deactivate PHP in views

[eluser]Olivier69[/eluser]
Hello,

I develop a CMS and i need to open it to other people.

For security reasons, i would like to allow only HTML in views.

So i changed views extension from .php to .html, but PHP code is still interpreted.

Is there any way to change this situation ?

Thanks for help.

[eluser]patwork[/eluser]
Try http://www.electrictoolbox.com/disable-p...-htaccess/

[eluser]Olivier69[/eluser]
Hello,

Thank's for help.

I put a .htaccess file in the /application/views/ directory :

Code:

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

It doesn't work, PHP is not disabled.

Any other way ?

[eluser]patwork[/eluser]
Well, maybe it's not that easy. Views are loaded and executed in Loader class (system/core).

Code:

/**
* Loader
*
* This function is used to load views and files.
* Variables are prefixed with _ci_ to avoid symbol collision with
* variables made available to view files
*
* @access    private
* @param    array
* @return    void
*/
function _ci_load($_ci_data)

here's interesting part:

Code:

if ((bool) @ini_get('short_open_tag') === FALSE AND config_item('rewrite_short_tags') == TRUE)
{
    echo eval('?>'.preg_replace("/;*\s*\?>/", "; ?>", str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}
else
{
    include($_ci_path); // include() vs include_once() allows for multiple views with the same name
}

I'm afraid you'll need to change this, so views are not executed automatically. Remove 'eval' and change line with include to:

Code:

echo file_get_contents($_ci_path);

[eluser]Olivier69[/eluser]
Hello,

I also tryed this, sorry i should precise.

No result, PHP is still interpreted. And i'm suprised that this doesn't deactivate PHP.

Eval() is here to do it and my views are wiew.html

I really don't understand how to do this and i though CI gives this possibility. There are lots of cases where it's dangerous to live active PHP in views !

if someone knows about it ;-)

Thank's a lot

[eluser]patwork[/eluser]
Are you sure? I've just tested it and it's working for me.

#1 install clean CI instalation
#2 insert some <?php echo "im so dangerous"; ?> into application/views/welcome_message.php
#3 change include($_ci_path); to echo file_get_contents($_ci_path); in system/code/Loader.php
#4 run
...
PROFIT

You'll get all php source code in your browser.

[eluser]Olivier69[/eluser]
OK, super, it works !

sorry, i did something wrong.

Now, i put _ci_load() in a /application/core/My_loader.php file and everything is right.

I have to find a solution to initialise MY method _ci_load() only when we are on the front, not in the manager where we need PHP in views.

I'll try to find a solution, if somebody has, you can help me.

If i find one by myself, i will publish it here.

Thank's a lot for your help ;-)

[eluser]Olivier69[/eluser]
OK, i found a simple solution not to deactivate PHP in the back Office of the CMS.

I just check in /application/core/MY_Loader.php if the view path is 'manager' or not :

Code:

if(strrpos($_ci_path, 'views/'.$this->config->item('backend')) !== false)
{
     include($_ci_path); // include() vs include_once() allows for multiple views with the same name
}
else
{
     echo file_get_contents($_ci_path); // On désactive PHP dans les vues du Frontend
}

It's not very elegant but it works.

Thank's for help, really.