如何在 MySQL 表中存储可执行的 PHP 代码？ [关闭]

我有一个博客，我将帖子存储在 MySQL 表中。我希望帖子是动态的，特别是，我希望帖子接受电子邮件地址作为用户输入，并在提交后检查该电子邮件地址是否在我的订阅者列表中，该列表也已存储在 MySQL 表中。

我创建了一个不存在于 MySQL 中的页面，它具有我想要的所有功能：工作的非 MySQL 页面，其代码是 (1)：

<?php $str_include ='include \'includes/Ifrit.php\';'; $str_post_email = 'if (isset($_POST[\'ifrit_email\'])) { echo \' value="\'.$_POST[\'ifrit_email\'].\'"\'; }'; eval($str_include);?><div><img src='https://www.ocetacea.net/pjamesnorris/img/Bat-Signal.gif' alt='Michael Keaton reacting to the Bat-Signal' height='100' style='float:left; margin:10px;'>As I wrote in my email regarding this blog posting, I am desperately asking all willing subscribers to give me notes on a 3,300 word short story entitled "The Ifrit". It's currently a Semi-Finalist in the <a href='https://screencraft.org/blog/2023-screencraft-cinematic-short-story-competition-semifinalists/' target='_blank' style='color:white; text-decoration:none;'>Screencraft Cinematic Short Story Competition</a> and I'd like <i>very</i> much like to see it advance to the Finals.</div><p>And then win the competition, of course! 😇<p>I hope "The Ifrit" will be my first SFWA qualifying story, so I can't post it because most SFWA magazines won't accept previously "published" stories, or, if they do, they don't pay SFWA-qualifiying rates.</p><p>But what I can do is email it to you if you are a subscriber, enter your email address and click on "submit".<div style='text-align:center;'><form name="ifrit" action="" method="post" ><input name="ifrit_email" type="email" placeholder="email" style="font-family:Bradley Hand !important;" <?php eval($str_post_email); ?>><br /><input name="submit" type="submit" value="submit"></form></div>

（我很抱歉这不是很好的格式，但我为我的博客自制的 CMS 无法处理 CR/LF 或标签。）

其中

Ifrit.php

是（2）：

<?php

if (isset($_POST)) 
{   
    if (isset($_POST['ifrit_email']))
    { 
        $str_email = filter_var($_POST['ifrit_email'], FILTER_SANITIZE_EMAIL); 
        if (filter_var($str_email, FILTER_VALIDATE_EMAIL)) 
        { 
            $query_subscriber = 'select Name_First, Name_Last from Recipient where email=?'; 
            $stmnt_subscriber = mysqli_prepare($icnt_db, $query_subscriber);
            $rsc_subscriber = mysqli_stmt_bind_param($stmnt_subscriber, 's', $str_email);
            mysqli_stmt_execute($stmnt_subscriber);
            if (mysqli_num_rows($rsc_subscriber) == 1) 
            { 
                $row_subscriber = mysqli_fetch_assoc($rsc_subscriber); 

                $str_subject = 'Thanks for giving me notes on "The Ifrit"!';
                
                $str_body = $row_subscriber['Name_First'].',<br /><br />Thanks for giving me notes on "The Ifrit"!<p>You can download the MS Word version <a href="https://www.ocetacea.net/pjamesnorris/downloads/The Ifrit - 3300 words.docx">here</a> and the pdf version <a href="https://www.ocetacea.net/pjamesnorris/downloads/The Ifrit - 3300 words.pdf" target="_blank">here</a>.</p><p>I really cannot tell you how much I appreciate your notes!</p>Have a care,<br />P James Norris<br />homepage: <a href="https://www.ocetacea.net/pjamesnorris/">www.ocetacea.net/pjamesnorris/</a><br />linkedin: <a href="https://www.linkedin.com/in/pjamesnorris">www.linkedin.com/in/pjamesnorris</a><br /><br />Perhaps we are the first to talk and think and build and aspire, but we may not be the last. Others may follow us in this adventure... We owe it to that possible future to let their potential survive.<br />-David Brin\'';


                email(
                    $str_email, 
                    $row_subscriber['Name_First'], 
                    $row_subscriber['Name_Last'], 
                    $str_subject, 
                    $str_body, 
                    NULL, 
                    NULL
                );  
            } // if (mysqli_num_rows($rsc_subscriber) == 1)
            else 
            { 
                echo '<script>alert("Sorry, but in order to keep some sort of control over \"The Ifrit\", I\'m only allowing subscribers to download the story. If you want to give me notes--and I REALLY want you to!--please subscribe to my blog.");</script>';  
            } // if (mysqli_num_rows($rsc_subscriber) == 1) else
        } // if (filter_var($str_email, FILTER_VALIDATE_EMAIL)) 
        else 
        { 
            echo '<script>alert("It looks like the email you submitted is invalid. Is there, perhaps, a typo?");</script>'; 
        } // if (filter_var($str_email, FILTER_VALIDATE_EMAIL)) else
    } // if (isset($_POST['email']))
} // if (isset($_POST))

