Re: PHP Code in Database

2012-08-11 Thread djogo
A safer alternative to eval() would be to store in the database the object 
name, the method and the arguments, so you can use call_user_func().

I highly recommend that you whitelist the allowed calls (that is, make a 
list of the possible objects and methods that can be called).

I had a similar need once, but I stored code in XML. If you allow users to 
input code that will be run, you're allowing them to "mysql_query('DROP 
DATABASE BLABLA');" to say the least. 

Take care!

dfcp 

On Friday, August 10, 2012 5:20:36 AM UTC-3, Sanjeev Divekar wrote:
>
> Hello,
>
> I am developing a CMS which needs to execute some PHP code, e.g. <?php echo $this->element('helpbox'); ?>, which is stored in the database.
>
> I tried 
> file_put_contents ('tempfile.tmp',$this->fetch('content'));
> include('tempfile.tmp');
> in layout which works
>
> but is there any better idea?
>
> Regards,
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.




Re: PHP Code in Database

2012-08-11 Thread WyriHaximus
As mark says, eval can be very dangerous and should be avoided at all costs, 
especially in combination with user input. For my database-based pages that 
require more than just HTML/CSS/JS I use Twig to add dynamic possibilities 
without exposing more than required. (I also use it for view files, tbh.)

On Friday, August 10, 2012 7:03:48 PM UTC+2, euromark wrote:
>
> careful who has access to it, though
> using eval can be pretty dangerous - since it can execute any php code.
> so "normal users" should probably not have edit access.
>
> PS: in my case it was
> $res = eval("?>" . $str . "<?php ");
> to make it work in all cases
>
> the reason you need this is that you have HTML in it and php is only
> embedded there as <?php ?>
>
>
>

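Worked example added here (not code from the thread, from CakePHP or from Twig) of the allow-list approach djogo describes, applied to the kind of HTML-plus-dynamic-bits content WyriHaximus hands to a template engine: the stored row carries placeholders rather than PHP, and each placeholder is resolved through call_user_func_array() against a fixed map, so nothing outside that map can ever run. The placeholder syntax, renderStored() and the two closures are assumptions made for the example.

```php
<?php
// Added example (not code from the thread, from CakePHP or from Twig): render
// database-stored page content without eval(). The row holds plain HTML plus
// placeholders such as {{ helpbox(login) }}; each placeholder name must be on
// an allow-list that maps it to a callable, which is then invoked through
// call_user_func_array(). Unknown names are dropped and logged. Needs PHP 7+.
declare(strict_types=1);

// Allow-list: placeholder name => callable. Nothing outside this map can run.
// The closures are hypothetical stand-ins for what $this->element('helpbox')
// and similar view helpers would produce in CakePHP.
$allowed = [
    'helpbox' => function (string $topic = 'general'): string {
        $safe = htmlspecialchars($topic, ENT_QUOTES, 'UTF-8');
        return '<div class="helpbox">Help on: ' . $safe . '</div>';
    },
    'sitename' => function (): string {
        return 'Example CMS';
    },
];

/**
 * Replace every {{ name }} or {{ name(arg, arg) }} placeholder in $content
 * with the result of the allow-listed callable of that name.
 * Arguments are bare words (letters, digits, underscore) passed as strings.
 */
function renderStored(string $content, array $allowed): string
{
    $pattern = '/\{\{\s*([A-Za-z_]\w*)\s*(?:\(([\w\s,]*)\))?\s*\}\}/';

    return preg_replace_callback($pattern, function (array $m) use ($allowed): string {
        $name = $m[1];
        if (!array_key_exists($name, $allowed)) {
            // Not on the allow-list: refuse, leave an audit trail, emit nothing.
            error_log("renderStored: rejected placeholder '{$name}'");
            return '';
        }
        $args = [];
        // Group 2 is absent when the placeholder has no argument list.
        if (isset($m[2]) && trim($m[2]) !== '') {
            $args = array_map('trim', explode(',', $m[2]));
        }
        return call_user_func_array($allowed[$name], $args);
    }, $content);
}

// Constructed sample of a stored row: two valid placeholders and one that
// names a callable the allow-list does not contain.
$stored = '<h1>{{ sitename }}</h1>' . "\n"
        . '{{ helpbox(login) }}' . "\n"
        . '<p>{{ dump_users }}</p>';

echo renderStored($stored, $allowed), PHP_EOL;
```

Arguments arrive as strings and are escaped by the callee before they reach the page, so a stored row can select which helper runs and with what label, but never supply code.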




Re: PHP Code in Database

2012-08-10 Thread Sanjeev Divekar
Thanks euromark

On Fri, Aug 10, 2012 at 10:33 PM, euromark wrote:

> careful who has access to it, though
> using eval can be pretty dangerous - since it can execute any php code.
> so "normal users" should probably not have edit access.
>
> PS: in my case it was
> $res = eval("?>" . $str . "<?php ");
> to make it work in all cases
>
> the reason you need this is that you have HTML in it and php is only
> embedded there as <?php ?>



-- 
Warm Regards,
Sanjeev
http://sanjeevdivekar.wordpress.com





Re: PHP Code in Database

2012-08-10 Thread euromark
careful who has access to it, though
using eval can be pretty dangerous - since it can execute any php code.
so "normal users" should probably not have edit access.

PS: in my case it was
$res = eval("?>" . $str . "<?php ");
to make it work in all cases

the reason you need this is that you have HTML in it and php is only
embedded there as <?php ?>



On Friday, 10 August 2012 18:24:23 UTC+2, sanjeev wrote:
>
> Thanks Tilen,
>
> This following code works
> $content = $this->fetch('content');
> echo eval('?>'.$content);
>
> can you explain why i need to prefix ?> before $content?
>
> On Fri, Aug 10, 2012 at 3:43 PM, Tilen Majerle wrote:
> -- 
> Warm Regards,
> Sanjeev
> http://sanjeevdivekar.wordpress.com
>  





Re: PHP Code in Database

2012-08-10 Thread Sanjeev Divekar
Thanks Tilen,

The following code works
$content = $this->fetch('content');
echo eval('?>'.$content);

can you explain why i need to prefix ?> before $content?

On Fri, Aug 10, 2012 at 3:43 PM, Tilen Majerle wrote:

> ok, i understand...
> allow the user to write some, idk, PHP code, save it in the database and then
> use PHP's eval.
>
> http://si2.php.net/manual/en/function.eval.php
>
> eval will execute code :)
> --
> Best regards, Tilen Majerle
> http://majerle.eu



-- 
Warm Regards,
Sanjeev
http://sanjeevdivekar.wordpress.com

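Added example (not code from the thread) answering the question above with euromark's explanation: eval() begins parsing in PHP mode, so stored content that starts with HTML only parses once a leading '?>' switches the parser to inline-HTML mode, the same state a template file starts in. runStored() and the sample content string are constructed for the demonstration; in CakePHP the content would come from $this->fetch('content').

```php
<?php
// Added example (not code from the thread): why eval() needs the '?>' prefix.
// eval() starts parsing its argument in PHP mode, as if an opening <?php tag
// were already there. Stored CMS content starts with HTML, so without the
// prefix the parser hits "<p>" as PHP and throws a ParseError (PHP 7+).
// A leading '?>' switches to inline-HTML mode first, so the string is read
// like a normal template file. The prefix changes only the initial parse
// mode: every <?php ... ?> block inside the string is still executed.
declare(strict_types=1);

function runStored(string $content, bool $withPrefix): string
{
    ob_start();                       // capture what the evaluated code prints
    try {
        eval(($withPrefix ? '?>' : '') . $content);
    } catch (ParseError $e) {
        ob_end_clean();               // discard the (empty) buffer on failure
        return 'ParseError: ' . $e->getMessage();
    }
    return ob_get_clean();
}

// Constructed stand-in for a database row: HTML with one embedded PHP block.
$content = '<p>Hi <?php echo 1 + 1; ?></p>';

echo runStored($content, false), PHP_EOL;  // the leading HTML is rejected as PHP code
echo runStored($content, true), PHP_EOL;   // the HTML passes through and the block runs inside it
```

eval() itself returns null unless the evaluated code executes a return statement, which is why `echo eval('?>' . $content)` prints nothing beyond what the content already wrote.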




Re: PHP Code in Database

2012-08-10 Thread Tilen Majerle
ok, i understand...
allow the user to write some, idk, PHP code, save it in the database and then
use PHP's eval.

http://si2.php.net/manual/en/function.eval.php

eval will execute code :)
--
Best regards, Tilen Majerle
http://majerle.eu



2012/8/10 Sanjeev Divekar 

> No it's not cache. I want to execute user defined PHP code in my view.
>
>
> On Fri, Aug 10, 2012 at 2:31 PM, Tilen Majerle wrote:
>
>
>
> --
> Warm Regards,
> Sanjeev
> http://sanjeevdivekar.wordpress.com
>





Re: PHP Code in Database

2012-08-10 Thread Sanjeev Divekar
No it's not cache. I want to execute user defined PHP code in my view.

On Fri, Aug 10, 2012 at 2:31 PM, Tilen Majerle wrote:

> it sounds like you cache some view. Why don't you just use Cache by
> CakePHP?
> http://book.cakephp.org/2.0/en/core-libraries/caching.html
> --
> Best regards, Tilen Majerle
> http://majerle.eu
>
>
>



-- 
Warm Regards,
Sanjeev
http://sanjeevdivekar.wordpress.com





Re: PHP Code in Database

2012-08-10 Thread Tilen Majerle
it sounds like you cache some view. Why don't you just use Cache by
CakePHP?
http://book.cakephp.org/2.0/en/core-libraries/caching.html
--
Best regards, Tilen Majerle
http://majerle.eu



2012/8/10 sanjeev 

> Hello,
>
> I am developing a CMS which needs to execute some PHP code, e.g. <?php echo $this->element('helpbox'); ?>, which is stored in the database.
>
> I tried
> file_put_contents ('tempfile.tmp',$this->fetch('content'));
> include('tempfile.tmp');
> in layout which works
>
> but any better Idea?
>
> Regards,
>
>
