Zak Mc Kracken wrote:
> Hi all,
>
> Is there a PHP function that parses a string as it was the content of a
> PHP file?
>
> I have a CMS application and editors write the news items text into a
> text area. Since they have some knowledge of PHP, I'd like to allow them
> to insert <? ... ?> or <?= ... ?> and have the content blocks parsed and
> executed. OK, this could be easily done parsing the string and passing
> the block contents to eval(). However I wonder whether there is some
> function already doing that (maybe in a more efficient way).
>
> Thanks a lot in advance.

Hi,

This is a very dangerous thing to do, as it will allow execution of
arbitrary PHP code. I highly recommend that you not allow this. Instead,
some kind of plugin system could be allowed where editors can specify a
plugin (something like [plugin name="blah" param1="blah" param2="halb"])
and they upload the PHP code to a file on the server, register that file
as the plugin "blah" and go from there.

Anything else is begging to get the site hacked and cause yet another
vulnerability in a php app.

Greg

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
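
The plugin-tag approach suggested in the reply above, sketched as an added example that is not part of the original message or of any PHP library. The function names, the `$plugins` registry and the sample text are assumptions made for illustration; editor text is never passed to eval(), and only names present in the registry run server-side code.

```php
<?php
declare(strict_types=1);

// Hypothetical registry: plugin name => handler. Only code deployed by an
// administrator lives here; editors reference names but never supply PHP.
$plugins = [
    'blah' => function (array $p): string {
        $v = ($p['param1'] ?? '') . '/' . ($p['param2'] ?? '');
        // Handlers get raw editor strings and must escape what they emit.
        return '<span>' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '</span>';
    },
];

/** Parse name="value" pairs from the inside of a [plugin ...] tag. */
function parsePluginAttributes(string $raw): array
{
    $attrs = [];
    preg_match_all('/([a-z][a-z0-9_]*)="([^"\]]*)"/i', $raw, $m, PREG_SET_ORDER);
    foreach ($m as $pair) {
        $attrs[strtolower($pair[1])] = $pair[2];
    }
    return $attrs;
}

/** Render editor text: escape everything, expand only registered plugins. */
function renderNewsItem(string $text, array $plugins): string
{
    $out = '';
    $pos = 0;
    preg_match_all('/\[plugin\s+([^\]]*)\]/i', $text, $tags, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);
    foreach ($tags as $tag) {
        [$full, $offset] = $tag[0];
        $out .= htmlspecialchars(substr($text, $pos, $offset - $pos), ENT_QUOTES, 'UTF-8');
        $attrs = parsePluginAttributes($tag[1][0]);
        $name = $attrs['name'] ?? '';
        unset($attrs['name']);
        // Unknown plugin names stay inert: the tag is shown as escaped text.
        $out .= isset($plugins[$name])
            ? $plugins[$name]($attrs)
            : htmlspecialchars($full, ENT_QUOTES, 'UTF-8');
        $pos = $offset + strlen($full);
    }
    return $out . htmlspecialchars(substr($text, $pos), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a registered tag, an unknown plugin, and a PHP block.
$sample = 'News [plugin name="blah" param1="a" param2="<b>"] and '
        . '[plugin name="nope"] and <?= 1+1 ?>';
echo renderNewsItem($sample, $plugins), "\n";
```

In the constructed sample, the `<?= 1+1 ?>` block and the unregistered tag come out as escaped literal text, and only the registered handler produces markup.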