Home/ Questions/Q 889893
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T13:38:19+00:00

Im managing my web content a DB. When you hit a certian page, a

  • 0

Im managing my web content a DB. When you hit a certian page, a query is made to the db to return the content for that page. Usualy I just store static html as a string and when it’s returned from the db and placed into the webpage, it renders correctly. But now, some of the content actually contains php and when returned, the php is displayed as text. I looked in the eval() function but doesnt seem to work for me, or perhaps I’m using it wrong.

Here is and example of my code:

mysql_select_db("default_DB1", $con);

                $result = mysql_query("SELECT * FROM submenus WHERE active = '1' and menu_id='" . $_GET['article'] . "'");

    echo "<ul>\n";
                $counter = 1;
                while($row = mysql_fetch_array($result))
                {
                        echo "<li><a href=\"#tabs-" . $counter . "\" onclick=\"storySize('tabs-" . $counter . "');\">" . $row['submenu_name'] . "</a></li>\n";
                        $counter = $counter + 1;                    
                }
                echo "</ul>\n";

                $counter = 1;
                $result2 = mysql_query("SELECT * FROM submenus WHERE active = '1' AND menu_id='" . $_GET['article'] . "'");
                while($row2 = mysql_fetch_array($result2))
                {
                        echo "<div id=\"tabs-" . $counter . "\" style=\"height:100%; overflow:visible;\">" . str_replace("*#*","'",$row2['submenu_content']) . "</div>\n";                      
                        $counter = $counter + 1;
                }

                mysql_close($con);

Then the content returned is:

<table width="100%">
<tr>
<td align="right">Username: </td>
<td align="left"><input type="text" id="txtUsername" name="txtUsername" value=""></td>
</tr>
<tr>
<td align="right">Password: </td>
<td align="left"><input type="text" id="txtPassword" name="txtPassword" value=""></td>
</tr>
<tr>
<td>User Type</td><td><select id="ddlUserType" name="ddlUserType">

$con = mysql_connect("domain.com","username","pwd");
if (!$con)
  {
  die(#*#Could not connect: #*# . mysql_error());
  }

mysql_select_db("default_DB1", $con);

$result = mysql_query("SELECT * FROM user_types WHERE user_type_name <> #*#Admin#*# and active = #*#1#*#");

while($row = mysql_fetch_array($result))
  {
  echo "<option value=\"" . $row[#*#user_type_id#*#] . "\">" . $row[#*#user_type_name#*#] . "</option>";
  }

mysql_close($con);

</select></td>
</tr>
<tr>
<td align="right"></td>
<td align="left"><input type="button" id="txtReg" name="txtReg" value="Register" onclick="alert(*#*plaka*#*);"></td>
</tr>
</table>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First off, look at eval. The reason I suspect it’s not working, is that eval expects the code to start with php code (meaning it prepends an opening <?php. So it’s trying to execute the HTML as php. To solve, simply prepend your code with ?> prior to feeding it into eval()

    Secondly, this is generally considered very bad practice. It makes it less secure (since a SQL Injection vulnerability can actually affect the server rather than just the data) and harder to maintain (since your code now lives in two places).

    I would HIGHLY suggest finding another solution to your problem…

    • 0