[nycphp-talk] Looking for a PHP equivalent to Perl Text::Template
Chris Snyder
chris at psydeshow.org
Tue May 6 12:40:33 EDT 2003
Malcolm, Gary wrote:
>does this strike anyone as a little dangerous? hiding executable code that
>operates at the same level of permissions amongst text files could get
>confusing in large batches... especially if the replacement gets complex.
>
>
TRUE-- you should add slashes to $template before eval()ing it in order
to escape any quotes that would allow executable statements.
>>$template= file_get_contents("/path/to/template.html");
>>
>> $template= addslashes($template); // important!
>>$command= "\$output= \"$template\";";
>>eval($command);
>>print $output;
>>
Given that correction I don't think this is so risky. A malicious
template author could still reveal the contents of any global variable,
so I wouldn't let just anyone define the contents of $template.
If you have a fixed set of values to be replaced then it might indeed
be easier/safer to build something using the array feature of str_replace.
chris.
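An added example, not code from the original thread, of the fixed-placeholder approach the reply points to: the template is never passed to eval(), so a template author can only reach the values the caller hands over. It assumes a {{name}} placeholder syntax, a hypothetical render_template() function, and a constructed sample template; it uses strtr's array form rather than str_replace so that substituted values are never rescanned as placeholders.

```php
<?php
// Added example (not from the original post): render a template that may only
// contain a fixed, caller-supplied set of placeholders. No eval() is involved,
// so the template text cannot read $GLOBALS or anything else in scope.

function render_template(string $template, array $values): string
{
    // Collect every {{name}} in the template and refuse unknown ones before
    // substituting, so a template cannot name anything the caller did not
    // explicitly pass in.
    preg_match_all('/\{\{([A-Za-z0-9_]+)\}\}/', $template, $m);
    $unknown = array_diff(array_unique($m[1]), array_keys($values));
    if ($unknown) {
        throw new InvalidArgumentException(
            'Unknown placeholder(s): ' . implode(', ', $unknown));
    }

    $map = [];
    foreach ($values as $name => $value) {
        // HTML-escape each value so it is rendered as text, never as markup.
        $map['{{' . $name . '}}'] =
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }

    // strtr's array form substitutes in a single pass over the template, so a
    // substituted value that itself contains "{{...}}" is left as plain text.
    // str_replace with arrays rescans the string for each search/replace pair,
    // which would let one value's content be treated as a later placeholder.
    return strtr($template, $map);
}

// Constructed sample template standing in for /path/to/template.html.
$template = "<p>Hello {{name}}, your order {{order_id}} has shipped.</p>\n";

echo render_template($template, [
    'name'     => "O'Brien <b>",   // shown escaped, not as markup
    'order_id' => 1042,
]);

// A template containing e.g. {{db_password}} throws instead of rendering,
// because the caller never supplied a value under that name.
```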