A safer alternative to eval() would be to store in the database the object name, the method and the arguments, so you can use call_user_func().
I highly recommend you whitelist the allowed calls (that is, make a list of possible objects and methods that can be called). I had a similar need once, but I stored code in XML. If you allow users to input code that will be run, you're allowing them to "mysql_query('DROP DATABASE BLABLA');" to say the least.

Take care!
dfcp

On Friday, August 10, 2012 5:20:36 AM UTC-3, Sanjeev Divekar wrote:
>
> Hello,
>
> I am developing a CMS which needs to execute some PHP code, e.g. <?php echo $this->element('helpbox'); ?>, which is stored in the database.
>
> I tried
> file_put_contents ('tempfile.tmp',$this->fetch('content'));
> include('tempfile.tmp');
> in the layout, which works
>
> but any better idea?
>
> Regards,
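
The approach suggested in the reply above (store the object name, method and arguments, then dispatch through an allowlist), sketched as an added example that is not code from the thread or from CakePHP. The names ElementRenderer, allowedCalls and runStoredCall, the "object.method" key format and the JSON row layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the view object whose element() the stored call targets.
final class ElementRenderer {
    public function element(string $name): string {
        return '<div class="element">' . htmlspecialchars($name, ENT_QUOTES) . '</div>';
    }
}

// Allowlist: "object.method" => [callable, exact argument count].
// Anything not listed can never run, whatever the database row holds.
function allowedCalls(ElementRenderer $view): array {
    return ['view.element' => [[$view, 'element'], 1]];
}

// $row is one decoded record: ['object' => ..., 'method' => ..., 'args' => [...]].
function runStoredCall(array $row, array $allowed): string {
    $object = $row['object'] ?? null;
    $method = $row['method'] ?? null;
    $args   = $row['args'] ?? null;
    if (!is_string($object) || !is_string($method) || !is_array($args)) {
        throw new InvalidArgumentException('malformed stored call');
    }
    $key = "$object.$method";
    if (!array_key_exists($key, $allowed)) {
        throw new DomainException("call not allowed: $key");
    }
    [$callable, $argc] = $allowed[$key];
    // Arguments are data only: exactly $argc plain strings.
    if (count($args) !== $argc || count(array_filter($args, 'is_string')) !== $argc) {
        throw new InvalidArgumentException("bad arguments for $key");
    }
    return (string) call_user_func_array($callable, array_values($args));
}

// Constructed sample rows, as they might be stored as JSON in a content table.
$rows = [
    '{"object":"view","method":"element","args":["helpbox"]}',
    '{"object":"db","method":"query","args":["DROP DATABASE BLABLA"]}',
];
$allowed = allowedCalls(new ElementRenderer());
foreach ($rows as $json) {
    try {
        echo runStoredCall(json_decode($json, true) ?? [], $allowed), "\n";
    } catch (InvalidArgumentException | DomainException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first row renders the helpbox element; the second is rejected because "db.query" is not in the allowlist, so the stored string is never interpreted as code.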