web2008

Allow Smarty PHP tags not Recommended


I have the following in a .tpl file

 

{php}

include('./file.php');

{/php}

 

and this works fine when Allow Smarty PHP tags is enabled.

 

Is there another way to use php code in tpl files if this is a security risk?


Use ActionHooks instead; it should be easy. You will pass the result/output as a variable to Smarty, then use e.g. {$myresult} to display this result in the .tpl file.


Thanks for the reply, but this is a bit over my expertise. Do you have an example that can help me get started?


{php} in Smarty has been pretty much taboo for a while now ;) . Since v3, Smarty has disabled this by default, and wisely so.

 

As sentq mentioned, you can use an action hook, pass this to the smarty system itself. It's really going to be hard to provide specifics unless you tell us what you're looking for here. I mean

include ("file.php")

 

is pretty generic, you know?

 

Take a look at Templates and Custom PHP logic or Template:Hook:ClientAreaPageActions . These should at least give you an idea on how to do this.


The "file.php" is a PHP script that generates passwords, and that works fine with include ("file.php") and Smarty PHP tags enabled.

 

But I still do not understand completely how I can use Action Hooks instead.

> But I still do not understand completely how I can use Action Hooks instead.

Tom's right on this - you're either going to have to let us see the code within file.php or pay a developer to convert it for you.


What I was looking for was something that replaced

 

{php}

include('./file.php');

{/php}

 

This seems to work perfectly, regardless of the code in "file.php", when Allow Smarty PHP tags is enabled.

 

But if I have to pay attention to what the code is in the php file, then it becomes a little more complex, or have I misunderstood?

 

I cannot post the code for generating the password, as this is something I've bought, but what about the following example?

 

Please see the attachment!

 

This code works fine with the "include('./file.php');" in a .tpl file.

file.zip


What you're after won't work any more. It's time to rethink things.

 

If you purchased the code from someone, talk to them, get them to redo the code properly so that it actually functions securely.


I realize that I have to think, but I'm not just talking about my specific php script, but the correct way to do this.

 

Using Smarty PHP tags is very simple and, as I understand it now after several answers, the code in the PHP file must be converted to an ActionHook, so I can display the result in the .tpl file. Is this correct, or can the code in the PHP file still be used as it is?

 

Sorry for all the stupid questions, but everything must be learned!

> the code in the php file must be converted to a ActionHook, so I can display the result in the .tpl file. Is this correct?

Yes, this is correct, and this is what I meant in the first reply.

> What I was looking for was something that replaced
>
> This seems to work perfect, regardless of the code in "file.php" when Allow Smarty PHP tags is enabled.
>
> But if I have to pay attention to what the code is in the php file, then it becomes a little more complex, or have I misunderstood?

not only to what the code is, but where it's going to be used... e.g if it's to be used in the admin area, you need an admin action hook, and the opposite for the client area... and if it's only needed on a specific page, there may be a specific hook to use... context is important!

 

> I can not post the code for generating the password, as this is something I've bought, but what about the following example?
>
> This code works fine with the "include('./file.php');" in a .tpl file.

I looked at the code and my first thought was that it could probably be re-written in Smarty without the need for an action hook, but as it's only an example, I'm not going to waste time testing that. :)

 

there was an admin password hook posted in the thread below - but it's using javascript and probably not the best example if you wanted to convert your code - which I assume is all PHP.

 

https://forum.whmcs.com/showthread.php?91219-Free-Hook-Module-Random-Password-generator-for-admins&p=449690#post449690

 

> Using Smarty PHP tags is the very simple and as I understand it now, after several answers, the code in the php file must be converted to a ActionHook,

AFAIK, using {php} tags in Smarty has always been considered potentially dangerous and frowned upon - it is today, and was when you bought your password code... the only difference is that v6 & v7 had warning messages about its use - they would have done that because the option was removed from Smarty and, ultimately, will be removed from WHMCS.

 

when I first bought WHMCS and started using Smarty, every reference I found always said to avoid using {php} tags - it's a quick solution, but discouraged.

 

I don't think that it's any more dangerous to use your code today than it was when you bought it - but you now know that there is a potential risk in using it (which I assume you were unaware of when you initially bought it)... certainly, as the guys have said, it will HAVE to be converted to an action hook at some point if you want to continue to use the feature(s) it provides.
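
The conversion the replies describe, as an added example that is not code from any poster in this thread or from WHMCS: the logic moves out of the template into a hook file, and the template only prints the variable the hook returns. The hook file location comment, the function name `example_generate_password`, the template name `mypage` and the reliance on the `templatefile` key are assumptions; the variable name `myresult` follows the first reply.

```php
<?php
// Added example: place in a file under includes/hooks/ (file name is an assumption).
// With this in place, "Allow Smarty PHP tags" can stay disabled.

if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

/**
 * Hypothetical stand-in for the logic that used to live in file.php.
 * random_int() draws from the operating system's CSPRNG, unlike rand()/mt_rand().
 */
function example_generate_password(int $length = 16): string
{
    // Look-alike characters (0/O, 1/l/I) are left out of the alphabet.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%*-_';
    $max = strlen($alphabet) - 1;

    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// ClientAreaPage runs for client area pages; the array it returns is
// merged into the Smarty variables available to the template.
add_hook('ClientAreaPage', 1, function (array $vars) {
    // Assumption: only the template "mypage.tpl" needs the value, so the
    // hook does nothing on every other page.
    if (($vars['templatefile'] ?? '') !== 'mypage') {
        return [];
    }

    return ['myresult' => example_generate_password()];
});

// In mypage.tpl, replace the {php}include('./file.php');{/php} block with:
//     {$myresult|escape:'html'}
// The template now only displays data and can no longer execute PHP.
```

An admin-area page would need an admin hook point instead, as the reply above notes.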
