Newgrounds.com — Everything, By Everyone.

hi all,

Im quite new to php and mysql but i am making a CMS for my self just to try out new skills and stuff.

And everything is great apart from if i go into my admin area and enter PHP with the <?php ?> tags around in like say the content box (instead of just plan text)

when you go to the public site it does not run the php or even just echo the php on the screen as text but if you go to view page source (on Firefox for me) i can see the php but its in a pink text like is been converted into a comment or something.

does anyone know what could be causing this? i followed a tutorial on how to make my CMS and the only thing i can think that might do it is magic quotes?

Does anyone agree or no how to fix it to let my data pulled from the Mysql data base be viewed as php?

its as if when data is pulled from the databases it does not know what to do with it and just turns it into a comment or something.

here is the code in a function:

function blog_content() {

$output = "<ul>";
$subject_set = get_all_blog_public();
/*while loops to get subject */
while ($subject = mysql_fetch_array($subject_set)) {
/*echo the subject */
$output .= "-<a href=\"blog.php?num=" ;
$output .= urlencode($subject["id"]) ."\">";
$output .= ucfirst($subject["menu_name"]);

$output .= "</a><br/><br>";
}
$output .= "</ul>";

return $output;
}

and here its the bit that pulls the what ever is in the database and shows it on the public page:

echo nl2br($sel_subject['content']);

and i want it to echo this:

echo blog_content();

but does not work all i get its

<?php echo blog_content(); ?> in pink on the html side..

anyone help?

Thanks Eli

I don't really understand it... is this all in the same file?

At 11/5/09 01:24 PM, Super-Yombario wrote: I don't really understand it... is this all in the same file?

no its lots of files.

but the problem is basically that <?php ?> tag does not work when being pulled from a data base from what im seeing and i dont know why.

wait... you put php tags in a database field? No wonder!!

I'm assuming your database field is a varchar or a longtext or something, which is a string. Strings cannot be processed! If you want to do that, then just write:

'.whatever_function().'

...so the PHP will perform that function and return the value it outputs to the echo command.

Don't run PHP from a database -.-

Its horrible unsafe and very prone to hacking..

If you really wanted to you would use eval(), but don't.

yes that's what im trying to do but its not working still fields are text i have tried putting:

'.echo blog().'
'.blog().'
blog();
echo blog();
<?php '.echo blog().' ?>

but nothing has worked... i guess im doig something wrong still.

At 11/5/09 04:29 PM, Relish wrote: Don't run PHP from a database -.-

Its horrible unsafe and very prone to hacking..

If you really wanted to you would use eval(), but don't.

im quite confused because im sure the CMS frog uses php in database..

are you at any time using mysql_escape_string? That would cause it to fail.

If it's online, link it to me, I'll see if I can find the fault in the site.

At 11/5/09 04:54 PM, Super-Yombario wrote: are you at any time using mysql_escape_string? That would cause it to fail.

If it's online, link it to me, I'll see if I can find the fault in the site.

this one:

function mysql_prep( $value ) {
		$magic_quotes_active = get_magic_quotes_gpc();
		$new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
		if( $new_enough_php ) { // PHP v4.3.0 or higher
			// undo any magic quote effects so mysql_real_escape_string can do the work
			if( $magic_quotes_active ) { $value = stripslashes( $value ); }
 			$value = mysql_real_escape_string( $value );
		} else { // before PHP v4.3.0
			// if magic quotes aren't already on then add slashes manually
			if( !$magic_quotes_active ) { $value = addslashes( $value ); }
			// if magic quotes are active, then the slashes already exist
		}
		return $value;
	}

if so then yes.
Im not really sure wat this code does thou cuz like i said at the start i just followed tutorial.

* Facepalm *

CMS's arent meant to store PHP, mainly user interface content.

http://css-tricks.com/php-for-beginners-
building-your-first-simple-cms/

To state the issue very clearly:
Outputting a string to the client will not execute it as php code. Yet, that is what you tried to do. Save php code as a file and include that file instead. Using eval also works, but should not be done, due to performance issues.