Question

If I have PHP within my database, can I use that? Specifically, I have <?php echo $email; ?> in a column called content. On a protected page called user I call on the content column and spit out a page, similar to what a blog would do within a mysqli while loop. When I look into my database, though, I see the content is actually the full <?php echo $email; ?> rather than the actual variable that was posted with a form.

Edit:

Also, I'm looking within Firebug to see what shows up for the value within the form, and it is indeed the full echo statement. The echo statement is pulled from the database as part of a stored form. Is this not good practice? If so, how can this be done? Am I missing something?

Further info: I am using mysqli escape string to input the data.

I've got a script that echoes out the content for the page. In this case the content from the database is a form which includes a hidden field for email. This way I can tell who's posting to the database so that we can establish a connection.

Within the original page are active variables that are included on this particular page. I'm including in the form from the database a field like so:

<input type="hidden" id="email" value="<?php echo $email; ?>" />

Normally the echo would work, but I'm not sure why it's not. That is why I ask whether the fact that the input field is coming from the database has any bearing on its not echoing the variables already located within the page.

Further example for explanation:

<?php
include_once "includes/db_conx.php";
$sql = "SELECT * FROM course ORDER BY id DESC";
$sql_page = mysqli_query($db_conx, $sql);
while ($row = mysqli_fetch_array($sql_page)) {
    $email = $row["email"];
}
?>

That's the email on the actual user.php page.

Now user.php also has an area for content:

<?php
include_once "includes/db_conx.php";
$sql = "SELECT * FROM content ORDER BY id DESC LIMIT 1";
$sql_page = mysqli_query($db_conx, $sql);
while ($row = mysqli_fetch_array($sql_page)) {
    $content = $row["content"];
}
?>

We'll say that the content looks like this:

    <form>
        <input type="hidden" id="email" value="<?php echo $email; ?>" />
        <!-- ... -->
    </form>

This also outputs on user.php. Notice that user.php does have $email. How are you saying to approach this? How else can I echo this?


Solution

Based on the comments, I'd say a quick answer is to check the linked article in my first comment. Yes, the problem is that your form output code is likely expecting data in a variable and not code. You need to eval() the variable in order to actually execute the code contained within. However, this is not best practice.

A better solution would be to just store the contents of $email in the DB and just send that to your form.

It's the difference between:

$x = '<?php echo $hello ?>';   // a string that happens to contain PHP, not a value

$outstr = "<input type='hidden' value='$x'>";
// no, this won't work unless you use eval($x)

EDIT:

Based on your explanation above with content, you may just need a way to ignore everything between the tags in content and replace it with the actual content? I'm assuming you can't change the DB design...

Two quick & dirty & perhaps unsafe things you can try are:

include("data:,$content");   // data:// wrapper; needs allow_url_include=On
// or
eval('?>' . $content);       // '?>' drops eval() into HTML mode, so the stored <?php ... ?> tags run

Or you can replace with regex:

// Single quotes are required here: in a double-quoted string "\$" becomes a
// bare "$" (an end-of-subject anchor) and the pattern would never match.
$phpTagPattern = '#<\?.*?(echo)\s+(\$\w+);.*?(\?>|$)#s';  // just searching specifically
                          // for <?php echo $varname; ?>  to replace with $varname;
$replacePattern = '$2'; // this may need some cleaning/debugging here. It's late...
$newContent = preg_replace($phpTagPattern, $replacePattern, $content);

Then you're still going to have to parse_str to get the variable contents anyway... somewhat safer than executing code, perhaps.

echo parse_str($newContent); // should get you to the actual contents of the $email variable

This all might be more easily achieved with the tokenizer extension: http://www.php.net/manual/en/tokenizer.examples.php You'd be searching for T_OPEN_TAG and T_CLOSE_TAG.

For a high-level Better Way To Do This (TM) kind of explanation, it would make more sense to simply store your actual data in the database, and put the content into a templating engine like Smarty. Then you create the shell of the form and just pass variables to it where needed. Keep data separate from logic, and output/formatting markup separate still.
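As an added example (not code from the question or the answer), here is the tag-substitution idea from the answer carried through without eval(), include() or parse_str(): each stored <?php echo $var; ?> is resolved against an explicit allow-list of variables and HTML-escaped before it is inserted, so a row in the content table can never execute code or break out of the attribute. The renderStoredContent() function and the $allowed array are assumptions of this example, and the sample content string is constructed to match the form in the question.

```php
<?php
declare(strict_types=1);

/**
 * Replace every "<?php echo $name; ?>" in $content with the HTML-escaped value
 * of $vars['name']. Names that are not in $vars are replaced with an empty
 * string rather than left in place, so no raw PHP tag ever reaches the browser
 * and nothing stored in the database is ever executed.
 */
function renderStoredContent(string $content, array $vars): string
{
    // Single-quoted so that \$ reaches PCRE as an escaped dollar sign.
    $pattern = '#<\?(?:php)?\s*echo\s+\$(\w+)\s*;?\s*\?>#s';

    return preg_replace_callback($pattern, function (array $m) use ($vars): string {
        $name = $m[1];
        if (!array_key_exists($name, $vars)) {
            return ''; // not on the allow-list: drop it
        }
        // ENT_QUOTES escapes both " and ', so the value stays inside the attribute.
        return htmlspecialchars((string) $vars[$name], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $content);
}

// Constructed sample of what the "content" column holds (same form as the question).
$content = '<form><input type="hidden" id="email" value="<?php echo $email; ?>" /></form>';

// Only the variables listed here can be referenced by stored content.
$allowed = ['email' => 'alice@example.com'];
echo renderStoredContent($content, $allowed), PHP_EOL;

// A value containing quotes and angle brackets is escaped, not interpreted as markup.
echo renderStoredContent($content, ['email' => '"Alice" <alice@example.com>']), PHP_EOL;

// A stored tag naming a variable outside the allow-list is removed rather than resolved.
echo renderStoredContent('<?php echo $db_password; ?>', $allowed), PHP_EOL;
```

Compared with eval('?>' . $content), this only ever substitutes text: a stored row can ask for a listed variable by name, but it cannot run any PHP of its own.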

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow