Parse PHP code from database
#1

mvdg27
Hi,

Just a quick question: is there a smart way to parse some PHP code that has been extracted from a database? To be more specific: I'm currently working on a simple CMS. Now I'm thinking of storing the HTML content in a database, instead of separate files on disk. (This has been advised to me by others; if someone feels differently about this approach, please let me know :) )

Now I'd actually like to be able to parse the code that has just been extracted from the db. E.g. load a view, or just parse some data through a foreach loop.

How would I go about this? Can someone share some insights on this?

Thanks!

Michiel
#2

Jamie Rumbelow
I would use PHP's eval() function (http://uk.php.net/manual/en/function.eval.php). Just pull the code from the db, and chuck it into that function in your view or something.

It's easy!
#3

webthink
Yikes... be careful here. If any of this content is editable by users and you're executing it directly on the server you could be asking for trouble. Not inherently insecure... but if done wrong could be a nightmare... Just a heads up.
#4

m4rw3r
You could use some kind of template engine that has limited functionality (to prevent users from doing stupid (insecure) things).
#5

webthink
Quote: "You could use some kind of template engine"
like views ;)


@OP
Perhaps if you mentioned why you want to store executable code along with your content it might help us to suggest the best approach.
#6

mvdg27
Hi,

Thanks for the replies. Firstly, I've always been told: eval() = evil() ..

Well, to explain a bit further: I'm working on a CMS. Basically it's no more than storing the menu structure of a website and the content for each page. Now usually the content will be just plain HTML, inserted by a WYSIWYG editor. But I'm thinking now that this might be limited in some cases. For example, it would be nice if a user could insert a template file in the content, simply by adding a short piece of PHP code. Or even simpler, in the content a user might want to add the variable name of a user, which will be made available by CI.

For example, imagine a contact form. After submitting the contact form (handled by CI), usually a thank you page is displayed. Now I would like the thank you page to be created by the CMS user. In that case it's nice to be able to include the sender name in the thank you page, which is a variable that comes from CI. (Dear <?=$sender_name?>, thank you for contacting us .. etc.)

As you can see, it's still a little vague for me as well .. I'm not sure yet, what situations might occur. But I do know from past experience, that sometimes it's handy if you're allowed to insert at least some php code.

But perhaps it's bad practice to allow any PHP code in a CMS environment? Then the question is, how do you guys handle these situations?

Thanks! Michiel
#7

err403_love
Keep the templates HTML-only, but build a phrasing system such that a user can modify all the default phrases.

You'll need a phrases table with something like phraseid, variable (actual text you evaluate in the template), text, and possibly a column for the user and time it was modified. Taking it even further you could have a 'phrasetype' column (default/custom, keeping the originals in the DB for reverting to), a 'language' column for multilingual support, and so on.

Then in the templates it could appear, for example:
Code:
Dear <?=$username?>,
<?=$confirmation_msg?>
And instead of it actually parsing it as PHP, your app would use 1 query to grab all the phrases needed on that page and display them appropriately.

Of course, in the example above, your username needs to be dynamic, so you need some kind of a separation for the method in which the "phrases" are parsed.

So instead you could do:
Code:
Dear <?=$username?>,
<?phrase=$confirmation_msg?>
So anything in the normal PHP shorthand would be parsed correctly, and the "phrase" tags would be replaced with the associated phrase in the database.

This way you could also provide support for entire languages. Have somebody localize it, and then it becomes a simple SQL file that a person can upload in the admin section of their CMS.
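
Added example (not part of any post in this thread, and not CodeIgniter's own code): one way to build the limited substitution suggested in posts #4 and #7, so that content stored in the database is rendered without eval(). The `{name}` and `{phrase:key}` placeholder syntax, the function name `render_content` and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration: render DB-stored content with whitelisted placeholders
// instead of eval(). Placeholder syntax and all names here are hypothetical.

/**
 * Replace {var} and {phrase:key} tokens in $content.
 * - {var} is looked up in $vars (runtime values such as a sender name).
 * - {phrase:key} is looked up in $phrases (rows loaded from a phrases table).
 * Unknown tokens are left untouched; nothing is ever executed as PHP.
 */
function render_content(string $content, array $vars, array $phrases): string
{
    $pattern = '/\{(phrase:)?([a-z_][a-z0-9_]*)\}/i';

    return preg_replace_callback(
        $pattern,
        function (array $m) use ($vars, $phrases): string {
            // $m[1] is 'phrase:' for phrase tokens and '' for plain variables.
            $source = ($m[1] !== '') ? $phrases : $vars;
            $key = $m[2];
            if (!array_key_exists($key, $source)) {
                return $m[0]; // unknown placeholder: emit it literally
            }
            // Escape on output so a submitted value cannot inject markup.
            return htmlspecialchars((string) $source[$key], ENT_QUOTES, 'UTF-8');
        },
        $content
    );
}

// Constructed sample data standing in for a content row, a phrases query
// result and a contact-form submission.
$stored  = '<p>Dear {sender_name},</p><p>{phrase:confirmation_msg}</p>'
         . '<p>{unknown_token} <?php echo 1 + 1; ?></p>';
$vars    = ['sender_name' => '<b>Michiel</b>'];
$phrases = ['confirmation_msg' => 'Thank you for contacting us.'];

// The PHP tag in $stored is passed through as inert text, never evaluated,
// and the markup in sender_name comes out entity-escaped.
echo render_content($stored, $vars, $phrases), "\n";
```

The stored content itself is still emitted as HTML, so whoever can edit it in the CMS must be trusted to author markup, or the content needs its own sanitising step.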