?>

如您所见，它执行以下操作：

1. 如果用户输入格式不正确的电子邮件地址，浏览器会告诉她/他已经这样做了（通过

   type="email"

   ）。
2. 但是对于那些不支持

   type="email"

   的浏览器，

   Ifrit.php

   检查格式错误的电子邮件地址并抛出一个 javascript

   alert()

   告诉用户他/她提交的电子邮件地址格式错误。
3. 如果浏览器不支持

   type="email"

   ，用户提交的电子邮件地址会在电子邮件输入字段中回显via PHP，这样用户就可以看到他/她格式不正确的电子邮件地址，而不必问他/她自己，“我输入的内容 有什么问题？”

我的问题是，当我使用以下方法将 (1) 存储在我的 MySQL 表中时：

$query_update = 'update Blog set'
    .' date="'.htmlspecialchars($_POST['date'], ENT_QUOTES).'",'
    .' title="'.htmlspecialchars($_POST['title'], ENT_QUOTES).'",'
    .' summary="'.$str_summary.'",'
    .' entry=?,'
    .' keyword="'.htmlspecialchars($_POST['keyword'], ENT_QUOTES).'"'
    .' where _id='.((isset($_GET['_id'])) ? $_GET['_id'] : $_POST['_id']);
$stmnt_update = mysqli_prepare($icnt_db, $query_update);
mysqli_stmt_bind_param($stmnt_update, 's', $str_entry);
mysqli_stmt_execute($stmnt_update);

地点：

$str_entry = <?php $str_include ='include 'includes/Ifrit.php';'; $str_post_email = 'if (isset($_POST['ifrit_email'])) { echo ' value="'.$_POST['ifrit_email'].'"'; }'; eval($str_include);
?><div><img src='https://www.ocetacea.net/pjamesnorris/img/Bat-Signal.gif' alt='Michael Keaton reacting to the Bat-Signal' height='100' style='float:left; margin:10px;'>As I wrote in my email regarding this blog posting, I am desperately asking all willing subscribers to give me notes on a 3,300 word short story entitled "The Ifrit". It's currently a Semi-Finalist in the <a href='https://screencraft.org/blog/2023-screencraft-cinematic-short-story-competition-semifinalists/' target='_blank' style='color:white; text-decoration:none;'>Screencraft Cinematic Short Story Competition</a> and I'd like <i>very</i> much like to see it advance to the Finals.</div><p>And then win the competition, of course! 😇<p>I hope "The Ifrit" will be my first SFWA qualifying story, so I can't post it because most SFWA magazines won't accept previously "published" stories, or, if they do, they don't pay SFWA-qualifiying rates.</p><p>But what I can do is email it to you if you are a subscriber, enter your email address and click on "submit".<div style='text-align:center;'><form name="ifrit" action="" method="post" ><input name="ifrit_email" type="email" placeholder="email" style="font-family:Bradley Hand !important;" <?php eval($str_post_email); ?>><br /><input name="submit" type="submit" value="submit"></form></div>

为@ADyson添加

=====

与(1)相呼应的PHP是：

echo str_repeat('   ',   $int_indent).htmlspecialchars_decode($row_blog['entry'], ENT_QUOTES)."\n";

====

这两个

eval()

似乎无法正常工作，您可以通过转到 非功能性博客条目 看到。如果您查看页面源代码，您会看到第一个

eval()

是灰色的，而第二个

eval()

不是，它不能正常工作，即，它不会

echo

用户不当形成的电子邮件地址。

明确地说，我的问题是：如何在我的 MySQL 表中包含 PHP 代码，以便在呈现此博客文章时执行 PHP？

如果你想告诉我使用

eval()

是邪恶的，很好，但是请：

一个。详细解释为什么就我而言是这样，并且

乙。请给出详细，可操作关于如何避免使用它的建议就我而言.

如果以上任何内容不清楚，请单击提供的两个超链接，查看这两个页面的源代码，我认为这将非常清楚我想要实现的目标以及无法按我希望的方式工作的目标.

任何帮助将不胜感激！