Possibility of storing ASP Classic code as a string in MYSQL database [duplicate]
Is it possible to store asp classic code into a MYSQL database and have it execute the code when it's pulled? Such as store a variable name into a string and have it execute the ASP before displaying it? I suspect it is either impossible, since the MYSQL request runs after the page is loaded and so the return data will not be executed and will just be the variable name. The other thing is it could be an HTML encoding thing where it might be possible to encode it after you pass it to the MYSQL Server, but so far it just reads the variable name. Any ideas on this, is this impossible, or am I derping the encoding somehow?
I have tried using the encoding method like this using a Chr replace function that works elsewhere, but the use of the function is like this: NEWSTRING = Server.HtmlEncode(OLDSTRING)
With or without the encoding attempt the results just display the ASP Classic code like this: MESSAGE TO USER <%=Session("var_FOO")%>
Although the Encode doesn't seem to change the string displayed to the screen, the log result shows the encoding attempt, it doesn't put the data in, but converts the character types sort of like this: "var_Foo"
I may be barking up the wrong tree with the encoding but if you have a hammer you can try smacking some screws until they go in.
This feature has a pin tack in for me at the moment, as a much more simple way is to just store the string in the database as I have been and just add the variables to the string after it's pulled instead of putting them into the database. Granted this means the user can't control the error messages with variables tied to it, but meh I think I can live with that.
Solution 1:[1]
Yes, it's possible. Classic ASP offers Eval, Execute, and ExecuteGlobal methods, to which you can pass a text string containing source code.
It's dangerous on a public-facing web site to do this; a cybercreep can, if he figures out how to write arbitrary code into your database table, destroy, corrupt, or hijack your app. You're not paranoid: highly motivated strangers are actually plotting against you and looking for sites that work this way. Be careful.
Eval(codeText) runs an expression and returns the result. ExecuteGlobal(codeText) runs it as if it were in the top-level context. Execute(codeText) runs it in the context (the subroutine or function) where you invoke it.
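An alternative to passing database text to Eval or Execute, added here as an example and not part of the answer above: treat the stored message as data and fill {{name}} tokens from an allowlist of variables. The function name RenderMessage, the {{name}} token syntax and the sample string are assumptions made for illustration.

```vbscript
<%
Option Explicit

' Added example, not code from the original question or answer.
' Fills {{name}} tokens in a database-stored template from an allowlist.
' The template is handled as data only: nothing reaches Eval, Execute
' or ExecuteGlobal, so text written into the table cannot run as code.
Function RenderMessage(template, allowedVars)
    Dim re, matches, m, name, result, lastPos
    Set re = New RegExp
    re.Pattern = "\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}"
    re.Global = True

    result = ""
    lastPos = 1
    ' RegExp.Execute only searches the string; it is not the Execute statement.
    Set matches = re.Execute(template)
    For Each m In matches
        ' Literal text between tokens is encoded too, because the
        ' template itself is user-editable.
        result = result & Server.HTMLEncode(Mid(template, lastPos, m.FirstIndex + 1 - lastPos))
        name = m.SubMatches(0)
        If allowedVars.Exists(name) Then
            ' "" & x turns Empty or Null into an empty string before encoding.
            result = result & Server.HTMLEncode("" & allowedVars(name))
        End If
        ' Tokens that are not on the allowlist are dropped, never evaluated.
        lastPos = m.FirstIndex + m.Length + 1
    Next
    RenderMessage = result & Server.HTMLEncode(Mid(template, lastPos))
End Function

' Allowlist: the only values a stored message may reference.
Dim allowed
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.Add "var_FOO", Session("var_FOO")

' Constructed sample; in practice this string comes from the MySQL row.
Dim stored
stored = "MESSAGE TO USER {{var_FOO}} <b>{{var_BAR}}</b>"

' var_FOO is substituted, var_BAR is dropped, and <b> is output as &lt;b&gt;.
Response.Write RenderMessage(stored, allowed)
%>
```

This keeps user-editable messages with variables while limiting what a modified database row can do to choosing among the allowlisted values.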
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | O. Jones |
