RE: [PHP] eval();

Posted by "Josh McDonald" on 10/31/05 08:04

Keep in mind, eval()ing code you pull from the database will also raise the
damage from a SQL injection attack or similar from a PITA
restore-your-database to a much bigger PITA format-webserver.

-Josh

--

My name was Brian McGee
I stayed up listening to Queen
When I was seventeen

Josh 'G-Funk' McDonald :: Pirion Systems, Brisbane

07 3257 0490 :: 0437 221 380 :: josh@gfunk007.com


-----Original Message-----
From: Richard Lynch [mailto:ceo@l-i-e.com]
Sent: Monday, 31 October 2005 3:57 PM
To: John Taylor-Johnston
Cc: php-general@lists.php.net; Jasper Bryant-Greene
Subject: Re: [PHP] eval();

On Sun, October 30, 2005 8:51 pm, John Taylor-Johnston wrote:
> eval( " ?> $contents <?php " );
>
>>However, if eval() is the answer, you're probably asking the wrong
>>question. You should take a hard look at your code and think of a
>>better way to do what you need to do.
>>
>>
> Back to the drawing board? It is either store my html+embedded code in
> a mysql record, or in an html file, which means playing with fopen.
> It's easier to hand tweak in phpmyadmin.
> Nonetheless, even though your test code worked (thanks!) this doesn't.
> Sigh.
>
> if ($contents = displaynew()){
>     echo "CONTENTS:<pre>", htmlentities($contents), "</pre>\n";
>     eval( " ?> $contents <?php " );
> }

I'm guessing $contents ain't what you think.


>
> function displaynew()
> {
> $file = basename($_SERVER['PHP_SELF']);
> require 'connect.inc';
> $sql = "SELECT HTML FROM `$db`.`$table_editor` WHERE `Filename`
> LIKE '".addslashes($file)."' LIMIT 1;";
> if ($myquery = mysql_query($sql) and mysql_num_rows($myquery) > 0)

This 'and' should probably be '&&' ...

Though I never really used 'and' enough to know for sure.

At any rate, you've got *NO* error-checking for an invalid query here.

> {
> $mydata = mysql_fetch_array($myquery, MYSQL_NUM);
> return $mydata[0];
> }
> return false;
> }


--
Like Music?
http://l-i-e.com/artists.htm
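The two problems raised in this thread, no error checking around the query and eval() of whatever the row contains, can be closed together. The following is an added example and not code from the thread: the same lookup rebuilt with a bound parameter, explicit failure on query errors, and placeholder substitution instead of eval(). The connection details, the `render()` helper and the `{{name}}` placeholder syntax are assumptions; `$db` and `$table_editor` stand in for the values John's connect.inc provides.

```php
<?php
// Added example (not from the thread). Binding the filename instead of
// addslashes() + LIKE removes the injection path, and rendering the stored
// HTML through a fixed placeholder set instead of eval() means that even a
// row an attacker manages to write (SQL injection, a weak phpMyAdmin login)
// is displayed as markup, never executed as PHP on the web server.

function displaynew(mysqli $conn, string $db, string $table_editor): ?string
{
    $file = basename($_SERVER['PHP_SELF']);
    // Identifiers come from configuration, not the request; backtick-quote
    // them anyway so a stray backtick cannot change the statement shape.
    $sql = sprintf('SELECT `HTML` FROM `%s`.`%s` WHERE `Filename` = ? LIMIT 1',
                   str_replace('`', '``', $db),
                   str_replace('`', '``', $table_editor));
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {                       // the check the original lacks
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $file);               // no escaping, no LIKE wildcards
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($html);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $html : null;
}

// Assumed replacement for eval("?> $contents <?php "): only {{name}} tokens
// are substituted, values are HTML-escaped, unknown tokens stay literal.
function render(string $template, array $vars): string
{
    return preg_replace_callback('/\{\{(\w+)\}\}/', function ($m) use ($vars) {
        return isset($vars[$m[1]])
            ? htmlspecialchars($vars[$m[1]], ENT_QUOTES, 'UTF-8')
            : $m[0];
    }, $template);
}

// Constructed connection values; in John's setup these come from connect.inc.
$db = 'site';
$table_editor = 'pages';
$conn = new mysqli('localhost', 'dbuser', 'PLACEHOLDER_PASSWORD', $db);
$conn->set_charset('utf8mb4');

if (($contents = displaynew($conn, $db, $table_editor)) !== null) {
    echo render($contents, ['title' => 'Home', 'user' => 'visitor']);
} else {
    echo 'No stored page for this file.';
}
```

If the stored pages genuinely need logic rather than substitution, keep that logic in PHP files on disk under version control and store only data in MySQL; the database then stays a data store rather than a second code path.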

--
PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php
