[PHP] parsing variables inside a variable?

2004-01-29 Thread jimbo
Hi,

I have a query regarding variable parsing.

I have some text in a MySQL database in which I have included some variable
names.  Eg (but w/o quotes): "thankyou $name for registering on our web
site".

I query and use mysql_fetch_array to get the data into an associative array.
I then build a string and output it like this:
echo "blah blah ".$row["thecolumn"]." blah blah";

However, the output is simply: "blah blah thankyou $name for registering on
our web site blah blah" - i.e. $name does not get parsed.  I have tried
wrapping $name with curly brackets in the database but that doesn't help and
I have also tried using both addslashes and removeslashes on
$row["thecolumn"] and I have also tried this: echo "blah blah
$row['thecolumn'] blah blah" - again both with and without curly brackets.

Nothing seems to work.  Is what I am trying to do possible?

Thanks in advance,
James Holt
--

www.jholt.co.uk : affordable business website solutions
www.htpshareware.com : software for the disorganized


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: parsing variables inside a variable?

2004-01-30 Thread jimbo
Thanks Justin, I was aware of that method but wanted to avoid it if possible.
However, another person explained to me that eval() can be used to force PHP
to evaluate (i.e. parse) the variables; just thought I'd let you know for
your future reference.

James

--

www.jholt.co.uk : affordable business website solutions
www.htpshareware.com : software for the disorganized


"You don't needs eyes to see, you need vision" - Maxi Jazz

"Justin Patrin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Jimbo wrote:
>
> >
> > I query and use mysql_fetch_array to get the data into an associative
> > array.
> > I then build a string and output it like this:
> > echo "blah blah ".$row["thecolumn"]." blah blah";
> >
>
> What you need to understand is that the string parsing for variables
> only happens when the string is actually in your script. When you
> dynamically create a string (or get it from a DB) it's just a string of
> characters in memory and is *not* parsed.
>
> To do something like this, you would have to use one of a few things.
> The first would be to use some kind of search and replace to replace
> those variables with what you really want.
>
> $text = str_replace('$name', $name, $text);
>
> That's fairly simple and could even be done for multiple variables.
>
> foreach(array('name', 'price') as $varName) {
>     //yes, the $$ is correct
>     $text = str_replace('$'.$varName, $$varName, $text);
> }
>
> You could also use a regular expression if you *really* wanted to, but
> what's above is easier.
>
> --
> paperCrane 




Re: [PHP] parsing variables inside a variable?

2004-01-30 Thread jimbo
Great - thanks v. much Mike.  I don't know why there was no mention of
eval() in the section of the manual on Variable Parsing.

James

--

www.jholt.co.uk : affordable business website solutions
www.htpshareware.com : software for the disorganized


"You don't needs eyes to see, you need vision" - Maxi Jazz

"Mike Ford" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On 29 January 2004 14:56, jimbo wrote:
>
> > Hi,
> >
> > I have a query regarding variable parsing.
> >
> > I have some text in a MySQL database in which I have included some
> > variable names.  Eg (but w/o quotes): "thankyou $name for registering
> > on our web site".
> >
> > I query and use mysql_fetch_array to get the data into an associative
> > array. I then build a string and output it like this:
> > echo "blah blah ".$row["thecolumn"]." blah blah";
> >
> > However, the output is simply: "blah blah thankyou $name for
> > registering on our web site blah blah" - i.e. $name does not get
> > parsed.  I have tried wrapping $name with curly brackets in the
> > database but that doesn't help and I have also tried using both
> > addslashes and removeslashes on $row["thecolumn"] and I have also
> > tried this: echo "blah blah $row['thecolumn'] blah blah" - again both
> > with and without curly brackets.
> >
> > Nothing seems to work.  Is what I am trying to do possible?
>
> Yes, but you need to force PHP to re-evaluate the string you retrieve from
> the database -- normally, PHP just uses values retrieved at runtime as-is
> and doesn't do any special interpretation on them.
>
> The function you need to do this is eval() (http://www.php.net/eval), and
> one possible way of using it to achieve your desired result is (off the
> top of my head, untested):
>
>     eval('echo "blah {$row[\'thecolumn\']} blah";');
>
> Cheers!
>
> Mike
>
> -
> Mike Ford,  Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211





Re: [PHP] parsing variables inside a variable?

2004-01-31 Thread jimbo
Yes, when I checked out the manual page for eval() it did occur to me that it
did open up significant potential for abuse.  As it happens I am passing
user supplied values into these variables, but I validate all my input
anyway to prevent people from modifying my queries etc.  I have observed
that PHP doesn't seem to be very naturally defensive but I guess no
server-side scripting language is, except maybe JSP.

Cheers,
James

--

www.jholt.co.uk : affordable business website solutions
www.htpshareware.com : software for the disorganized


"You don't needs eyes to see, you need vision" - Maxi Jazz

"Mike Ford" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On 30 January 2004 12:35, jimbo wrote:
>
> > Great - thanks v. much Mike.  I don't know why there was no mention of
> > eval() in the section of the manual on Variable Parsing.
>
> Possibly because they didn't want to get into the security issues involved.
> It sounds like you're ok there, as you only intend putting very controlled
> values into the database.
>
> The problem comes if you're potentially eval()-ing user-supplied values that
> have been insufficiently validated.  Just suppose, for example, that it was
> possible for a user to somehow get a value such as 'system("rm
> /etc/passwds")' inserted into the database in a field that you then
> eval()...
>
> Cheers!
>
> Mike
>
> -
> Mike Ford,  Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
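
Added example, not part of any message in this thread: one way to fill `$name`-style placeholders in text fetched from the database without eval(), covering both the search-and-replace approach in Justin Patrin's reply and the concern raised in Mike Ford's reply above. `render_template()`, the sample row and the sample values are constructed for illustration, and PHP 7 or later is assumed.

```php
<?php
// Added example: placeholder substitution for stored text, with no eval().
// render_template() is a hypothetical helper; assumes PHP 7 or later.

/**
 * Replace $name or {$name} in $template with the matching entry of $values.
 * The stored text is only ever treated as data, never as PHP source.
 */
function render_template(string $template, array $values): string
{
    // Group 1 captures {$identifier}, group 2 captures $identifier.
    $pattern = '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/';

    return preg_replace_callback(
        $pattern,
        function (array $m) use ($values): string {
            $key = ($m[1] !== '') ? $m[1] : ($m[2] ?? '');
            if (!array_key_exists($key, $values)) {
                return $m[0]; // not on the allowlist: leave the text as it is
            }
            // Escape for HTML output so a value cannot inject markup.
            return htmlspecialchars((string) $values[$key], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed sample standing in for the row from mysql_fetch_array().
$row = [
    'thecolumn' => 'thankyou $name for registering, the fee is {$price}. '
                 . '$other system("rm /etc/passwds")',
];

// Constructed user-supplied values; the name deliberately contains markup
// and the text "$price" to show that replaced values are not scanned again.
$values = [
    'name'  => '<b>Bob</b> $price',
    'price' => '10',
];

echo 'blah blah ' . render_template($row['thecolumn'], $values) . " blah blah\n";
```

Because the substitution is a single pass over the stored text, a `$price` that arrives inside a user-supplied value stays literal, whereas a loop of successive str_replace() calls would substitute it on a later iteration. The system(...) text from the quoted message comes out as plain characters, since nothing in the row is ever handed to the PHP parser.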




[PHP] looks like the spammers got through anyway

2004-02-24 Thread jimbo
I've just received a 419 scam email to the email address I set up for posting
to this forum.  Looks like the safeguards have failed :-(

James Holt

--

www.jholt.co.uk : affordable business website solutions
www.htpshareware.com : software for the disorganized


"You don't needs eyes to see, you need vision" - Maxi Jazz
