  1. #1
     SitePoint Enthusiast (joined Mar 2010, 79 posts)

    Best approach to fields that need to contain and run PHP code?

    Hi,

    I am curious to hear the thoughts of the SitePoint community about the use of the eval() function in dynamic content management systems. Or are there other approaches to allow content inside of a content management system to be rendered as PHP? What, in your opinion, is the most secure way to handle this?


  2. #2
     wheeler, SitePoint Wizard (joined Mar 2006, Gold Coast, Australia, 1,369 posts)
    What kinds of content are you referring to?

    Say for example if you had loop data, you could use bbcode or have your own simple templating like:

    {show_item_table}

    then do a string replace.

    Using eval would be the last (if at all) option in a production environment.

  3. #3
     SitePoint Enthusiast (joined Mar 2010, 79 posts)
    I am really referring to any type of dynamically generated PHP content. For example, querying the database and displaying the results via a while() or foreach() loop, if{} constructs, etc. Right now, in order to ensure that this type of code can be executed, I run the main body of each page in my content management system through the eval method. I realize that this is extremely insecure and am looking for alternatives.
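    Added example (my code, not either poster's) to make the contrast concrete: the first function does what post #3 describes, running the stored page body through eval(), and the second does what post #2 suggests, a placeholder token such as {show_item_table} resolved by a string replace against a fixed set of handlers written by the CMS author. The sample rows, the two body strings and the handler names are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a database query result.
$rows = [
    ['name' => 'Widget', 'price' => 9.99],
    ['name' => '<script>alert(1)</script>', 'price' => 0.5],
];

// --- What post #3 describes: the stored body contains PHP and is eval()'d. ---
// Whoever can edit this body runs arbitrary code as the web server user.
$bodyWithPhp = '<h1>Catalogue</h1><?php foreach ($rows as $r) echo "<p>{$r["name"]}</p>"; ?>';

function render_with_eval(string $body, array $rows): string
{
    ob_start();
    // The leading "?>" puts eval() into HTML mode so the body can start with markup.
    // eval() shares this function's scope, which is how the body sees $rows.
    eval('?>' . $body);
    return (string) ob_get_clean();
}

// --- What post #2 suggests: the body is text with {placeholders}; the code that
// renders each placeholder lives in the CMS, so editors never supply code. ---
$bodyWithPlaceholders = '<h1>Catalogue</h1>{show_item_table}<p>{item_count} items</p>{not_registered}';

function item_table(array $rows): string
{
    $html = '<table>';
    foreach ($rows as $r) {
        // Escape on output so database content cannot inject markup either.
        $html .= '<tr><td>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . number_format($r['price'], 2) . '</td></tr>';
    }
    return $html . '</table>';
}

function render_with_placeholders(string $body, array $rows): string
{
    // Allow-list of placeholders. Anything not listed is left as literal text,
    // so an unknown or mistyped token has no effect beyond showing up on the page.
    $handlers = [
        'show_item_table' => fn(): string => item_table($rows),
        'item_count'      => fn(): string => (string) count($rows),
    ];
    return preg_replace_callback(
        '/\{([a-z_]+)\}/',
        fn(array $m): string => isset($handlers[$m[1]]) ? $handlers[$m[1]]() : $m[0],
        $body
    );
}

echo "eval:         ", render_with_eval($bodyWithPhp, $rows), PHP_EOL;
echo "placeholders: ", render_with_placeholders($bodyWithPlaceholders, $rows), PHP_EOL;
```

    With the placeholder version an editor never supplies executable code, so a compromised editor account can deface a page but not run commands on the server. The handlers also escape on output; the eval'd body above prints the second row's name unescaped, which is a second, unrelated bug that inline PHP in content tends to carry along.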

  4. #4
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Have you looked into how other frameworks, templating engines or CMSs do this?
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  5. #5
    SitePoint Zealot romance's Avatar
    Join Date
    Apr 2004
    Location
    UK
    Posts
    181
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'd just go a step further and implement an existing templating engine such as http://phptal.org into my code rather than try and re-invent the wheel.

    There's nothing worse than having to learn new syntax just to achieve a simple goal of looping an object.

  6. #6
    SitePoint Evangelist
    Join Date
    Aug 2005
    Location
    Winnipeg
    Posts
    498
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Drupal and other CMS often allow execution of arbitrary PHP. The short answer is, there is no safe way to execute arbitrary PHP code except to limit the users allowed to update said PHP code.

    The long answer is, you could tokenize and parse your source code and check and trigger errors when something fishy is being done (file access, etc).

    Cheers,
    Alex
    The only constant in software is change itself
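    An added example (not Alex's code) of the long answer: tokenize the submitted source with token_get_all() and report anything outside an allow-list. It uses an allow-list of callable functions and a list of forbidden token kinds rather than a deny-list of dangerous function names, because a name built at run time ($f = 'sys' . 'tem'; $f('id');) never appears as a T_STRING. The allow-list contents, the two sample snippets and the shape of the findings are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Tokenize user-supplied PHP and report anything outside a small allow-list.
// Returns a list of ['line' => int, 'issue' => string]; an empty list means clean.
function scan_php_source(string $code): array
{
    // Hypothetical allow-list for this CMS: the only functions content may call.
    $allowedFunctions = ['count', 'htmlspecialchars', 'number_format', 'strtoupper'];

    // Token kinds that never belong in page content: code loading, dynamic code,
    // class/object access, namespaces, "${...}" interpolation.
    $forbiddenKinds = [
        T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
        T_FUNCTION, T_CLASS, T_NEW, T_GLOBAL, T_STATIC,
        T_NS_SEPARATOR, T_DOUBLE_COLON, T_OBJECT_OPERATOR, T_DOLLAR_OPEN_CURLY_BRACES,
    ];
    // Tokens that only exist on newer PHP versions. PHP 8 tokenizes \system as a
    // single T_NAME_FULLY_QUALIFIED token rather than T_NS_SEPARATOR + T_STRING.
    foreach (['T_FN', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_QUALIFIED', 'T_NAME_RELATIVE',
              'T_NULLSAFE_OBJECT_OPERATOR'] as $name) {
        if (defined($name)) {
            $forbiddenKinds[] = constant($name);
        }
    }

    $findings   = [];
    $tokens     = token_get_all($code);
    $prev       = null;   // previous token that is not whitespace or a comment
    $line       = 1;      // single-character tokens carry no line; reuse the last seen
    $inBacktick = false;

    foreach ($tokens as $i => $tok) {
        if (is_array($tok)) {
            [$kind, $text, $line] = $tok;
            if ($kind === T_WHITESPACE || $kind === T_COMMENT || $kind === T_DOC_COMMENT) {
                continue;
            }
            if (in_array($kind, $forbiddenKinds, true)) {
                $findings[] = ['line' => $line, 'issue' => 'forbidden token ' . token_name($kind)];
            } elseif ($kind === T_STRING && next_significant($tokens, $i) === '('
                      && !in_array(strtolower($text), $allowedFunctions, true)) {
                $findings[] = ['line' => $line, 'issue' => "call to non-allow-listed function $text()"];
            }
        } elseif ($tok === '`') {
            $inBacktick = !$inBacktick;          // report the opening backtick only
            if ($inBacktick) {
                $findings[] = ['line' => $line, 'issue' => 'backtick shell execution'];
            }
        } elseif ($tok === '$') {
            $findings[] = ['line' => $line, 'issue' => 'variable variable ($$name)'];
        } elseif ($tok === '(' && ($prev === ')' || $prev === ']'
                  || (is_array($prev) && in_array($prev[0], [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING], true)))) {
            // $f(...), $a['k'](...), 'system'(...), (...)(...): the callee is chosen at run time.
            $findings[] = ['line' => $line, 'issue' => 'dynamic function call'];
        }
        $prev = $tok;
    }
    return $findings;
}

// Text of the next token after index $i that is not whitespace or a comment.
function next_significant(array $tokens, int $i): ?string
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (is_array($t)) {
            if ($t[0] === T_WHITESPACE || $t[0] === T_COMMENT || $t[0] === T_DOC_COMMENT) {
                continue;
            }
            return $t[1];
        }
        return $t;
    }
    return null;
}

// Constructed samples: the loop the thread asks about, and what a hostile editor stores.
$benign  = '<?php foreach ($rows as $r) { ?><li><?= htmlspecialchars($r["name"]) ?></li><?php } ?>';
$hostile = <<<'PHP'
<?php
echo file_get_contents('/etc/passwd');   // line 2: call outside the allow-list
$f = 'sys' . 'tem'; $f('id');           // line 3: dynamic call
echo `id`;                               // line 4: backticks
include '/tmp/x.php';                    // line 5: code loading
PHP;

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $src) {
    $findings = scan_php_source($src);
    echo $label, ': ', $findings === [] ? 'clean' : count($findings) . ' finding(s)', PHP_EOL;
    foreach ($findings as $f) {
        echo "  line {$f['line']}: {$f['issue']}", PHP_EOL;
    }
}
```

    Two caveats a practitioner should keep in mind. Tokenizer output differs between PHP versions (the T_NAME_* tokens above are one case), so run the scan under the same PHP binary that will later eval the content, never on a different version. And a clean scan only constrains what the code looks like: it still runs with the web server's privileges and can call anything on the allow-list, which is why the short answer above, limiting who may edit the code at all, still applies.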

