Entering PHP Code Directly into a Record
5 posts by 2 authors in: Forums > CMS Builder
Last Post: April 11, 2011
By Perchpole - April 11, 2011
Currently, if you enter some php code into a text box - such as...
<?php showme($record); ?>
...it would actually render as...
<!--?php showme($record); ?-->
Which makes it useless!
I assume this is some form of safety mechanism to ensure malicious code is not injected into pages. However, there are times when the ability to enter code into a CMSB record directly would be most useful.
Is there any way we can achieve this? Could we not have a special "code" field type set up in the Section Editors? Anything entered into it would be handled/run as proper PHP code.
:o/
Perchpole
Re: [Perchpole] Entering PHP Code Directly into a Record
By Dave - April 11, 2011
It is possible, but usually a really bad idea for security and usability reasons.
What are you trying to accomplish? Maybe there's a better or simpler way.
interactivetools.com
Re: [Dave] Entering PHP Code Directly into a Record
By Perchpole - April 11, 2011
I like to build modular sites which my clients can run with even limited experience. CMSB is a great framework for this. However, it would be even better if (in certain situations) instead of inputting data to create a record, the client could simply switch an option on and off. That way, all I'd need to do is set up the code - whilst all the client would do is activate the option to invoke it.
The way things stand at the moment, in order to achieve this I am forced to set up quite lengthy if/elseif/else statements - each linked to countless included files - to pull in the bite-sized chunks of code I use to construct the different page elements.
Imagine, instead, if it were possible to set up a list in which the values were php includes. You could then prepare a list of options, each one set to pull in a different chunk of code.
The user could then change options on a per-record basis - everything from colours, to what appears in the margins to the entire page layout.
I think it would be an extremely flexible step forward.
:0)
Perch
Re: [Perchpole] Entering PHP Code Directly into a Record
By Dave - April 11, 2011
Well if you really want to do it, the way to run PHP code is like this:
<?php echo eval( $record['phpcode'] ); ?>
But I don't recommend that unless you absolutely trust everyone who has access to your CMS because you'll be giving them the ability to run any code on your server.
Another way would be to have a list of include files and then include them like this:
if ($record['includeFile1']) { include "/includes/" .$record['includeFile1']. ".php"; }
And then you could add a security check to make sure it only contained letters or was in a list of pre-approved files.
So there's a few options. Hope that helps!
interactivetools.com
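The include-file option from the reply above, with both of the checks it mentions applied together, as an added example (not part of the original thread and not CMSB's own code). The allowlist entries, the includes directory and the sample record are assumptions; the character check here also accepts digits and underscores.

```php
<?php
// Added example: names, paths and the sample record are assumptions, not CMSB code.

// Pre-approved modules: option value stored in the record => file on disk.
const APPROVED_INCLUDES = [
    'sidebar_news'  => 'sidebar_news.php',
    'sidebar_links' => 'sidebar_links.php',
    'layout_wide'   => 'layout_wide.php',
];

/**
 * Map a record value to an include path, or return null if it is not approved.
 */
function resolveInclude($value, string $baseDir): ?string
{
    // 1. Only plain strings made of letters, digits and underscores.
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value)) {
        return null;
    }
    // 2. Must be a key in the pre-approved list; the filename comes from
    //    the list, never from the record.
    if (!array_key_exists($value, APPROVED_INCLUDES)) {
        return null;
    }
    // 3. The file must exist and resolve inside the includes directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . APPROVED_INCLUDES[$value]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample record, standing in for a row loaded from the CMS.
$record = ['includeFile1' => 'sidebar_news', 'includeFile2' => '../settings'];

foreach (['includeFile1', 'includeFile2'] as $field) {
    $path = resolveInclude($record[$field] ?? null, __DIR__ . '/includes');
    if ($path !== null) {
        include $path;   // only reached for an approved, existing file
    } else {
        error_log("Rejected include value in field $field");
    }
}
```

Because the filename is taken from the list and the record only selects a key, a CMS user can switch between prepared modules but cannot point the include at any other file.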
Re: [Dave] Entering PHP Code Directly into a Record
By Perchpole - April 11, 2011
And understood. I'll explore a lot further before I go live with this.
:0)
Perch