How to add php code in a page ?

[david7594]

Hello ! I would like to add php code in a page but i don't know how to do...
Thank you for your help

[Nullig]

The easiest way is with a User Defined Tag (UDT).

Nullig

[cyberman]

Another way is to set

Code: Select all

$config['use_smarty_php_tags'] = false;

in config.php to true so you can mask it in a page via {php}source{/php}. But it's risky if you have more than one user/admin ...

[tractorboy]

I use a user-defined tag called extfiles whose content is one line :

include($params['filename']);

and is called like this :

{incfile filename='dynamic.php'}


Steve

[cyberman]

Hi Steve,

nice solution too - will add this to wiki.

I use a user-defined tag called extfiles

...

and is called like this :

{incfile filename='dynamic.php'}

Think it must be

Code: Select all

{extfile filename='dynamic.php'}

[RonnyK]

Cyberman,

extfiles neq extfile. UDT without the ending "s", as it calls a single file, {extfile....}

Ronny

[cyberman]

Thanks Ronny - you were right.

[cyberman]

nice solution too - will add this to wiki.

It's done

http://wiki.cmsmadesimple.org/index.php/FAQ/Add_PHP

[Pierre M.]

Hello,

for security conscious webmasters, I think Nullig's UDT solution is the best : the executed PHP code in known in advance and maintained by its owner.

In others cases, the pointed PHP code may change (php file upload or overwrite) without the admin allowing it knowing. Don't allow "use_smarty_php_tags" {php}source{/php} unless you understand what you are doing and you have hardened your PHP infrastructure.

Pierre M.

[RonnyK]

Pierre,

which UDT of Nullig are you referring to. I didn't find one so quickly

Ronny

[Pierre M.]

Not Nullig's UDT. It's "Nullig's UDT solution" rather than "use_smarty_php_tags on" solution. If the code in maintained in a known UDT, it is more secure than if it came from an unmonitored file or content.

Pierre M.

[RonnyK]

Why is that one better than the one tractorboy mentioned. Or are you in general referring to a call through UDT?

Ronny

[Pierre M.]

I'm not a PHP security expert, but comparing the two, I think the code in the included file may be less monitored than the code in a UDT (whose changes are logged). And the UDT in in the database. The included file may be more easyly overwritten.

I just wanted to stress that people who wide open their systems with "use_smarty_php_tags" must know what they are doing.

Pierre M.

[tractorboy]

nice solution too - will add this to wiki.

It's done

http://wiki.cmsmadesimple.org/index.php/FAQ/Add_PHP

Flattered !

Where security is a concern the UDT could be improved so that it only includes files from a directory that is not accessble to the web server, so that the files cannot be overwritten by upload exploits.  I guess you'd also need to parse the parameter to make sure it's just a file name with no path.

[cyberman]

Thanks for your note - added this.