How do I execute PHP that is stored in a MySQL database?

Accepted answer
Score: 32

You can use the eval command for this. I would recommend against this though, because there's a lot of pitfalls using this approach. Debugging is hard(er), it implies some security risks (bad content in the DB gets executed, uh oh).

See When is eval evil in php? for instance. Google for Eval is Evil, and you'll find a lot of examples why you should find another solution.

Addition: Another good article with some references to exploits is this blogpost. Refers to past vBulletin and phpMyAdmin exploits which were caused by improper Eval usage.

Score: 26


<?php
// $x: your variable with the data from the DB
echo eval("?>" . $x . "<?php "); // re-open with the full tag so it does not depend on short_open_tag
?>

Let me know, works great for me in MANY applications, can't help but notice that everyone is quick to say how bad it is, but slow to actually help out with a straight answer...

Score: 5

The eval() function was covered in other responses here. I agree you should limit use of eval unless it is absolutely needed. Instead of having PHP code in the db you could have just a class name that has a method called, say, execute(). Whenever you need to run your custom PHP code, just instantiate the class of the name you just fetched from the db and run ->execute() on it. It is a much cleaner solution and gives you a great field of flexibility and improves site security significantly.
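An added example (not part of any answer on this page) of the class-name approach described above. It makes one assumption beyond the answer: the database stores a short key that is checked against a fixed allowlist, rather than a class name that is instantiated directly. The names Block, GreetingBlock, FooterBlock, BLOCKS and runBlock are hypothetical.

```php
<?php
declare(strict_types=1);

// Contract every DB-selectable block must implement (hypothetical name).
interface Block
{
    public function execute(array $context): string;
}

final class GreetingBlock implements Block
{
    public function execute(array $context): string
    {
        return 'Hello, ' . htmlspecialchars((string) ($context['user'] ?? 'guest'), ENT_QUOTES, 'UTF-8');
    }
}

final class FooterBlock implements Block
{
    public function execute(array $context): string
    {
        return '<footer>' . date('Y') . '</footer>';
    }
}

// Fixed allowlist (assumption): the DB stores only the key, never code or a class name.
const BLOCKS = [
    'greeting' => GreetingBlock::class,
    'footer'   => FooterBlock::class,
];

function runBlock(string $key, array $context = []): string
{
    if (!array_key_exists($key, BLOCKS)) {
        // Unknown or tampered value: refuse instead of instantiating it.
        throw new InvalidArgumentException('Unknown block key');
    }
    $class = BLOCKS[$key];
    return (new $class())->execute($context);
}

// Constructed sample values standing in for a column read from the database.
foreach (['greeting', 'footer', 'UnlistedClass', '../greeting'] as $stored) {
    try {
        echo runBlock($stored, ['user' => '<b>alice</b>']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($stored), PHP_EOL;
    }
}
```

Because the stored value only selects among classes that already ship with the application, a modified row can at most pick a different listed block.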

Score: 3

You can look at the eval function in PHP. It allows you to run arbitrary PHP code. It can be a huge security risk, though, and is best avoided.

Score: 1

Have you considered using your Source Control system to store different forks for the various installations (and the modules that differ among them)? That would be one of several best practices for application configuration I can think of. Yours is not an unusual requirement, so it's a problem that's been solved by others in the past; and storing code in a database is one I think you'd have a hard time finding reference to, or being advised as a best practice.

Good thing you posted the clarification. You've probably unintentionally posed an answer in search of a suitable question.

Score: 0

How I did this is to have a field in the database that identified something unique about the block of code needing to be executed. That one word is in the file name of that code. I put the strings together to point to the php file to be included. Example:

$lookFor = $row['page'];

include("resources/" . $lookFor . "Codebase.php");

In this way even if a hacker could access your DB he couldn't put malicious code straight in there to be executed. He could perhaps change the reference word, but unless he could actually put a file directly onto the server it would do him no good. If he could put files directly onto the server, you're sunk then anyway if he really wants to be nasty. Just my two cents worth.

And yes, there are reasons you would want to execute stored code, but there are cons.

Score: 0

Read the PHP code from the database, save it to a file with a unique name, and then include the file. This is an easy way to run PHP code and debug it.

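// Build a unique file name under tmp/ for this block of code
$uniqid = "tmp/" . date("d-m-Y h-i-s") . '_' . $Title . "_" . uniqid() . ".php";
$file = fopen($uniqid, "w");
fwrite($file, "<?php \r\n " . $R['Body']);
fclose($file); // close the handle so the file is fully written before it is included
// eval($R['Body']);
include $uniqid;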
