PHP: How can variables stored in a blob field, and then have them populated later?

abefroman · 11-22-2009, 04:14 PM

I am making a script based on php and mysql.

How can variables stored in a blob field, and then have them populated in the script later?

I have:

Code:

<?php

//database stuff
$msg=$query_data[0];

$firstname="Abe";
$lastname="Froman";

echo $msg;

?>

But that is outputing

Code:

Hello $firstname $lastname

Instead of:

Code:

Hello Abe Froman

The blob field that is returned in $query_data[0]; is:

Code:

Hello $firstname $lastname

Why isn't this populating the variables in the message string, with the variables declared in the script?

TIA

maslik · 11-22-2009, 04:32 PM

How are you actually inserting the data to your database?

It looks like you have misplaced apostrophe with quote mark. If you write

Code:

echo 'Hello $firstname $lastname';

It will return Hello $firstname $lastname, but if you write

Code:

echo "Hello $firstname $lastname"

it will return Hello Abe Froman.

So check your script at the place of inserting data to your database.
Hope, that this will help.

abefroman · 11-22-2009, 04:41 PM

Quote:

Originally Posted by maslik

How are you actually inserting the data to your database?

It looks like you have misplaced apostrophe with quote mark. If you write

Code:

echo 'Hello $firstname $lastname';

It will return Hello $firstname $lastname, but if you write

Code:

echo "Hello $firstname $lastname"

it will return Hello Abe Froman.

So check your script at the place of inserting data to your database.
Hope, that this will help.

So
echo "$msg";
instead of
echo $msg;
?

maslik · 11-22-2009, 04:47 PM

Quote:

Originally Posted by abefroman

So
echo "$msg";
instead of
echo $msg;
?

No, I don't mean that. That would be the same. In my opinion you must have Hello $firstname $lastname in your database. I think, that you don't insert the values to your database, but the variables name. Please check the code, where you insert the data to your database.

The part of code you have posted is alright the way I understand it.

abefroman · 11-22-2009, 04:54 PM

Quote:

Originally Posted by maslik

No, I don't mean that. That would be the same. In my opinion you must have Hello $firstname $lastname in your database. I think, that you don't insert the values to your database, but the variables name. Please check the code, where you insert the data to your database.

The part of code you have posted is alright the way I understand it.

here is the full code for my database insert:

Code:

<?php

include('connect.php');

$query="INSERT INTO messages (mname,mbody,msubject) VALUES ('$mname','$mbody','$msubject')";
$result=mysql_query($query);
echo "Insert Successful!";
echo mysql_error();

?>

It gets the values from mname mbody and msubject from the post results from a form.

mbody is a textarea, and in the textarea it put
Hello $firstname $lastname

Should I be putting quotes around what I enter in the textarea?

abefroman · 11-22-2009, 10:57 PM

Fixed, I had to use eval on the variable.

Guttorm · 11-23-2009, 07:14 AM

Hi

Just a warning. When you use eval like that, remember to be very careful checking the input. What is going to stop people from posting all kinds of PHP code in the textarea? Since stuff like exec is possible, you are basically giving a shell to everyone.

Generally speaking, most of the time when eval is used, you should think twice about the design. Can you do it without using eval? If you have to use it, you need to carefully filter the input.

abefroman · 11-23-2009, 09:51 AM

Quote:

Originally Posted by Guttorm

Hi

Just a warning. When you use eval like that, remember to be very careful checking the input. What is going to stop people from posting all kinds of PHP code in the textarea? Since stuff like exec is possible, you are basically giving a shell to everyone.

Generally speaking, most of the time when eval is used, you should think twice about the design. Can you do it without using eval? If you have to use it, you need to carefully filter the input.

What is an alternative method to eval, when trying to populate variables in the results of a query?

Guttorm · 11-23-2009, 10:14 AM

Hmm. I don't really know what you are trying to do. But you have a web page where people are supposed to enter PHP code? If so, I guess you have a list of variables they can use? Then simply changing the strings will be a lot safer.

$msg = str_replace('$firstname',$firstname,$msg);
$msg = str_replace('$lastname',$lastname,$msg);

My point is, whenever you use eval, you have to be careful about what you send to it. Typical use of eval:

eval("\$str = \"$str\";");

If $str comes from user input (a textarea?), you could for example enter this for input:

".file_get_contents("/etc/passwd")."

abefroman · 11-23-2009, 10:16 AM

Thanks! I thought of the str_replace too.

I'll probalby switch to that!