The security danger comes from someone calling things like

site_domain/page.php?var=url_encoded_code_here

which will then execute all the code...

Of course you can, before getting the code from the database, clear the 
var and later check for its size...

Cheers,
Luis Ferro
TelaDigital
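As an added illustration of the danger Luis describes (not code from anyone in this thread), the request-driven `eval` pattern is shown next to a hardened version that only ever evaluates the stored page body selected by a validated integer id. Table name `pages`, column `body`, the `id` parameter and the 64 KiB size limit are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names and limits are assumed.

// VULNERABLE: the code to run comes straight from the request, so anyone can
// call page.php?var=<url-encoded PHP> and have the server execute it.
function render_page_unsafe(): void
{
    $var = $_GET['var'] ?? '';          // attacker-controlled
    eval('?>' . $var . '<?php ');       // executes whatever was sent
}

// HARDENED: the request supplies only an integer id; the code that runs is
// read from an admin-maintained table and is never taken from user input.
function render_page(mysqli $db): void
{
    unset($var);                        // Luis's point: start from a clean var

    // 1. Validate the single request parameter as a bounded positive integer.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100000]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('bad page id');
    }

    // 2. Parameterised query: no string building with request data.
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        http_response_code(404);
        exit('no such page');
    }

    // 3. Size check on the stored template before evaluating it (assumed limit).
    if (!is_string($body) || strlen($body) > 65536) {
        http_response_code(500);
        exit('page body rejected');
    }

    // 4. Michael's technique: leave PHP mode, inline the stored HTML+PHP body,
    //    re-enter PHP mode. Only trusted database content reaches eval().
    eval('?>' . $body . '<?php ');
}
```

Anything that can write to the `pages` table can still run code on the server, so that table needs the same protection as the script files themselves.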



Michael Virnstein wrote:

>eval ('?>'.$var.'<?php');
>if you want to eval usual php scripts.
>(We close the ?> then comes the content of the php script which also can
>contain
> html and then we reopen <?php again)
>
>So if you have a file:
><?php
>include('test.php');
>?>
>
>and you say
>$var = "<?php include('test.php'); ?>";
>
>you'll result in
>
>...
>eval("?><?php include('test.php'); ?><?php");
>
>which will evaluate normally.
>
>Regards Michael
>
>
>"Peter" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>
>>Hi.
>>I'm changing my website to one based on My-SQL which will help with
>>organization and searching etc. Hopefully, the code for all the pages will
>>be stored in the database too.
>>However, I cannot get PHP to parse / execute the code stored in the
>>database. The script
>>
>>$query = mysql_query("SELECT * FROM pages", $link);
>>$result = mysql_fetch_array($query);
>>print $result['4'];
>>
>>gets the content of the page (column 4 of the database) but displays
>>
>>include("common/counter.php"); include("common/navbar.php");
>>
>>to the screen instead of opening and including these two files in the
>>output.
>>
>>Is there something I need to do to the result to make it executable? Might I
>>need a \n between the two lines of code?
>>
>>I'm using Win 98, Apache 1.3.19, PHP 4.2.0 and MySQL but I'm not sure which
>>version! (fairly recent though)
-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php