I am attempting to auto-generate a form based on information in a MySQL database. Right now, one table stores information about the fields that are needed – the field type, maxlength, default value, etc.
A second table contains HTML / PHP code for displaying the proper form input, based on information retrieved from the previously mentioned table. Neither of these tables includes any user-inputted data. In order to process and display this stored code, I have been trying to use PHP’s eval function. Although I’m not sure this is a good solution, the only alternative I could think of was to have dozens of one- or two-line files which are retrieved by using PHP’s include or using jQuery to append the contents. The main reason I didn’t want to do this was to avoid having the dozens of extra files.
Here is the eval statement that I have so far:
eval("\$code=\"$field[input_code]\";"); echo "<td>$code</td>";
Here is a sample of one of the contents of $field['input_code']:
<input name='".$field['form_name']."' type='text' placeholder='".ucwords(str_replace('_',' ',$field['form_name']))."'".if($field['req']==1){echo "class='textvalreq' required";}else{echo "class='textval'";}.">
If $field['input_code'] contains an expression, will not work as PHP would try to do sth. like:
This would eventually end up as a valid string but if the variable contains quotes all hell will break loose.
I’m sorry. I don’t see a trivial solution to the problem other than not storing arbitrary code in a database and trying to eval() it.
Btw: eval() is evil.
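
The alternative the answer points to (keeping code out of the database), as an added example that is not part of the original question or answer: the table stores only a renderer key, PHP maps that key through an allow-list to a function, and every database value is HTML-escaped on output. The input_type column, the function names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: build the inputs from field metadata, with no eval().
// Assumption: the second table holds a renderer key in a hypothetical
// input_type column (e.g. 'text') instead of PHP/HTML source.

// Escape a value for use inside a quoted HTML attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as the sample input_code, written as ordinary PHP.
function render_text(array $field): string
{
    $label    = ucwords(str_replace('_', ' ', $field['form_name']));
    $required = ((int) $field['req'] === 1);
    return sprintf(
        "<input name='%s' type='text' placeholder='%s' class='%s'%s>",
        h($field['form_name']),
        h($label),
        $required ? 'textvalreq' : 'textval',
        $required ? ' required' : ''
    );
}

// Allow-list: the database can only pick one of these keys;
// nothing read from the database is ever executed as code.
const RENDERERS = ['text' => 'render_text'];

function render_field(array $field): string
{
    $type = (string) ($field['input_type'] ?? '');
    if (!array_key_exists($type, RENDERERS)) {
        throw new InvalidArgumentException("Unknown input type: $type");
    }
    $renderer = RENDERERS[$type];
    return '<td>' . $renderer($field) . '</td>';
}

// Constructed sample rows standing in for the database result. The second
// one contains a quote, the case that breaks the eval() approach.
$rows = [
    ['form_name' => 'first_name', 'req' => 1, 'input_type' => 'text'],
    ['form_name' => "nick'name",  'req' => 0, 'input_type' => 'text'],
];
foreach ($rows as $field) {
    echo render_field($field), "\n";
}
```

Adding a new input kind means adding one function and one allow-list entry, so no extra files are needed and an unknown key fails loudly instead of running.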