
I've got a database full of text fields, all of which contain WITHIN them the characters $myvariable. When I retrieve such a text field and save it as a PHP variable, say as $myDBtext, I can definitely echo it, but I'm having a really hard time echoing the variable WITHIN it (I've got $myvariable's value already set). That is, I can't display the value of $myvariable. It just writes $myvariable but not its value... How can I display $myvariable's value?

<?php echo $myDBtext;?> 

just displays the entire text, writing $myvariable but not its value.

<?php echo "<?php echo '".$myDBtext."' ?>";?>

doesn't display anything.

RiggsFolly
  • It sounds like you're storing text which you want to be treated as executable PHP code (i.e. so the variables would be interpolated, their values presumably being taken from a variable of the same name already declared elsewhere in the script into which this data is loaded), is that correct? You _could_ in theory do it with [eval()](https://www.php.net/manual/en/function.eval.php) but that's a really, really, really bad idea for your application's security and no-one with any sense will recommend it. – ADyson Jan 11 '23 at 11:53
  • Is there any specific reason you're doing it this way? It would probably be better to use an established templating engine. – ADyson Jan 11 '23 at 11:54
  • @ADyson you're absolutely correct. Is there any alternative to eval() you might think of? I already have this database set, and changing it would require quite a lot of work. So obviously it'd be best to use the table I've already got. If I'm not changing the database AT ALL and don't insert there anything affected by user input (not inserting there anything at all actually), is it still dangerous? Thank you so much for helping me. – Daniel F Jan 11 '23 at 12:05
  • Like I said above, it would make more sense to use an established templating engine. But if you can 100% guarantee that the values stored in the database which you're executing never include anything you didn't write yourself, then you could say it was safe. But then if you were going to do that, you could probably just hard-code it all as PHP functions anyway. – ADyson Jan 11 '23 at 12:08

0 Answers
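
One way to fill in `$myvariable` without `eval()` and without changing the stored rows, as an added example (not code from the question or its comments): treat the database text as data and substitute only names from an explicit allowlist. The function name `render_stored_text`, the `$secret` token and the sample text are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Replace $name tokens in stored text with values from an explicit allowlist.
 * The stored text is only ever handled as a string; nothing in it is executed.
 */
function render_stored_text(string $text, array $allowed): string
{
    $out = preg_replace_callback(
        // A PHP-style variable token: "$" followed by an identifier.
        '/\$([A-Za-z_][A-Za-z0-9_]*)/',
        static function (array $m) use ($allowed): string {
            // Names that are not allowlisted stay as literal text. They are
            // never resolved from the calling scope or from $GLOBALS.
            if (!array_key_exists($m[1], $allowed)) {
                return $m[0];
            }
            // Escape the substituted value, since the result is echoed into HTML.
            // The surrounding stored text is passed through unchanged.
            return htmlspecialchars((string) $allowed[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $text
    );

    // preg_replace_callback() returns null on a PCRE error; fall back to the
    // unmodified text instead of emitting nothing.
    return $out ?? $text;
}

// Constructed sample standing in for a row fetched from the database.
// Single quotes keep PHP from interpolating it here, as with real DB data.
$myDBtext   = 'Hello $myvariable, token $secret stays literal. <?php echo 1; ?>';
$myvariable = 'Daniel & co';

echo render_stored_text($myDBtext, ['myvariable' => $myvariable]), PHP_EOL;
```

Because the stored text is never parsed as PHP, a row that later gains unexpected content can at worst display odd text; it cannot run code or read variables that were not passed in.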