dongzhuo3202 2013-08-11 03:59

If I have PHP in my database, can I use it?

If I have PHP within my database, can I use that? Specifically I have <?php echo $email; ?> with a column called content. On a protected page called user I call on the content column and spit out a page. Similar to a blog would within a while mysqli. When I look into my database though I see the function is actually the full <?php echo $email; ?> rather than the actual variable that was posted with a form.

Edit:

Also I'm looking within firebug to see what shows up for value within the form and it is indeed the full echo statement. The echo statement is pulled from the database as part of a stored form. Is this not good practice? If so how can this be done? Am I missing something??

Further info is that I am using mysqli escape string to input the data..

I've got a script that echoes out the content for the page. In this case the content from the database is a form which includes a hidden field for email. This way I can tell who's posting to the database so that we can establish a connection.

Within the original page are active variables that are included on this particular page. I'm including in the form from the database a field like so:

    <input type="hidden" id="email" value="<?php echo $email; ?>" />

Normally the echo would work, but I'm not sure why it's not. That is why I ask if the fact that that input field is coming from the database has any bearing on it not echoing based on the variables already located within the page?

Further example for explanation:

    <?php
    include_once "includes/db_conx.php";
    $sql = "SELECT * FROM course ORDER BY id DESC";
    $sql_page = mysqli_query($db_conx, $sql);
    while ($row = mysqli_fetch_array($sql_page)) {
        $email = $row["email"];
    }
    ?>

That's the email on the actual user.php page.....

Now the user.php also has an area for content..

    <?php
    include_once "includes/db_conx.php";
    $sql = "SELECT * FROM content ORDER BY id DESC LIMIT 1";
    $sql_page = mysqli_query($db_conx, $sql);
    while ($row = mysqli_fetch_array($sql_page)) {
        $content = $row["content"];
    }
    ?>

We'll say that the content looks like this...

    <form>
     <input type="hidden" id="email" value="<?php echo $email; ?>" />
    //
    </form>

This also outputs on user.php notice that user.php does have $email....how are you saying to approach this? How else can I echo this?


  • duanfei1975 2013-08-11 04:34

    Based on the comments I'd say a quick answer is to check the linked article in my first comment. Yes the problem is your Form Output code is likely expecting data in a variable and not code. You need to eval() the variable in order to actually execute the code contained within. However this is not best practice.

    A better solution would be to just store the contents of $email in the DB and just send that to your form

    It's the difference between:

    $x = '<?php echo $hello ?>';

    $outstr = "<input type='hidden' value=' $x ' >";
    //no this won't work unless you use eval($x)
    

    EDIT:

    Based on your explanation above with content, you may just need a way to ignore everything between the tags in content and replace it with the actual content? I'm assuming you can't change the db design...

    Two quick & dirty & perhaps unsafe things you can try are:

    include("data:,$content");
    //or
    eval('?>'.$content.'<?');
    

    Or you can replace with regex:

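    // Single-quoted so PHP does not interpolate \$ or $2 before the regex engine sees them.
    /* just searching specifically for <?php echo $varname; ?> to replace with $varname
       (block comment, because a closing PHP tag inside a // comment would end the script) */
    $phpTagPattern = '#<\?.*?(echo)\s+(\$\w+);.*?(\?>|$)#s';
    $replacePattern = '$2'; // this may need some cleaning/debugging here. It's late...
    $newContent = preg_replace($phpTagPattern, $replacePattern, $content);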
    

    Then you're still going to have to parse_str to get the variable contents anyway...somewhat safer than executing code perhaps.

    echo parse_str($newContent); //should get you to actual contents of $email variable
    

    This all might be more easily achieved with the tokenizer extension: http://www.php.net/manual/en/tokenizer.examples.php You'd be searching for T_OPEN_TAG and T_CLOSE_TAG.

    For a high-level Better Way To Do This(TM) kind of explanation, it would make more sense to simply store your actual data in the database, and put the content into a templating engine like Smarty. Then you create the shell of the form and just pass variables to it where needed. Keep data separate from logic, and output/formatting markup separate still.

    This answer was selected by the asker as the best answer.
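
The approach recommended at the end of the answer (store data, pass variables into a template), as an added example that is not part of the original question or answer: the content column holds a {{email}} placeholder instead of PHP, and a small renderer substitutes HTML-escaped values without eval() or include. The {{name}} placeholder syntax, the function name render_stored_template() and the sample values are assumptions for illustration.

```php
<?php
// Added example: render DB-stored markup with placeholders instead of eval().
// The {{name}} syntax and render_stored_template() are hypothetical names.

/**
 * Replace {{name}} placeholders with HTML-escaped values from $vars.
 * Nothing in the stored content is ever executed as PHP.
 */
function render_stored_template(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        function (array $m) use ($vars): string {
            // Only keys present in $vars are substituted; unknown
            // placeholders render as an empty string.
            $value = $vars[$m[1]] ?? '';
            // Escape for an HTML attribute context, quotes included.
            return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed sample standing in for $row["content"] from the content table.
$content = <<<'HTML'
<form>
  <input type="hidden" id="email" value="{{email}}" />
</form>
HTML;

// Constructed sample standing in for $row["email"]; the quote character
// shows that the value cannot break out of the value="" attribute.
$email = 'alice"@example.com';

echo render_stored_template($content, ['email' => $email]), "\n";

// Content that still contains a PHP tag passes through as inert text:
// the renderer has no code path that evaluates it.
echo render_stored_template('<?php echo $email; ?>', ['email' => $email]), "\n";
```

A hidden field can be edited by the client, so the server should still take the poster's identity from the session rather than from this value when the form is submitted.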
