code from the database will also be slower than loading it from a file using a regular include() statement.

Secondly, eval() is one of the biggest security headaches you can have. An eval() statement will run any PHP code it is given, which means that an attacker can manipulate the code will be able to do anything on your server. In short, a single eval() statement in your code can turn a minor hack into a catastrophic one.

One alternative solution that doesn't involve changing your concept too much would be to save the PHP code to a file rather than the DB. This would allow you to simple include() it at the appropriate time, and would eliminate the speed issues discussed above. You could still use the DB to store it if you wished, and have it export to a cache file using a cron job or similar, or you could just save it directly to the file.

However, this solution wouldn't necessarily eliminate the security risks. You would still be running effectively arbitrary code, which would still mean that a hacker could do a lot of damage with a relatively simple hack.

I would therefore recommend re-thinking why you need to allow user-input PHP code to be entered into your software.

share|improve this answer
    
Thank you I really appreciate your response. You have clearly explained the problem and suggested a few solutions. I really wish more people responded as you have. Thanks so much. –  Brett May 15 '12 at 6:21
up vote 1 down vote

Something like this might be useful...

<?php echo writedata($code_to_parse); ?>

<?php
function writedata($data){
    if(substr($data,0,2)=="?>"){
        eval($data);
    // eval will run & echo the code immediately, so return an empty $code
    $code="";
}else{
    $code="$data";
}
return $code;
}
?>

Now you can handle either plain html & mixed php/html with one function call.

Sample data:

?>Bonjour. The time now is <?php echo $timenow; ?> in Paris.

<div class="bluebox">Perfect day for swimming</div>

There are some side effects using eval(), remember it will execute as soon as to call it, so can sometimes have unexpected results.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.