  1. #1

    executing PHP within user-supplied content

    I'm creating a small app for someone who wants to control the content of each page from a DB.

    Effectively, it'd be a template file with header, footer, etc. all pre-built, and the content area supplied from a TEXT field in a MySQL table - basically the same idea WordPress uses.

    This is all fine, but a couple of pages would require some PHP - e.g., a list of events or users or articles, whatever, that are managed in different tables.

    I can do this with eval - something like:

    Code:
    function render_content($string) {
        ob_start();                     // buffer everything the content echoes
        eval("?>$string<?php ");        // run the DB content as a PHP template
        $returns = ob_get_contents();   // grab the buffered output
        ob_end_clean();                 // discard the buffer itself
        return $returns;
    }
    But I wonder if there's a better way. I can probably limit whatever code needs to be executed to include files, so I thought maybe include some arbitrary tag and use a regexp to parse it out... maybe modeled after a conditional comment, e.g.,

    Code:
    <!--[include]some-file.inc.php-->
    // or even...
    <include>some-file.inc.php</include>
    But, again, I'm not thrilled with the approach, and wondered if anyone had a better idea.

    I should probably mention that it's not going to be a "content or include" setup - it probably won't be one or the other, exclusively, and is likely to be a mix on those pages that require it - the PHP might need to appear before, after, or in the middle of whatever arbitrary markup the user happens to supply, e.g.

    Code:
    <h1>This is a list of stuff</h1>
    <p>Some explanation lorem ipsum dolor sit amet.</p>
    <?php include('some-file.inc.php'); ?>
    <em>But this caveat applies to the above list.</em>
    <div>
      Something totally unrelated.
      <img src="pic.jpg" />
    </div>
    Not sure I explained that very well, but hopefully the concept comes across.

    TYIA

  • #2
    Personally, I'd go with the regex/include option. There's never a valid reason for using eval, in my book. Things that you should do:

    1) Create a custom function for parsing and executing the include. Pass your extracted filename to that function and parse the string within the function so that you end up with a filename alone, and then include that file from a specified directory. Don't allow ../ or such in the filename, under any circumstances.

    2) Only parse and include that file if the editing user is logged in and of a specified user level. If they're not, parse and discard the include for the content.

    3) Don't allow direct PHP code within the content. Rather than doing as in your example above, do something like:

    Code:
    <h1>This is a list of stuff</h1>
    <p>Some explanation lorem ipsum dolor sit amet.</p>
    file_include('some-file.inc.php')
    <em>But this caveat applies to the above list.</em>
    <div>
      Something totally unrelated.
      <img src="pic.jpg" />
    </div>
    You have something which you can easily parse for and don't need to allow direct execution of PHP code. Simple answer is to be completely anal in what you accept, and discard anything which doesn't fit the bill.
    Last edited by MattF; 11-09-2010 at 03:27 PM.

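    One way to implement the three points above (an added example, not code from this thread): the `render_page` function below scans the stored content for `file_include('name')` tokens, accepts only a bare file name that resolves inside a fixed include directory, and splices in the include's output only when the editing user is privileged, otherwise the token is dropped. `INCLUDE_DIR`, `resolve_include`, `run_include`, `render_page` and the `$can_run` flag are names assumed for this example.

    ```php
    <?php
    // Added example: eval()-free handling of file_include('...') tokens in DB content.

    // The only directory from which content may pull includes (assumed location).
    define('INCLUDE_DIR', __DIR__ . '/includes');

    // Turn a token file name into a real path under INCLUDE_DIR, or null if it is
    // not a plain name (no slashes, no "..", no NUL) or the file is not there.
    function resolve_include(string $name): ?string
    {
        if (!preg_match('/\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.php\z/', $name)) {
            return null;                              // rejects "../x", "/etc/x", "a\0b", ...
        }
        $base = realpath(INCLUDE_DIR);
        $path = realpath(INCLUDE_DIR . '/' . $name);
        if ($base === false || $path === false
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            return null;                              // missing, or resolved outside INCLUDE_DIR
        }
        return $path;
    }

    // Run one include and hand back whatever it printed.
    function run_include(string $path): string
    {
        ob_start();
        include $path;
        return ob_get_clean();
    }

    // Replace every file_include('name') token in $content. $can_run must only be
    // true when the editing user is logged in at the required level (point 2);
    // for anyone else, or for a name that does not resolve, the token is discarded.
    function render_page(string $content, bool $can_run): string
    {
        return preg_replace_callback(
            "/file_include\\('([^']*)'\\)/",
            function (array $m) use ($can_run): string {
                $path = resolve_include($m[1]);
                if ($path === null || !$can_run) {
                    return '';                        // discard: unknown file or unprivileged user
                }
                return run_include($path);
            },
            $content
        );
    }

    // Constructed sample content in the format MattF suggests.
    $content = "<h1>Events</h1>\nfile_include('some-file.inc.php')\n<em>Caveat.</em>";
    echo render_page($content, /* $can_run */ true);
    ```

    Because `resolve_include` whitelists the name shape before touching the filesystem, the `realpath` check is a second line of defence rather than the only one.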

  • #3
    That helps. Thanks.
