Greetings, all.

Thanks to those who fielded my sql injection question yesterday. Enormously 

On to eval().

I've got a PHP 4.3.xx and a MySQL 4.xx (sometimes 3.2xx) database that is the 
basis of a CMS. The story field of the content table sometimes holds PHP code 
that needs to be executed when it's called. Mostly simple forms, some includes, 
and the like.

For the life of me, I cannot figure out how to execute that code without using 
an eval() statement, and I'd like to avoid using eval() for security and 
overhead reasons.

A sample looks like this:
$query="SELECT * FROM $database.$stories where id='$sid';";
for ($i=0; $i<$numberofresults; $i++)
$row=mysql_fetch_array ($result);
echo ("<h1>".ucwords($hl)."<img src=\"image456.jpg\">");}

This works, and the scripts execute. But there's always room for improvement.

I've read about using output buffers, but can't understand quite how that 

Any suggestions would be appreciated.


PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to