dongzhuo3202 2013-08-11 03:59

Can I use PHP if I have it in my database?

If I have php within my database can I use that? Specifically I have <?php echo $email; ?> with a column called content. On a protected page called user I call on the content column and spit out a page. Similar to a blog would within a while mysqli. When I look into my database though I see the function is actually the full <?php echo $email; ?> rather than the actual variable that was posted with a form.

Edit:

Also I'm looking within firebug to see what shows up for value within the form and it is indeed the full echo statement. The echo statement is pulled from the database as part of a stored form. Is this not good practice? If so how can this be done? Am I missing something??

Further info is that I am using mysqli escape string to input the data..

I've got a script that echoes out the content for the page. In this case the content from the database is a form which includes a hidden field for email. This way I can tell who's posting to the database so that we can establish a connection.

Within the original page are active variables that are included on this particular page. I'm including in the form from the database a field like so:

    <input type="hidden" id="email" value="<?php echo $email; ?>" />

Normally the echo would work, but I'm not sure why it's not. That is why I ask if the fact that that input field is coming from the database has any bearing on it not echoing based on the variables already located within the page?

Further example for explanation:

    <?php
    include_once "includes/db_conx.php";
    $sql = "SELECT * FROM course ORDER BY id DESC";
    $sql_page = mysqli_query($db_conx, $sql);
    while ($row = mysqli_fetch_array($sql_page)) {
        $email = $row["email"];
    }
    ?>

That's the email on the actual user.php page.....

Now the user.php also has an area for content..

    <?php
    include_once "includes/db_conx.php";
    $sql = "SELECT * FROM content ORDER BY id DESC LIMIT 1";
    $sql_page = mysqli_query($db_conx, $sql);
    while ($row = mysqli_fetch_array($sql_page)) {
        $content = $row["content"];
    }
    ?>

We'll say that the content looks like this...

    <form>
        <input type="hidden" id="email" value="<?php echo $email; ?>" />
        //
    </form>

This also outputs on user.php notice that user.php does have $email....how are you saying to approach this? How else can I echo this?

1 answer

  • duanfei1975 2013-08-11 04:34

    Based on the comments I'd say a quick answer is to check the linked article in my first comment. Yes the problem is your Form Output code is likely expecting data in a variable and not code. You need to eval() the variable in order to actually execute the code contained within. However this is not best practice.

    A better solution would be to just store the contents of $email in the DB and just send that to your form.

    It's the difference between:

    $x = '<?php echo $hello ?>';

    $outstr = "<input type='hidden' value=' $x ' >";
    //no this won't work unless you use eval($x)
    

    EDIT:

    Based on your explanation above with content, you may just need a way to ignore everything between the tags in content and replace it with the actual content? I'm assuming you can't change the db design...

    Two quick & dirty & perhaps unsafe things you can try are:

    include("data:,$content");
    //or
    eval('?>'.$content.'<?');
    

    Or you can replace with regex:

    /* just searching specifically for <?php echo $varname; ?> to replace with $varname;
       single quotes so PHP does not interpolate and \$ reaches the regex as a literal dollar sign */
    $phpTagPattern = '#<\?.*?(echo)\s+(\$\w+);.*?(\?>|$)#s';
    $replacePattern = '$2'; // this may need some cleaning/debugging here. It's late...
    $newContent = preg_replace($phpTagPattern, $replacePattern, $content);
    

    Then you're still going to have to parse_str to get the variable contents anyway...somewhat safer than executing code perhaps.

    echo parse_str($newContent); //should get you to actual contents of $email variable
    

    This all might be more easily achieved with the tokenizer extension: http://www.php.net/manual/en/tokenizer.examples.php You'd be searching for T_OPEN_TAG and T_CLOSE_TAG.

    For a high-level Better Way To Do This(TM) kind of explanation, it would make more sense to simply store your actual data in the database, and put the content into a templating engine like smarty. Then you create the shell of the form and just pass variables to it where needed. Keep data separate from logic, and output/formatting markup separate still.

    This answer was selected by the asker as the best answer.
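
The separation the answer recommends (data in the database, markup as a template), as an added example that is not part of the original answer: the stored content carries a `{{email}}` placeholder instead of PHP code, and the page substitutes HTML-escaped values from an allowlisted array, so nothing read from the database is ever executed. The `{{key}}` syntax, `render_template()` and the sample values are assumptions made for illustration, and the stored markup itself is assumed to be written only by trusted administrators.

```php
<?php
// Added example: render DB-stored markup by substituting named placeholders
// instead of executing it with eval()/include. All names are hypothetical.

// Constructed sample of what the `content` column would hold under this scheme.
$content = <<<'HTML'
<form>
  <input type="hidden" id="email" value="{{email}}" />
  <p>Signed in as {{name}} {{unknown}}</p>
</form>
HTML;

/**
 * Replace {{key}} tokens with HTML-escaped values from $vars.
 * Only keys present in $vars are substituted; any other token is left as
 * literal text, so stored content cannot reach arbitrary page variables.
 */
function render_template(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return $m[0]; // unknown placeholder: leave untouched
            }
            // ENT_QUOTES so a value cannot close the surrounding attribute.
            return htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed values; the email contains characters that would otherwise
// terminate the value attribute and inject markup.
$vars = [
    'email' => 'bob"><b>x</b>@example.com',
    'name'  => 'Alice & Bob',
];

echo render_template($content, $vars), PHP_EOL;

// A PHP tag still sitting in legacy content is passed through as inert text,
// never run. Migrate such rows to placeholders rather than evaluating them.
$legacy = '<input value="<?php echo $email; ?>" />';
assert(render_template($legacy, $vars) === $legacy);
```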
