Welcome Guest, Not a member yet? Register   Sign In
template engine?
#1

Hi all,

I'm slowly going through the codeigniter manual. In the tutorial it states:

CodeIgniter does not require you to use this class since using pure PHP in your view pages lets them run a little faster. However, some developers prefer to use a template engine if they work with designers who they feel would find some confusion working with PHP.

However, my understanding was that by substituting PHP variables as plain text and removing any other PHP scripts before being rendered by the browser was a much more secure way of handling views.

My question is: does the templating engine with codeigniter prevent PHP scripts within views? And/Or, does codeigniter sanitize PHP echoes when they are called directly from the view?
Reply
#2

No and no, but there's no problem with that. Also, if you're working with a "designer" that isn't comfortable around php, a funky template language isn't going to help. You just need to work with more experienced people.
Reply
#3

(05-25-2016, 06:54 PM)skunkbad Wrote: No and no, but there's no problem with that. Also, if you're working with a "designer" that isn't comfortable around php, a funky template language isn't going to help. You just need to work with more experienced people.

I agree with you, PHP is something you would need even designers to be comfortable with.

However, surely it is a security risk, being able to execute PHP code in a view? I think I prefer all business logic entirely separate, and I just wondered whether there was a method in Codeigniter to strip views of PHP code when a user was utilising the template parser.

I suppose I could use the NGINX config file to manage this. I really only mention it because I've been doing some work with Drupal lately and I know that their ideology is that PHP shouldn't be executed in a view.
Reply
#4

(05-26-2016, 02:58 PM)winers1290 Wrote:
(05-25-2016, 06:54 PM)skunkbad Wrote: No and no, but there's no problem with that. Also, if you're working with a "designer" that isn't comfortable around php, a funky template language isn't going to help. You just need to work with more experienced people.

I agree with you, PHP is something you would need even designers to be comfortable with.

However, surely it is a security risk, being able to execute PHP code in a view? I think I prefer all business logic entirely separate, and I just wondered whether there was a method in Codeigniter to strip views of PHP code when a user was utilising the template parser.

I suppose I could use the NGINX config file to manage this. I really only mention it because I've been doing some work with Drupal lately and I know that their ideology is that PHP shouldn't be executed in a view.

No it's not, when the html runs PHP is not visible to the users. Do a page view when you go to any site that uses PHP.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#5

there are different levels of 'executing' - from horrible to questionable in a view file:
call a database with raw php code and your user name and password exposed
call a model and get a database result
check a variable to see if someone is logged in
check a variable to see if its not empty
==========
versus these which are relatively safe:
echo out a variable that you have already qualified
echo out a foreach on an array or object that has been qualified

other considerations - your application folder and system folder are above the public root
you are using codeigniter form validation, form helper, and query builders so everything is getting sanitized
you are sanitizing other types of output if it comes from users
Reply
#6

(05-27-2016, 03:31 AM)InsiteFX Wrote:
(05-26-2016, 02:58 PM)winers1290 Wrote:
(05-25-2016, 06:54 PM)skunkbad Wrote: No and no, but there's no problem with that. Also, if you're working with a "designer" that isn't comfortable around php, a funky template language isn't going to help. You just need to work with more experienced people.

I agree with you, PHP is something you would need even designers to be comfortable with.

However, surely it is a security risk, being able to execute PHP code in a view? I think I prefer all business logic entirely separate, and I just wondered whether there was a method in Codeigniter to strip views of PHP code when a user was utilising the template parser.

I suppose I could use the NGINX config file to manage this. I really only mention it because I've been doing some work with Drupal lately and I know that their ideology is that PHP shouldn't be executed in a view.

No it's not, when the html runs PHP is not visible to the users. Do a page view when you go to any site that uses PHP.

I wasn't meaning the risk is that someone could see your PHP code, that's obviously protected server side. More that if an attacker managed to get write access to the view file, it's an easy way to execute some code or make use of $_SERVER outputs (if used), for example.

But as already mentioned by caralot, as long as everything is properly sanitised, it looks like the risk is minimal.
Reply
#7

If someone get write access to the view file, you have other problems, because the person have write access to the controller too.
Reply
#8

sanitizing is important but the most important point is - your application folder with the view files - and the system folder - are above the public html folder. then it eliminates the issue. if they have access to that level then they own the server, and they aren't going to be using your files.
Reply
#9

(05-28-2016, 12:21 PM)cartalot Wrote: sanitizing is important but the most important point is - your application folder with the view files - and the system folder - are above the public html folder. then it eliminates the issue.  if they have access to that level then they own the server, and they aren't going to be using your files.

I agree with you, I prefer to route view files which is your html to another directory that has specific permission
God Bless CI Contributors Smile
Reply
#10

I am not a designer, but I got to hate writing PHP-views. :-) Although PHP is thought as a template language, as such it is a failure, I think.

Here is what I can say:

1. A specialized template language is needed, nevertheless how designers feel comfortable with PHP. Even, it could be partially portable outside PHP-systems.

2. CodeIgniter's policy about escaping has changed, escaping should be at output. A template engine with enabled by default HTML-escaping would give comfort in this situation. Otherwise it is not certain how carefully view's PHP code would be written. Built-in escaping for other contexts as HTML-attributes, JavaScript, etc. could be handy too.

3. A sophisticated template engine adds more value to programming than just arrangement relationships between programmers and designers. Seek for block-support, blocks could be defined in an abstract way and placed and moved wherever you like in your master template, a concrete controller can fill them with the concrete information.

A good template engine will allow you to clear your controllers from any visual design aspects - this is not achieved by me yet, due to maintaining BC, but it is achievable.

4. The CI3 built-in parser is quite minimalistic, it does not add significant value in comparison with the pure PHP-views. Better don't waste your time with it. Carefully pick up a third-party template engine and integrate it within your application.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB