Allow Smarty PHP tags not Recommended

[web2008]

I have the following in a .tpl file

 

{php}

include('./file.php');

{/php}

 

and this works fine when Allow Smarty PHP tags is enabled.

 

Is there another way to use php code in tpl files if this is a security risk?

[sentq]

use ActionHooks instead, it should be easy, you will pass the result/output as variable to smarty, then use ex. {$myresult} to display this result in .tpl file

[web2008]

Thanks for the reply, but this is a bit over my expertise. Do you have an example that can help me get started?

[twhiting9275]

{php} in smarty has been pretty much taboo for a while now . Since v3, smarty has disabled this by default, and wisely so.

 

As sentq mentioned, you can use an action hook, pass this to the smarty system itself. It's really going to be hard to provide specifics unless you tell us what you're looking for here. I mean

include ("file.php")

 

is pretty generic, you know?

 

Take a look at Templates and Custom PHP logic or Template:Hook:ClientAreaPageActions . These should at least give you an idea on how to do this.

[web2008]

The "file.php" is a PHP script who generate passwords and that works fine with include ("file.php") and Smarty PHP tags enabled.

 

But I still do not understand completely how I can use Action Hooks instead.

[twhiting9275]

You'll want to consult with a developer then.

[brian!]

But I still do not understand completely how I can use Action Hooks instead.

Tom's right on this - you're either going to have to let us see the code within file.php or pay a developer to convert it for you.

[web2008]

What I was looking for was something that replaced

 

{php}

include('./file.php');

{/php}

 

This seems to work perfect, regardless of the code in "file.php" when Allow Smarty PHP tags is enabled.

 

But if I have to pay attention to what the code is in the php file, then it becomes a little more complex, or have I misunderstood?

 

I can not post the code for generating the password, as this is something I've bought, but what about the following example?

 

Please see the attachment!

 

This code works fine with the "include('./file.php');" in a .tpl file.

file.zip

[twhiting9275]

What you're after won't work any more. It's time to rethink things.

 

If you purchased the code from someone, talk to them, get them to redo the code properly so that it actually functions securely.

[web2008]

I realize that I have to think, but I'm not just talking about my specific php script, but the correct way to do this.

 

Using Smarty PHP tags is the very simple and as I understand it now, after several answers, the code in the php file must be converted to a ActionHook,

so I can display the result in the .tpl file. Is this correct or can the code in the php file still be used as it is?

 

Sorry all stupid questions, but everything must be learned!

[sentq]

the code in the php file must be converted to a ActionHook,

so I can display the result in the .tpl file. Is this correct?

yes this is correct, and this is what I mean in the first reply

[brian!]

What I was looking for was something that replaced

This seems to work perfect, regardless of the code in "file.php" when Allow Smarty PHP tags is enabled.

But if I have to pay attention to what the code is in the php file, then it becomes a little more complex, or have I misunderstood?

not only to what the code is, but where it's going to be used... e.g if it's to be used in the admin area, you need an admin action hook, and the opposite for the client area... and if it's only needed on a specific page, there may be a specific hook to use... context is important!

 

I can not post the code for generating the password, as this is something I've bought, but what about the following example?

This code works fine with the "include('./file.php');" in a .tpl file.

I looked at the code and my first thought was that it could probably be re-written in Smarty without the need for an action hook, but as it's only an example, i'm not going to waste time testing that.

 

there was an admin password hook posted in the thread below - but it's using javascript and probably not the best example if you wanted to convert your code - which I assume is all PHP.

 

https://forum.whmcs.com/showthread.php?91219-Free-Hook-Module-Random-Password-generator-for-admins&p=449690#post449690

 

Using Smarty PHP tags is the very simple and as I understand it now, after several answers, the code in the php file must be converted to a ActionHook,

AFAIK, using {php} tags in Smarty has always been considered potentially dangerous and frowned upon - it is today, and was when you bought your password code... the only difference is that v6 & v7 had warning messages about it's use - they would have done that because the option was removed from Smarty and, ultimately, will be removed from WHMCS.

 

when I first bought WHMCS and started using Smarty, every reference I found always said to avoid using {php} tags - it's a quick solution, but discouraged.

 

I don't think that it's any more dangerous to use your code today that it was when you bought it - but you now know that there is a potential risk in using it (which I assume you were unaware of when you initially bought it)... certainly, as the guys have said, it will HAVE to be converted to an action hook at some point if you want to continue to use the feature(s) it provides.