I am storing in a mySQL table the HTML/PHP content of individual slides to be displayed on a single page.
我正在一个mySQL表中存储将显示在单个页面上的各个幻灯片的HTML/PHP内容。
Here is an example of HTML/PHP code stored in the mySQL table:
下面是存储在mySQL表中的HTML/PHP代码示例:
<p>Welcome <?php echo $userData['fname']; ?>!</p>
<p>You made it to the first slide!</p>
I retrieve the content of the slides in PHP with the following code:
我用以下代码检索PHP中的幻灯片内容:
<?php
$fetchedPageSlideData = mysql_query("SELECT * FROM pageSlides WHERE pageID = $pageID ORDER BY 'order' DESC") or die(mysql_error());
while ($pageSlideData = mysql_fetch_array($fetchedPageSlideData)) {
$pageSlideContent = $pageSlideData['content']; ?>
<div><?php echo $pageSlideContent; ?></div>
<?php }
?>
All of the HTML of the content displays correctly, but the PHP is inserted as follows:
所有内容的HTML都显示正确,但插入PHP如下:
<!--?php echo $userData['fname']; ?-->
So the PHP is commented out and doesn't display.
PHP被注释掉了,没有显示。
How can I retrieve the HTML/PHP code and have the PHP not commented out?
如何检索HTML/PHP代码,并且不注释PHP ?
3 个解决方案
#1
2
It might be a better idea to use placeholder strings in the DB data. Executing arbitrary php code from a DB can be dangerous. PHP is Evil
在DB数据中使用占位符字符串可能是个更好的主意。从数据库中执行任意的php代码可能是危险的。PHP是邪恶的
#2
1
Look into PHP function eval(): http://php.net/manual/en/function.eval.php
查看PHP函数eval(): http://php.net/manual/en/function.eval.php
#3
0
Dropping in and out of the PHP interpreter makes your code rather difficult to read. Consider:
插入和退出PHP解释器会使您的代码难于阅读。考虑:
<?php
$f = mysql_query(
"SELECT *
FROM pageSlides
WHERE pageID = $pageID
ORDER BY 'order' DESC"
) or die(mysql_error());
while ($d = mysql_fetch_array($f)) {
print "<div>" . $d['content'] . "</div>\n";
}
Regardless there is no implicit nor explicit mechanism here which would inject the comment tags you've presented. However it may be the browser trying to make sense of the unescaped html code and <?php ... ?> tags.
无论如何,这里没有隐式或显式机制来注入您所呈现的注释标记。但是,可能是浏览器试图理解未转义的html代码和 标记。
Try:
试一试:
print "<div>" . htmlentities($d['content']) . "</div>\n";
As a side note, you might consider using
作为补充说明,您可以考虑使用
print "<div>" . highlight_string($d['content']) . "</div>\n";
Or do you mean that you actually want to run the code stored in the database - if so, you're asking for a world of pain. Eval is not evil - but you really must know what you're doing to avoid getting bitten by it.
或者你的意思是你真的想运行存储在数据库中的代码——如果是的话,你是在要求一个痛苦的世界。Eval不是邪恶的——但你必须知道自己在做什么,以免被它咬伤。
#1
2
It might be a better idea to use placeholder strings in the DB data. Executing arbitrary php code from a DB can be dangerous. PHP is Evil
在DB数据中使用占位符字符串可能是个更好的主意。从数据库中执行任意的php代码可能是危险的。PHP是邪恶的
#2
1
Look into PHP function eval(): http://php.net/manual/en/function.eval.php
查看PHP函数eval(): http://php.net/manual/en/function.eval.php
#3
0
Dropping in and out of the PHP interpreter makes your code rather difficult to read. Consider:
插入和退出PHP解释器会使您的代码难于阅读。考虑:
<?php
$f = mysql_query(
"SELECT *
FROM pageSlides
WHERE pageID = $pageID
ORDER BY 'order' DESC"
) or die(mysql_error());
while ($d = mysql_fetch_array($f)) {
print "<div>" . $d['content'] . "</div>\n";
}
Regardless there is no implicit nor explicit mechanism here which would inject the comment tags you've presented. However it may be the browser trying to make sense of the unescaped html code and <?php ... ?> tags.
无论如何,这里没有隐式或显式机制来注入您所呈现的注释标记。但是,可能是浏览器试图理解未转义的html代码和 标记。
Try:
试一试:
print "<div>" . htmlentities($d['content']) . "</div>\n";
As a side note, you might consider using
作为补充说明,您可以考虑使用
print "<div>" . highlight_string($d['content']) . "</div>\n";
Or do you mean that you actually want to run the code stored in the database - if so, you're asking for a world of pain. Eval is not evil - but you really must know what you're doing to avoid getting bitten by it.
或者你的意思是你真的想运行存储在数据库中的代码——如果是的话,你是在要求一个痛苦的世界。Eval不是邪恶的——但你必须知道自己在做什么,以免被它咬伤。