Saturday, August 11, 2012

Re: PHP Code in Database

A safer alternative to eval() would be to store in the database the object name, the method and the arguments, so you can use call_user_func().

I highly recommend you to whitelist the allowed calls (that is, make a list of possible objects and methods that can be called).

I had a similar need once, but I stored code in XML. If you allow users to input code that will be run, you're allowing them to "mysql_query('DROP DATABASE BLABLA');" to say the least. 

Take care!

dfcp 
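The allowlisted call_user_func() approach described in the reply above, as an added example that is not part of the original thread (the Helpbox class, the object registry and the sample database rows are constructed assumptions):

```php
<?php
// Added example (not from the original thread): dispatch a call stored in
// the database through an allowlist instead of eval()/include of raw code.
// Helpbox, the registry and the sample rows are constructed for illustration.
class Helpbox {
    public function element(string $name): string {
        return '<div class="element">' . htmlspecialchars($name) . '</div>';
    }
}

// Allowlist: object key => methods that stored calls may invoke. Nothing else runs.
$allowed = ['helpbox' => ['element']];
// Registry of live objects that stored calls may address.
$objects = ['helpbox' => new Helpbox()];

/**
 * Run one stored call. $row mimics a database record holding the object key,
 * the method name and a JSON-encoded argument list. Throws on anything not allowlisted.
 */
function runStoredCall(array $row, array $allowed, array $objects): string
{
    $object = $row['object'] ?? '';
    $method = $row['method'] ?? '';
    if (!isset($allowed[$object]) || !in_array($method, $allowed[$object], true)) {
        throw new RuntimeException("Call {$object}::{$method} is not allowed");
    }
    $args = json_decode($row['args'] ?? '[]', true);
    if (!is_array($args)) {
        throw new RuntimeException('Arguments must be a JSON array');
    }
    // Accept only scalars, and drop keys so a JSON object cannot become named arguments.
    foreach ($args as $arg) {
        if (!is_scalar($arg) && $arg !== null) {
            throw new RuntimeException('Only scalar arguments are allowed');
        }
    }
    return (string) call_user_func_array([$objects[$object], $method], array_values($args));
}

// Constructed sample rows: a legitimate element call, then one that must be refused.
$good = ['object' => 'helpbox', 'method' => 'element', 'args' => '["helpbox"]'];
$bad  = ['object' => 'db', 'method' => 'query', 'args' => '["DROP DATABASE blabla"]'];
echo runStoredCall($good, $allowed, $objects), "\n";
try {
    runStoredCall($bad, $allowed, $objects);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Because the allowlist is keyed by object and method, a row pointing at anything outside it is rejected before any code runs, and the stored arguments never reach eval() or a temporary PHP file.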

On Friday, August 10, 2012 5:20:36 AM UTC-3, Sanjeev Divekar wrote:
Hello,

I am developing a CMS which needs to execute some PHP code, e.g. <?php echo $this->element('helpbox'); ?>, which is stored in the database.

I tried

file_put_contents('tempfile.tmp', $this->fetch('content'));
include('tempfile.tmp');

in the layout, which works, but is there any better idea?

Regards,


--
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.