A safer alternative to eval() would be to store in the database the object 
name, the method and the arguments, so you can use call_user_func().

I highly recommend that you whitelist the allowed calls (that is, make a 
list of possible objects and methods that can be called).

I had a similar need once, but I stored code in XML. If you allow users to 
input code that will be run, you're allowing them to "mysql_query('DROP 
DATABASE BLABLA');" to say the least. 

Take care!

dfcp 

On Friday, August 10, 2012 5:20:36 AM UTC-3, Sanjeev Divekar wrote:
>
> Hello,
>
> I am developing a CMS which needs to execute some PHP code, e.g. <?php echo 
> $this->element('helpbox'); ?>, which is stored in the database.
>
> I tried 
> file_put_contents ('tempfile.tmp',$this->fetch('content'));
> include('tempfile.tmp');
> in the layout, which works,
>
> but is there any better idea?
>
> Regards,
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.
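The whitelist-plus-call_user_func() approach dfcp describes, as an added illustration (this is not code from the thread or from CakePHP): the database row holds only an object name, a method name and JSON-encoded arguments, and the dispatcher refuses anything that is not on an explicit list before calling it. The ViewHelper class, the StoredCallDispatcher class and the $rows array are invented stand-ins for the CMS's own objects and for what a SELECT would return.

```php
<?php
// Added example (not from the original thread): dispatching stored "calls"
// through an explicit whitelist with call_user_func_array() instead of
// eval()'ing or include()'ing PHP source fetched from the database.
// ViewHelper, StoredCallDispatcher and $rows are constructed for illustration.

declare(strict_types=1);

// Hypothetical view helper standing in for the CMS's own view object;
// element() plays the role of $this->element('helpbox') in the question.
final class ViewHelper
{
    public function element(string $name, array $vars = []): string
    {
        $text = htmlspecialchars((string) ($vars['text'] ?? ''), ENT_QUOTES, 'UTF-8');
        return sprintf('<div class="%s">%s</div>', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), $text);
    }

    public function link(string $title, string $url): string
    {
        return sprintf('<a href="%s">%s</a>',
            htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));
    }
}

final class StoredCallDispatcher
{
    /** @var array<string, object> object name => instance */
    private array $objects;

    /** @var array<string, array<string, int>> object name => method => max argument count */
    private array $allowed;

    public function __construct(array $objects, array $allowed)
    {
        $this->objects = $objects;
        $this->allowed = $allowed;
    }

    /**
     * $row is what the database holds: object name, method name and a JSON
     * argument list. Anything not explicitly whitelisted is refused, and the
     * stored text is never interpreted as PHP code.
     */
    public function dispatch(array $row): string
    {
        $object = (string) ($row['object'] ?? '');
        $method = (string) ($row['method'] ?? '');

        if (!isset($this->allowed[$object][$method])) {
            throw new InvalidArgumentException("Call {$object}::{$method} is not whitelisted");
        }

        // JSON only ever yields scalars and arrays: no objects, no code.
        $args = json_decode((string) ($row['args'] ?? '[]'), true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($args) || count($args) > $this->allowed[$object][$method]) {
            throw new InvalidArgumentException("Bad argument list for {$object}::{$method}");
        }

        // array_values() keeps string keys from being treated as named arguments on PHP 8.
        return (string) call_user_func_array([$this->objects[$object], $method], array_values($args));
    }
}

$dispatcher = new StoredCallDispatcher(
    ['view' => new ViewHelper()],
    ['view' => ['element' => 2, 'link' => 2]]
);

// Constructed rows standing in for what a SELECT on the content table would return.
$rows = [
    ['object' => 'view', 'method' => 'element', 'args' => '["helpbox", {"text": "Need help?"}]'],
    ['object' => 'view', 'method' => 'link',    'args' => '["Docs", "/docs"]'],
    // Not on the whitelist: refused instead of executed.
    ['object' => 'db',   'method' => 'query',   'args' => '["DROP DATABASE blabla"]'],
];

foreach ($rows as $row) {
    try {
        echo $dispatcher->dispatch($row), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}
```

The whitelist maps each permitted method to the number of arguments it accepts, so a row cannot smuggle extra parameters into a method that happens to be allowed, and JSON is used for the arguments because json_decode() can only ever produce scalars and arrays, never code or serialized objects.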