Get away from eval()

Greetings, all.

Thanks to those who fielded my SQL injection question yesterday. Enormously helpful.

On to eval().

I've got a PHP 4.3.xx and a MySQL 4.xx (sometimes 3.2xx) database that is the basis of a CMS. The story field of the content table sometimes holds PHP code that needs to be executed when it's called. Mostly simple forms, some includes, and the like.

For the life of me, I cannot figure out how to execute that code without using an eval() statement, and I'd like to avoid using eval() for security and overhead reasons.

A sample looks like this:
$query = "SELECT * FROM $database.$stories where id='$sid';";
$result = mysql_query($query);
$numberofresults = mysql_num_rows($result);
for ($i = 0; $i < $numberofresults; $i++)
{
    $row = mysql_fetch_array($result);
    // Stored story content, which may contain PHP code
    $body = ($row['storycontent']);
    echo ("<h1>".ucwords($hl)."<img src=\"image456.jpg\">");
}
// Execute the stored content as PHP
eval($body=$body);

This works, and the scripts execute. But there's always room for improvement.

I've read about using output buffers, but can't understand quite how that works. 

Any suggestions would be appreciated.

-V

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
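
One way to get the same effect without eval(), shown as an added example that is not part of the original post: the story field stores a placeholder token instead of PHP, and the token is resolved through an allowlist of code that lives in the application, with output buffering (ob_start/ob_get_clean) capturing what that code echoes. It assumes PHP 7 or later; the [[widget:...]] syntax, the widget names and /contact.php are hypothetical.

```php
<?php
// Added example (PHP 7+). Widget names and the [[widget:...]] syntax are hypothetical.
// Allowlist: token name => code that lives in the application, not in the database.
$widgets = [
    'contact_form' => function (array $args): void {
        $to = htmlspecialchars($args[0] ?? 'editor', ENT_QUOTES, 'UTF-8');
        echo '<form method="post" action="/contact.php">',
             '<input type="hidden" name="to" value="', $to, '">',
             '<textarea name="message"></textarea><button>Send</button></form>';
    },
    'server_date' => function (array $args): void {
        echo date('Y-m-d');
    },
];

// Replace [[widget:name arg ...]] tokens with the output of the matching
// allowlisted callable. The stored text itself is never executed.
function render_story(string $body, array $widgets): string
{
    $out = preg_replace_callback(
        '/\[\[widget:([a-z_]+)((?:\s+[\w.-]+)*)\]\]/',
        function (array $m) use ($widgets): string {
            if (!isset($widgets[$m[1]])) {
                // Unknown token: show it as inert text instead of running anything.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $args = preg_split('/\s+/', trim($m[2]), -1, PREG_SPLIT_NO_EMPTY);
            ob_start();                 // capture everything the widget echoes
            try {
                $widgets[$m[1]]($args);
                return ob_get_clean();  // hand back the captured output
            } catch (Throwable $e) {
                ob_end_clean();         // discard partial output on failure
                return '';
            }
        },
        $body
    );
    return $out ?? $body;               // on a regex error, fall back to the stored text
}

// Constructed sample rows standing in for the storycontent column.
$stories = [
    '<p>Write to us:</p> [[widget:contact_form sales]]',
    '<p>Today is [[widget:server_date]].</p>',
    '<p>Stored PHP is passed through as text: <?php echo "hi"; ?> [[widget:drop_tables]]</p>',
];
foreach ($stories as $body) {
    echo render_story($body, $widgets), "\n";
}
```

With this layout, write access to the content table no longer means code execution on the web server: a row can only select among the callables the application already ships.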

