
I am atm making a website where I'm storing all of my HTML based pages in a mysqli database, and I came to this problem where I couldn't execute my PHP code by using echo. So I found this solution where I had to use eval(); in order for my PHP code to run, I heard it could be really dangerous if you do not validate it correctly.

$firstname =  htmlspecialchars($mysqli->real_escape_string($row['firstname']));

So far this is how I have been validating it, would this be secure enough?

Note: that line of code is used when I request the information from the database, to be display on the page.

I'm sorry if I haven't explained myself well enough, I'm still new to this. :)

This is how I get my pages from the database.

<?php
// Assumes $mysqli is an already-open mysqli connection (not shown in the post).
// Fall back to the index page when no ?page= parameter is given.
$pagename = (isset($_GET["page"]) && $_GET["page"] !== "") ? $_GET["page"] : "index.php";

// Bind the page name as a parameter instead of interpolating $_GET into the
// SQL string, so a crafted ?page= value cannot alter the query.
$stmt = $mysqli->prepare("SELECT pagetitle, pagename, pagecontent FROM pages WHERE pagename = ?");
$stmt->bind_param("s", $pagename);
$stmt->execute();

// pagename is expected to be unique, so a single fetch is enough.
$stmt->bind_result($pagetitle, $pagename, $pagecontent);
if (!$stmt->fetch()) {
    // No such page: leave the variables empty for the caller to handle.
    $pagetitle = $pagename = $pagecontent = null;
}
$stmt->close();
?>
  • That code just protects against SQL injection. If you're going to use eval with untrusted data, you need to run in a sandbox. Commented Dec 14, 2014 at 10:59
  • If eval is your answer, you're asking the wrong questions. Commented Dec 14, 2014 at 11:01
  • What's wrong with storing PHP in files? Commented Dec 14, 2014 at 11:01
  • Mostly newbies think in terms of eval. Since it looks like you are indeed new to PHP, I would suggest that you forget that eval() exists (for a year or two at least, but most probably forever). That will instantly make you less of a newbie and will keep you from making some weird design choices, like storing PHP code in a database ... :) Commented Dec 14, 2014 at 11:21
  • The database is about your data, not about code... You never really need to store your code in the database. Commented Dec 14, 2014 at 11:45

2 Answers


real_escape_string simply removes any characters that might be used for SQL injection. If you execute user input as PHP code, you give your users the same possibilities you have in your PHP scripts, including running system commands to remove all files from your server, for example.

You don't want to be doing this. Can you elaborate on that particular case you are mentioning? There is probably a better solution to your problem.


3 Comments

My problem was that all of my pages are in the database, and I wanted to make a place where people can post feedback on one of my pages, and I have to use PHP to make that possible. What could a solution be?
You should have a file called 'page.php' for example. A user navigates to page.php?id=123. You select the text for that page from your database ("(..) WHERE id=" . $mysqli->real_escape_string($_GET['id']) for example). This will just return your text on that page. The form for providing feedback is part of your page.php file. Handling the feedback is also done in the page.php file. You store the feedback itself in a separate table in your database and connect it to the right page by storing its page ID. This is just basic PHP. I would recommend searching for some tutorials before you proceed.
I didn't understand much of that, but I will try to store the pages in a file instead now. I've updated the post, so you can see the PHP code I used to get the pages from my database.
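The page.php?id=123 approach described in the comment above, written out as an added example; this is not the answerer's code or the asker's project code. It assumes an open `$mysqli` connection and two tables whose names and columns are assumptions: `pages(id, pagetitle, pagecontent)` for author-written pages and `feedback(id, page_id, body, created_at)` for visitor feedback. The page markup is stored and echoed as data, the feedback is stored as data and shown escaped, and nothing is ever passed to eval().

```php
<?php
// page.php -- added example (not from the original answer).
// Assumptions: $mysqli is an open mysqli connection; tables
// pages(id, pagetitle, pagecontent) and feedback(id, page_id, body, created_at).

// Escape anything that came from a visitor before it is placed into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1. Validate the page id as an integer and look the page up with a bound
//    parameter, never by concatenating $_GET into the SQL string.
$pageId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($pageId === null || $pageId === false) {
    http_response_code(400);
    exit('Missing or invalid page id');
}

$stmt = $mysqli->prepare('SELECT pagetitle, pagecontent FROM pages WHERE id = ?');
$stmt->bind_param('i', $pageId);
$stmt->execute();
$stmt->bind_result($pagetitle, $pagecontent);
if (!$stmt->fetch()) {
    http_response_code(404);
    exit('No such page');
}
$stmt->close();

// 2. Handle a submitted feedback form for this page. The text is stored as
//    data linked to the page id; it is displayed escaped later and never run.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['feedback'])) {
    $body = trim($_POST['feedback']);
    if ($body !== '' && strlen($body) <= 2000) {
        $ins = $mysqli->prepare(
            'INSERT INTO feedback (page_id, body, created_at) VALUES (?, ?, NOW())'
        );
        $ins->bind_param('is', $pageId, $body);
        $ins->execute();
        $ins->close();
    }
    // Redirect after POST so a browser refresh does not resubmit the form.
    header('Location: page.php?id=' . $pageId, true, 303);
    exit;
}

// 3. Load the existing feedback for this page.
$comments = [];
$sel = $mysqli->prepare(
    'SELECT body, created_at FROM feedback WHERE page_id = ? ORDER BY created_at DESC'
);
$sel->bind_param('i', $pageId);
$sel->execute();
$sel->bind_result($body, $createdAt);
while ($sel->fetch()) {
    $comments[] = ['body' => $body, 'created_at' => $createdAt];
}
$sel->close();
?>
<!DOCTYPE html>
<html>
<head><title><?= h($pagetitle) ?></title></head>
<body>
<?php
// The page body is markup written by the site author (trusted content), so it
// is output as stored. It is static HTML, not code, and is never eval()'d.
echo $pagecontent;
?>
<h2>Feedback</h2>
<form method="post" action="page.php?id=<?= (int) $pageId ?>">
  <textarea name="feedback" maxlength="2000" required></textarea>
  <button type="submit">Send</button>
</form>
<ul>
<?php foreach ($comments as $c): ?>
  <li><?= h($c['created_at']) ?>: <?= h($c['body']) ?></li>
<?php endforeach; ?>
</ul>
</body>
</html>
```

The split that matters is between the two kinds of stored text: the page body is content the site author wrote, so it can be echoed as HTML, while the feedback comes from visitors and is always passed through `h()` before it reaches the page. Both are retrieved with prepared statements, so neither the `id` parameter nor the feedback text can change the SQL, and because the feedback is only ever displayed, there is no need for eval() anywhere in the flow.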

I'd just like to say that you're doing two things here that are generally considered bad practices.

  1. Storing code that will be executed in a database. (Always store code in text files; that way they're version controlled and also less vulnerable to SQL attacks.)
  2. Using eval().

Both of these are bad ideas and will almost certainly bite you in the ass at some point.

What is it that you're trying to do?

3 Comments

Hmm, so you say it would be better to have the pages in a physical file?
@Athax I'm not certain how much experience you have with using a version control tool (like git) but if you haven't used one before I'd highly recommend it. You'll wonder how you ever got by without one before. There are only very rare edge cases where you would want to dynamically generate code, and for this reason (among others) you don't want to store executable code in a database. Also since database contents aren't version controlled, if you are using a version control system, storing your code in regular physical files guarantees your changes are always backed up.
I changed my website to have the files physical.
