deactivate PHP in views - CodeIgniter Forums (https://forum.codeigniter.com), Archived Development & Programming
deactivate PHP in views - El Forum - 04-11-2011

[eluser]Olivier69[/eluser]
Hello,
I develop a CMS and I need to open it to other people. For security reasons, I would like to allow only HTML in views. So I changed the views' extension from .php to .html, but PHP code is still interpreted. Is there any way to change this situation?
Thanks for help.

deactivate PHP in views - El Forum - 04-12-2011

[eluser]patwork[/eluser]
Try http://www.electrictoolbox.com/disable-php-apache-htaccess/

deactivate PHP in views - El Forum - 04-12-2011

[eluser]Olivier69[/eluser]
Hello,
Thanks for help. I put a .htaccess file in the /application/views/ directory:
Code:
RemoveHandler .php .phtml .php3
Any other way?

deactivate PHP in views - El Forum - 04-12-2011

[eluser]patwork[/eluser]
Well, maybe it's not that easy. Views are loaded and executed in Loader class (system/core).
Code:
/**
Here's the interesting part:
Code:
if ((bool) @ini_get('short_open_tag') === FALSE AND config_item('rewrite_short_tags') == TRUE)
I'm afraid you'll need to change this, so views are not executed automatically. Remove 'eval' and change the line with include to:
Code:
echo file_get_contents($_ci_path);

deactivate PHP in views - El Forum - 04-12-2011

[eluser]Olivier69[/eluser]
Hello,
I also tried this, sorry, I should have specified. No result, PHP is still interpreted. And I'm surprised that this doesn't deactivate PHP. Eval() is here to do it and my views are view.html.
I really don't understand how to do this and I thought CI gives this possibility. There are lots of cases where it's dangerous to leave active PHP in views!
If someone knows about it ;-)
Thanks a lot

deactivate PHP in views - El Forum - 04-12-2011

[eluser]patwork[/eluser]
Are you sure? I've just tested it and it's working for me.
#1 install a clean CI installation
#2 insert some <?php echo "im so dangerous"; ?> into application/views/welcome_message.php
#3 change include($_ci_path); to echo file_get_contents($_ci_path); in system/core/Loader.php
#4 run
...
PROFIT
You'll get all PHP source code in your browser.

deactivate PHP in views - El Forum - 04-12-2011

[eluser]Olivier69[/eluser]
OK, super, it works! Sorry, I did something wrong.
Now, I put _ci_load() in a /application/core/My_loader.php file and everything is right. I have to find a solution to initialise MY method _ci_load() only when we are on the front, not in the manager where we need PHP in views. I'll try to find a solution; if somebody has one, you can help me. If I find one by myself, I will publish it here.
Thanks a lot for your help ;-)

deactivate PHP in views - El Forum - 04-12-2011

[eluser]Olivier69[/eluser]
OK, I found a simple solution not to deactivate PHP in the back office of the CMS. I just check in /application/core/MY_Loader.php if the view path is 'manager' or not:
Code:
if(strrpos($_ci_path, 'views/'.$this->config->item('backend')) !== false)
Thanks for help, really.
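
The approach the thread arrives at (execute back-office views, read front views as data), as a stand-alone added example that is not part of the original posts and is not CodeIgniter's Loader code. `render_view()`, `$views_root` and `$backend_dir` are hypothetical names and the sample views are constructed. It goes beyond the thread in two ways: the trust check is anchored to the resolved back-office directory rather than matching a substring of the path, and PHP tags in front views are escaped, where the thread echoes the file unchanged.

```php
<?php
// Added example: stand-alone sketch, not CodeIgniter's Loader code.
// render_view(), $views_root and $backend_dir are hypothetical names.

function render_view($views_root, $backend_dir, $view, array $vars = array())
{
    $root = realpath($views_root);
    $path = realpath($views_root . '/' . $view);
    // The view must exist and resolve to a file inside the views directory.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Unable to load view: $view");
    }

    // Trusted only when the resolved path starts with the back-office
    // directory; a substring match anywhere in the path is looser.
    $trusted = $root . DIRECTORY_SEPARATOR . $backend_dir . DIRECTORY_SEPARATOR;
    if (strpos($path, $trusted) === 0) {
        extract($vars, EXTR_SKIP);   // EXTR_SKIP keeps $path and $root intact
        ob_start();
        include $path;               // back office: PHP is executed
        return ob_get_clean();
    }

    // Front views: read the file as data, never execute it.
    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("Unable to read view: $view");
    }
    // Assumption of this example: escape PHP tags so the template author's
    // code is displayed as text rather than sent to the browser as markup.
    return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $source);
}

// Constructed sample views in a temporary directory.
$root = sys_get_temp_dir() . '/views_demo_' . uniqid();
mkdir("$root/manager", 0700, true);
mkdir("$root/front/manager", 0700, true);
$tpl = '<p><?php echo strtoupper($name); ?></p>';
file_put_contents("$root/manager/home.php", $tpl);
file_put_contents("$root/front/manager/home.html", $tpl);

// Back-office view: the PHP in the template runs.
echo render_view($root, 'manager', 'manager/home.php', array('name' => 'admin')), "\n";
// Front view whose path also contains the back-office name: not executed.
echo render_view($root, 'manager', 'front/manager/home.html', array('name' => 'guest')), "\n";
```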