Can I restrict the type of php functions and variables usable in a view?
#1

[eluser]doors[/eluser]
I am creating a web application where users will be able to add their own template to the website.

For security purposes I wouldn't want them to be able to use certain php functions and variables. Can I restrict this?
#2

[eluser]Michael Wales[/eluser]
I wouldn't let them use any PHP at all. I would have them use a templating language (CI has one built-in) and then parse their input.

There are just too many security holes if you let them use PHP. You will never block them from everything (and, depending on your target audience, you're likely to find your users are more comfortable with the template language than with PHP).
#3

[eluser]doors[/eluser]
Thanks for your response.

I thought CI had no templating engine. Is it similar to smarty?

How functional is it in terms of what can it do?
#4

[eluser]doors[/eluser]
Another question is how do I disable php within the view files?
#5

[eluser]doors[/eluser]
Is there an addon for smarty?
#6

[eluser]Developer13[/eluser]
Is this an application that you will host centrally and give users the ability to modify their templates or is this something you are going to distribute and let the users have? If you are going to distribute it, I don't know that I would disallow PHP from being used in the view files... but I certainly would if you are going to host it centrally.
#7

[eluser]Michael Wales[/eluser]
Quote:Another question is how I do disable php within the view files?

It depends on your application - I am assuming you are providing a form in which users will enter their template, submit the form, and it is saved to your server in some manner (either a database or as a view file). If this is the case, strip_tags() is a great place to start.

Quote:I thought CI had no templating engine. Is it similar to smarty?
The template parser documentation.

Search the forums/wiki for Smarty implementation - I would be amazed if this has not been addressed before.
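As an added illustration of the approach recommended above (not code from the thread or from CodeIgniter's own parser): a centrally hosted app can refuse any submitted template that contains a PHP open tag, and then render the template with a simple placeholder substitution that never hands the text to the PHP interpreter. The `{name}` placeholder syntax, the two function names and the sample templates are assumptions for this example.

```php
<?php
// Added example, not from the thread or CodeIgniter. User templates are
// stored as data and rendered by substitution; they are never include()d
// or eval()ed, so PHP inside them has no path to execution.

function containsPhpTag(string $template): bool
{
    // Any "<?" covers <?php, <?= and short open tags. strip_tags() would
    // also remove these, but it strips the user's HTML as well, so an
    // explicit reject-and-report check is friendlier to template authors.
    if (strpos($template, '<?') !== false) {
        return true;
    }
    // PHP versions before 7.0 also accepted <script language="php">.
    return preg_match('/<script\b[^>]*language\s*=\s*["\']?php/i', $template) === 1;
}

function renderTemplate(string $template, array $vars): string
{
    // Replace {name} placeholders (assumed syntax) with HTML-escaped values.
    // Unknown placeholders are left as-is; nothing in the template is evaluated.
    return preg_replace_callback('/\{([A-Za-z_][A-Za-z0-9_]*)\}/', function ($m) use ($vars) {
        if (!array_key_exists($m[1], $vars)) {
            return $m[0];
        }
        return htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $template);
}

// Constructed sample templates: one clean, one smuggling a PHP block.
$submitted = [
    '<h1>{title}</h1><p>Hello {user}</p>',
    '<h1>{title}</h1><?php phpinfo(); ?>',
];

foreach ($submitted as $tpl) {
    if (containsPhpTag($tpl)) {
        echo "rejected: template contains PHP code\n";
        continue;
    }
    echo renderTemplate($tpl, ['title' => 'My <b>site</b>', 'user' => 'doors']) . "\n";
}
```

Because the values are escaped at substitution time, a template author also cannot use a placeholder to inject markup supplied through the variables.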
#8

[eluser]doors[/eluser]
[quote author="Developer13" date="1200363498"]Is this an application that you will host centrally and give users the ability to modify their templates or is this something you are going to distribute and let the users have? If you are going to distribute it, I don't know that I would disallow PHP from being used in the view files... but I certainly would if you are going to host it centrally.[/quote]


I will be hosting the application centrally and users will be able to provide templates to modify the design of the site.