Greetings, all.
Thanks to those who fielded my SQL injection question yesterday. Enormously
helpful.
On to eval().
I've got a PHP 4.3.xx and a MySQL 4.xx (sometimes 3.2xx) database that is the
basis of a CMS. The story field of the content table sometimes holds PHP code
that needs to be executed when it's called. Mostly simple forms, some includes,
and the like.
For the life of me, I cannot figure out how to execute that code without using
an eval() statement, and I'd like to avoid using eval() for security and
overhead reasons.
A sample looks like this:
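// Fetch the requested story (assumes $sid has already been escaped)
$query = "SELECT * FROM $database.$stories WHERE id='$sid';";
$result = mysql_query($query);
$numberofresults = mysql_num_rows($result);
for ($i = 0; $i < $numberofresults; $i++)
{
    $row = mysql_fetch_array($result);
    $body = $row['storycontent'];   // may hold PHP code stored in the table
    echo ("<h1>".ucwords($hl)."<img src=\"image456.jpg\">");
}
// Execute the PHP held in the story field (runs once, after the loop, on the last row fetched)
eval($body);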
This works, and the scripts execute. But there's always room for improvement.
I've read about using output buffers, but can't understand quite how that
works.
Any suggestions would be appreciated.
-V
--
PHP Database Mailing List (http://www.php.net/)
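
Added example, not part of the original post: one way to drop eval() is to keep the dynamic pieces in code shipped with the site, store only a placeholder in the story field, and use an output buffer to capture what each piece echoes. The {{block:name}} syntax, the block functions and the sample story are assumptions made up for this sketch; ob_get_clean() needs PHP 4.3.0 or later.

```php
<?php
// Added example. The {{block:name}} syntax and every function name here are hypothetical.
// Dynamic pieces live in code shipped with the site; the database stores only a placeholder.
function block_contact_form()
{
    echo '<form method="post" action="/contact.php">';
    echo '<input type="text" name="email"><input type="submit" value="Send">';
    echo '</form>';
}

function block_copyright_year()
{
    echo '&copy; ' . date('Y');
}

// Allowlist of placeholder name => function. Nothing outside this map can run.
function block_registry()
{
    return array(
        'contact_form'   => 'block_contact_form',
        'copyright_year' => 'block_copyright_year',
    );
}

// Run one block and capture what it echoes with an output buffer.
function render_block($name)
{
    $registry = block_registry();
    if (!isset($registry[$name])) {
        return htmlspecialchars('{{block:' . $name . '}}'); // unknown: inert text
    }
    ob_start();                        // echo/print now goes into a buffer
    call_user_func($registry[$name]);
    return ob_get_clean();             // hand back the buffer and stop capturing
}

function render_block_match($m)
{
    return render_block($m[1]);
}

// Swap every {{block:name}} in the stored story for its rendered output.
function render_story($body)
{
    return preg_replace_callback('/\{\{block:([a-z0-9_]+)\}\}/', 'render_block_match', $body);
}
// Constructed sample, standing in for $row['storycontent'].
$body = '<p>Write to us:</p>{{block:contact_form}}<p>{{block:nope}} <?php echo 1+1; ?></p>';
echo render_story($body);
```

With this layout, PHP text that ends up in the story field is sent to the browser as plain characters and is never executed, so write access to the content table no longer means code execution on the server.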