
Using eval() to execute PHP directly from the database

I am at the moment making a website where I'm storing all of my HTML-based pages in a MySQL database (accessed through mysqli), and I came to this problem where I couldn't execute my PHP code by using echo. So I found this solution where I had to use eval() in order for my PHP code to run. I heard it could be really dangerous if you do not validate it correctly.

$firstname =  htmlspecialchars($mysqli->real_escape_string($row['firstname']));

So far this is how I have been validating it; would this be secure enough?

Note: that line of code is used when I request the information from the database, to be displayed on the page.

I'm sorry if I haven't explained myself well enough, I'm still new to this. :)

This is how I get my pages from the database.

<?php 
if (isset($_GET["page"]) && $_GET["page"] != null) {
    // $_GET["page"] is interpolated straight into the SQL string, without
    // escaping or a bound parameter.
    $query = "SELECT * FROM pages WHERE pagename = '$_GET[page]'"; 
    $result = $mysqli->query($query); 

    while ($row = $result->fetch_array(MYSQLI_ASSOC)){ 
        $pagetitle = $row["pagetitle"]; 
        $pagename = $row["pagename"]; 
        $pagecontent = $row["pagecontent"];
    }
} else {
    // Default page when no ?page= parameter is given.
    $query = "SELECT * FROM pages WHERE pagename = 'index.php'"; 
    $result = $mysqli->query($query); 

    while ($row = $result->fetch_array(MYSQLI_ASSOC)){ 
        $pagetitle = $row["pagetitle"]; 
        $pagename = $row["pagename"]; 
        $pagecontent = $row["pagecontent"];
    }
}
?>

real_escape_string simply removes any characters that might be used for SQL injection. If you execute user input as PHP code, you give your users the same possibilities you have in your PHP scripts, including running system commands, for example to remove all files from your server.

You don't want to be doing this. Can you elaborate on the particular case you are mentioning? There is probably a better solution to your problem.

I'd just like to say that you're doing two things here that are generally considered bad practices.

  1. Storing code that will be executed in a database. (Always store code in text files; that way it is version controlled and also less vulnerable to SQL attacks.)
  2. Using eval().

Both of these are bad ideas and will almost certainly bite you in the ass at some point.

What is it that you're trying to do?
