
Executing scripts from a table


Ken Kixmoeller -- reply to ken@kixmoeller.com

Feb 2, 2007, 12:32:25 PM
to php-g...@lists.php.net
Hi, folks -- - -

For security and efficiency, I am trying to store PHP scripts in
MySQL tables. Only problem: I can't get them to execute.

In a template:
----------------------------------------
$php_code = $this->ApplicationObject->GetStoredCode($whichpage);

echo $php_code; // doesn't execute

print_r($php_code); // doesn't execute, either
----------------------------------------

I've looked for some kind of exec_script() function without luck.

I can't be the first one to have done this. Any ideas or resources
you can point me to?

Thank you -- - -

Ken

Ken Kixmoeller -- reply to ken@kixmoeller.com

Feb 2, 2007, 12:45:20 PM
to php-g...@lists.php.net, Thomas Pedoussaut
Yeah, that was it. Thanks, Thomas.

(dang it, I should have been able to figure out that myself!)

Ken


On Feb 2, 2007, at 11:32 AM, Thomas Pedoussaut wrote:

> Ken Kixmoeller -- reply to k...@kixmoeller.com wrote:
>> Hi, folks -- - -
>>
>> For security and efficiency, I am trying to store PHP scripts in
>> MySQL tables. Only problem: I can't get them to execute.
>>
>> In a template:
>> ----------------------------------------
>> $php_code = $this->ApplicationObject->GetStoredCode($whichpage);
>>
>> echo $php_code; // doesn't execute
>>
>> print_r($php_code); // doesn't execute, either
>> ----------------------------------------
>
> I think you're thinking of eval()
> http://ie2.php.net/manual/en/function.eval.php
>
> It should do what you want.
>
> --
> Thomas
>
>

Richard Lynch

Feb 2, 2007, 7:59:16 PM
to Ken Kixmoeller -- reply to ken@kixmoeller.com, php-g...@lists.php.net
On Fri, February 2, 2007 11:32 am, Ken Kixmoeller -- reply to
k...@kixmoeller.com wrote:
> For security and efficiency, I am trying to store PHP scripts in
> MySQL tables. Only problem: I can't get them to execute.

Errrr.

Putting PHP source into MySQL is the WRONG way to go for security and
efficiency...

So, right there, you're in the wrong tree.

But the function you THINK you want is 'eval'
http://php.net/eval

Rule Of Thumb:
If 'eval' is the answer, you are almost certainly asking the wrong
question.
:-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

Ken Kixmoeller -- reply to ken@kixmoeller.com

Feb 3, 2007, 10:32:06 AM
to php-g...@lists.php.net

On Feb 2, 2007, at 6:59 PM, Richard Lynch wrote:

> Putting PHP source into MySQL is the WRONG way to go for security and
> efficiency...

Thank you, Richard -- I appreciate your advice.

Here is a qualifier: I'm not putting any core code into tables, just
code which generates page content. The access rights to that page
content, as well as security code and application objects are not
there. That code is off of the web path, called by functions. No SQL
is in tables. So maybe I shouldn't have said "security."

With that in mind -- I would really appreciate it if you would help me
understand your comment or point me to a resource which will. I have
read a bunch of stuff on security, but no resources led me to believe
that I was on a wrong path, though none of them followed the path I
am on. It isn't too late for me to change.

Ken

Ken Kixmoeller -- reply to ken@kixmoeller.com

Feb 3, 2007, 11:52:38 AM
to php-g...@lists.php.net

On Feb 3, 2007, at 9:32 AM, Ken Kixmoeller -- reply to
k...@kixmoeller.com wrote:

> I'm not putting any core code into tables, just code which
> generates page content. The access rights to that page content, as
> well as security code and application objects are not there. That
> code is off of the web path, called by functions. No SQL is in
> tables. So maybe I shouldn't have said "security."

I should add: All of the PHP in the tables is making calls to UI
objects and data objects (which contain the SQL). Those classes are
also off of the web tree. My goal has been to locate any and all page-
related content (HTML and PHP) in a single location.

I am *not* trying to justify my strategy here. I just want to provide
enough information to anybody willing to help me understand if it is
ill-conceived.

Thank you,

Ken

Richard Lynch

Feb 5, 2007, 12:53:02 AM
to Ken Kixmoeller -- reply to ken@kixmoeller.com, php-g...@lists.php.net
On Sat, February 3, 2007 9:32 am, Ken Kixmoeller -- reply to

The problem is that now instead of needing to protect your PHP files
from arbitrary code execution attacks, you need to protect your PHP
files *and* your database content, so you've just doubled the number
of potential holes, roughly speaking.

It doesn't matter if YOU put "core code" into your DB or not -- If
somebody manages to break into your DB, they can put whatever code
they want, and you're just going to execute it blindly.

In terms of performance, running a query to get some PHP snippet and
then using eval on it is probably not going to hold up under any kind
of load... Or maybe it will -- Seems like eval should be expensive,
but perhaps I'm just remembering what it cost in Lisp...
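
The concern raised above about executing database content blindly, shown as an added example (not part of the original thread and not any poster's code): instead of calling eval() on the stored row, the row is treated as text with `{{name}}` placeholders that map to an allowlist of functions kept in PHP files on disk. The placeholder syntax, the widget names and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added illustration: stored page content is treated as data, never eval()'d.
// Placeholder syntax, widget names and sample rows are constructed assumptions.

// Allowlist: the only code a stored page can trigger lives here, in files on disk.
$widgets = [
    'user_greeting' => fn(array $ctx): string =>
        'Hello, ' . htmlspecialchars($ctx['user'], ENT_QUOTES, 'UTF-8'),
    'current_year'  => fn(array $ctx): string => date('Y'),
];

function render_stored_page(string $stored, array $widgets, array $ctx): string
{
    // Split on {{name}} tokens; with DELIM_CAPTURE, odd indexes hold the names.
    $parts = preg_split('/\{\{([a-z_]+)\}\}/', $stored, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // Literal text from the DB is escaped, so neither PHP tags nor
            // markup in a tampered row are interpreted.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        } elseif (isset($widgets[$part])) {
            $out .= $widgets[$part]($ctx);
        } else {
            // Unknown name: record it and emit nothing.
            error_log("stored page referenced unknown widget: $part");
        }
    }
    return $out;
}

// Constructed rows: a normal page, and one as it might look after tampering.
$rows = [
    'home'     => '{{user_greeting}}! Copyright {{current_year}}.',
    'tampered' => "<?php echo 'injected'; ?> {{drop_tables}}",
];
foreach ($rows as $name => $stored) {
    echo $name, ': ', render_stored_page($stored, $widgets, ['user' => 'Ken']), PHP_EOL;
}
```

With eval() the tampered row would run as code on the server; here it comes out as escaped text and the unknown placeholder is only logged.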
