deactivate PHP in views
[eluser]Olivier69[/eluser]
Hello, I develop a CMS and I need to open it to other people. For security reasons, I would like to allow only HTML in views. So I changed the views extension from .php to .html, but PHP code is still interpreted. Is there any way to change this situation? Thanks for the help.
[eluser]patwork[/eluser]
Try http://www.electrictoolbox.com/disable-p...-htaccess/
[eluser]Olivier69[/eluser]
Hello, thanks for the help. I put a .htaccess file in the /application/views/ directory:
Code:
RemoveHandler .php .phtml .php3
Any other way?
[eluser]patwork[/eluser]
Well, maybe it's not that easy. Views are loaded and executed in the Loader class (system/core).
Code:
/**
Here's the interesting part:
Code:
if ((bool) @ini_get('short_open_tag') === FALSE AND config_item('rewrite_short_tags') == TRUE)
I'm afraid you'll need to change this, so views are not executed automatically. Remove 'eval' and change the line with include to:
Code:
echo file_get_contents($_ci_path);
[eluser]Olivier69[/eluser]
Hello, I also tried this, sorry, I should have specified. No result, PHP is still interpreted. And I'm surprised that this doesn't deactivate PHP. Eval() is here to do it and my views are view.html. I really don't understand how to do this and I thought CI gives this possibility. There are lots of cases where it's dangerous to leave active PHP in views! If someone knows about it ;-) Thanks a lot
[eluser]patwork[/eluser]
Are you sure? I've just tested it and it's working for me.
#1 install a clean CI installation
#2 insert some <?php echo "im so dangerous"; ?> into application/views/welcome_message.php
#3 change include($_ci_path); to echo file_get_contents($_ci_path); in system/code/Loader.php
#4 run
... PROFIT
You'll get all the PHP source code in your browser.
[eluser]Olivier69[/eluser]
OK, super, it works! Sorry, I did something wrong. Now I put _ci_load() in a /application/core/My_loader.php file and everything is right. I have to find a solution to initialise MY method _ci_load() only when we are on the front, not in the manager where we need PHP in views. I'll try to find a solution; if somebody has one, you can help me. If I find one by myself, I will publish it here. Thanks a lot for your help ;-)
[eluser]Olivier69[/eluser]
OK, I found a simple solution not to deactivate PHP in the back office of the CMS. I just check in /application/core/MY_Loader.php if the view path is 'manager' or not:
Code:
if(strrpos($_ci_path, 'views/'.$this->config->item('backend')) !== false)
Thanks for the help, really.
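An added example, not part of the thread and not CodeIgniter's own code: a stand-alone PHP version of the rule reached above (execute views only under the back-office directory, return every other view as text). It goes one step beyond the posted check by comparing resolved directory prefixes instead of a substring; `render_view`, the `manager` and `manager_themes` directories and the sample files are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: names and paths are hypothetical, not CodeIgniter API.

/**
 * Return a view's output. Only files inside $viewsRoot/$backendDir are
 * executed as PHP; every other view is returned as inert text.
 */
function render_view(string $path, string $viewsRoot, string $backendDir): string
{
    $real = realpath($path);
    $root = realpath($viewsRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('view not found');
    }
    $root .= DIRECTORY_SEPARATOR;
    // Reject anything that resolves outside the views directory (../, symlinks).
    if (strncmp($real, $root, strlen($root)) !== 0) {
        throw new RuntimeException('view outside views directory');
    }
    // The trailing separator makes "manager" match only that directory,
    // not a sibling such as "manager_themes".
    $backend = $root . $backendDir . DIRECTORY_SEPARATOR;
    if (strncmp($real, $backend, strlen($backend)) === 0) {
        ob_start();
        include $real;               // trusted back-office view: PHP runs
        return ob_get_clean();
    }
    return file_get_contents($real); // front view: PHP tags stay as text
}

// Constructed sample tree in a temp directory.
$views = sys_get_temp_dir() . '/views_demo_' . getmypid();
mkdir("$views/manager", 0700, true);
mkdir("$views/manager_themes", 0700, true);
$tpl = '<p><?php echo 1 + 1; ?></p>';
file_put_contents("$views/manager/dash.php", $tpl);
file_put_contents("$views/manager_themes/home.html", $tpl);

// Back-office view: the PHP tag is evaluated.
echo render_view("$views/manager/dash.php", $views, 'manager'), "\n";
// Front view in a look-alike directory: the PHP tag is returned unexecuted.
echo render_view("$views/manager_themes/home.html", $views, 'manager'), "\n";
```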