RE: [PHP-DB] Generating forms and form elements
|
|
| Bastien Koert 2006-06-24, 8:01 am |
|
eval$code);
bastien
>From: Mark Fellowes <Zanoni@goowy.com>
>Reply-To: Mark Fellowes <Zanoni@goowy.com>
>To: php-db@lists.php.net
>Subject: [PHP-DB] Generating forms and form elements
>Date: Tue, 20 Jun 2006 15:37:10 GMT
>
>Hi, Hitting up the list for maybe a decent link(s) or pointers.
>I need to figure out how to generate forms and form elements from php code
>inside database tables. Hope this makes sense. It's not a complete picture
>of what I need to do but the first step I'll need to take.
>
>TIA
>Mark
| |
| Bastien Koert 2006-06-24, 8:01 am |
| whoops
eval ($code);
Bastien
>From: "Bastien Koert" <bastien_k@hotmail.com>
>To: Zanoni@goowy.com, php-db@lists.php.net
>Subject: RE: [PHP-DB] Generating forms and form elements
>Date: Tue, 20 Jun 2006 16:44:22 -0400
>
>
>eval$code);
>
>bastien
>
>
>--
>PHP Database Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php
>
| |
|
| Bastien Koert wrote:
> whoops
>
> eval ($code);
Someone relatively famous[1] once said "If eval is the answer then
you're asking the wrong question."
The eval function is dangerous. Extremely dangerous. From every point of
view there is. If there's another way to do what you're doing (and there
almost always is), do that instead. In this case a description of the
form would be a better thing to store in the DB rather than the code to
generate it.
-Stut
[1] Rasmus, a while back, can't recall when, but it stuck in my mind
> Bastien
>
>
>
| |
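Storing a description of the form rather than the code that generates it, as the reply above suggests, could look like the following. This is an added example, not code from the thread; the JSON layout, the `forms.description` column and the `renderForm` and `h` names are assumptions made for illustration.

```php
<?php
// Constructed sample: JSON as it might sit in a hypothetical `forms.description` column.
$storedDescription = <<<'JSON'
{
  "action": "/contact.php", "method": "post",
  "fields": [
    {"type": "text",   "name": "full_name", "label": "Name"},
    {"type": "email",  "name": "email",     "label": "E-mail"},
    {"type": "select", "name": "topic",     "label": "Topic",
     "options": {"sales": "Sales", "support": "Support <24h>"}}
  ]
}
JSON;

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderForm(string $json): string
{
    $form = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($form)) {
        throw new InvalidArgumentException('Form description must be a JSON object');
    }
    $method = strtolower((string) ($form['method'] ?? 'post')) === 'get' ? 'get' : 'post';
    $out = '<form action="' . h((string) ($form['action'] ?? '')) . '" method="' . $method . "\">\n";
    foreach ($form['fields'] ?? [] as $f) {
        [$type, $name] = [$f['type'] ?? '', $f['name'] ?? ''];
        // Allowlist: unknown element types or odd names are rejected, never emitted.
        if (!in_array($type, ['text', 'email', 'select'], true)
            || !is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*\z/', $name)) {
            throw new InvalidArgumentException('Unsupported field in form description');
        }
        $out .= '<label>' . h((string) ($f['label'] ?? $name)) . ' ';
        if ($type === 'select') {
            $out .= '<select name="' . $name . '">';
            foreach ($f['options'] ?? [] as $value => $text) {
                $out .= '<option value="' . h((string) $value) . '">' . h((string) $text) . '</option>';
            }
            $out .= '</select>';
        } else {
            $out .= '<input type="' . $type . '" name="' . $name . '">';
        }
        $out .= "</label>\n";
    }
    return $out . "</form>\n";
}
echo renderForm($storedDescription);
```

With this layout a database row can only select among the element types the renderer knows; markup in a label or option is escaped to text, and a row with an unknown `type` is refused instead of rendered.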
| Bastien Koert 2006-06-24, 8:01 am |
|
Not commenting on the appropriateness or security of the eval function.
Merely offering a possible path. It is up to the OP to decide if that
solution is the correct one.
B
>From: Stut <stuttle@gmail.com>
>To: Bastien Koert <bastien_k@hotmail.com>
>CC: Zanoni@goowy.com, php-db@lists.php.net
>Subject: Re: [PHP-DB] Generating forms and form elements
>Date: Tue, 20 Jun 2006 22:09:06 +0100
>
>Bastien Koert wrote:
>
>Someone relatively famous[1] once said "If eval is the answer then you're
>asking the wrong question."
>
>The eval function is dangerous. Extremely dangerous. From every point of
>view there is. If there's another way to do what you're doing (and there
>almost always is), do that instead. In this case a description of the form
>would be a better thing to store in the DB rather than the code to generate
>it.
>
>-Stut
>
>[1] Rasmus, a while back, can't recall when, but it stuck in my mind
>
| |
|
| Bastien Koert wrote:
> Not commenting on the appropriateness or security of the eval function.
> Merely offering a possible path. It is up to the OP to decide if that
> solution is the correct one.
I would accept that if you'd mentioned, or at least hinted at, the issues
that need to be addressed when using eval. You didn't, so I thought it
needed to be pointed out. I think we, as a community, have a
responsibility to point out the potential security and stability
pitfalls of the possible solutions we provide. But that's just me.
-Stut
| |
|
| Micah Stevens wrote:
> Stut wrote:
>
> Last time I handed someone a rope, I didn't tell them to not hang
> themselves. :)
Then you assumed they knew what a rope was and that it's generally a bad
idea to use it to suspend themselves in the air by their neck. Likewise
you assumed the OP knew that eval was dangerous.
-Stut
| |
| Micah Stevens 2006-06-24, 8:01 am |
| Stut wrote:
> Micah Stevens wrote:
>
> Then you assumed they knew what a rope was and that it's generally a
> bad idea to use it to suspend themselves in the air by their neck.
> Likewise you assumed the OP knew that eval was dangerous.
>
> -Stut
Exactly.