Welcome Guest, Not a member yet? Register   Sign In
Secure templates?
#1

[eluser]Unknown[/eluser]
Hi there,

I'm new to CodeIgniter and noticed that the templates include php code, which is great, since they work faster and make it easier to deal with them.

But, is it possible to somehow restrict the functionality of the php that is run on a template?

I hire artists to do the interface work in my projects, and I give them access to the templates directory so they can upload files and test them easily. But if those templates are php templates then they could also execute code that could compromise the security (or even steal the data, or the sources). I guess the simplest solution is to use a template engine, but I love the fact that the template can include php code, is just I'd like it to be restricted to certain functions only. I'm not sure if thats possible at all, and in case its not, which kind of security measures do you take?

Thanks in advance
#2

[eluser]InsiteFX[/eluser]
Hi,

You could use an auth system and check to see if they are a tester etc.

You would check this in your controller.

This way you could still just past the $data array to your view and in your view still allow php code but you would be controlling the code from your controller.

Enjoy
InsiteFX
#3

[eluser]Unknown[/eluser]
Thanks for your reply!

Unfortunatelly I dont understand how can this prevent the templates from using functions I dont want them to use, ie. file()
#4

[eluser]InsiteFX[/eluser]
The auth library will allow you to restict access to parts of your controller.

A good Auth library will have either roles or groups which you can assign users to.

Example:

Role - Admin
Role - Editor
Role - Designer

Then you would wrap your code around these roles.

As above the designer can not access any parts that are allowed for Editor and Admin.

Here is a good one:

http://programmersvoice.com/codeigniter/...rary-1-0-6

Enjoy
InsiteFX
#5

[eluser]Phil Sturgeon[/eluser]
There is no way to filter what PHP somebody can use... well... REALLY really f**king difficult.

Code:
file();
// same as
{'fi' . 'le'}();
// same as
$foo = 'lE';
$bar = 'FI';
{strtolower($bar . $foo)}();

See what I'm getting at?




Theme © iAndrew 2016 - Forum software by © MyBB