Webmastersite.net
Register Log In

include php file in template
recomendation request

Comments on include php file in template

peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
peumus
Posted Dec 31, 2006 - 4:54 AM:

Paul,

Refering to: scripts.webmastersite.net/w...s/PHP_in_Templates-16.html

For the case we want to include some variable switches only available for admin, this at link edition template, and in case we whant to do it via inserting a .php file in the template:

If we just insert this on the edit template:
<?php include 'adminonly_edit.php' ?>

And having the 'adminonly_edit.php' file upladed to the templates directory,
we end with a

Warning: Unknown(adminonly_edit.php): failed to open stream: No such file or directory in /user/home/server/public_html/links/commonfuncs.php(737) : eval()'d code on line 705

If we insert this on the edit template:
<?php include 'http://www.mysite.com/links/templates/modified_templates/adminonly_edit.php' ?>

We reach the 'adminonly_edit.php' correctly, but the inserted variables we need to switch are not interpreted as variable names and they are just shown as {LINKVARIABLENAME} . This for preexisting variables and also own variables.


Could you please advice me what would be your recomendation for the best way to include the file and the way to have the variables available at the template.

Thanks.
mel
Member

Usergroup: Customer
Joined: Dec 16, 2006

Total Topics: 9
Total Comments: 29
mel
Posted Dec 31, 2006 - 5:22 PM:

This is how I insert calls on normal php pages
for other sites I work on

<?php include('calls/logo.php'); ?>

This calls a logo from a directory called calls

If I leave the brackets off the calls do not work

Just a thought

Mel

Happy New Yearsmiling face
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
peumus
Posted Dec 31, 2006 - 8:40 PM:

Thanks Mel,

I have found that the file is inserted into the template specifying the path to the file without or with brackets as:

<?php include ('templates/modified_templates/adminonly_edit.php'); ?>

Now the difficulty is how to make the variables and language variables available and not them to appear as {LINKVARIABLENAME} or {MEMBERVARIABLENAME} or {LANG_VARIABLENAME} .

The manual sais that we have to declair variables as global, but I really do not understand were to declair them. I have tried declaring at the template and also at the .php file to be included, without results.

Thanks and Happy New Year too!

Paul, Happy New Year !
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jan 02, 2007 - 11:27 AM:

I probably don't understand your usage, but wouldn't it be better to use the modifications directory? By the time you enter a template it's too late to do much of interest.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jan 02, 2007 - 11:38 AM:

Wrote a better article here now: scripts.webmastersite.net/w...cations_Directory-369.html
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
peumus
Posted Jan 02, 2007 - 4:48 PM:

I probably don't understand your usage, ...


I would like to have variables I would be shure only admin can edit for each link as:

Assing days to expiration.
Date of Deposit1
Amount Deposited1
Number Of Deposit1
Hide/Non Hide
Type of Link

I know it can be done easily by just conditioning them as
<?php if ('{THISMEMBERISADMIN}' {?>
...
<?php } ?>

but on a simmilar situation I have found a user that has published spam and that have registered modifying hidden and admin only accesible variables.

I couldn't understand how, but after looking at:

-link

I realized why so I would like to have this admin only stuff to be inserted via .php file as
<?php if ('{THISMEMBERISADMIN}') { include 'templates/modified_templates/adminonly_edit. php'; }
?>
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jan 03, 2007 - 1:48 PM:

It doesn't have anything to do with SQL injection. The edit link page is designed to accept whatever you feed it, it is possible to make a fake form for it to send values if you know enough about the script to know which values to send. Perhaps there could be a 'protected fields' option in the future. (Note that critical stuff like the usergroup is already protected.)

Anyhow, putting a PHP file in your template does absolutely nothing about the issue (or any other issue, since it duplicates what the script already does using a new much more complicated method).
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
peumus
Posted Jan 03, 2007 - 7:52 PM:

My idea is to have a php conditional statement that checks if the viewer is admin and inserts the sensible template part via a .php file and by the contrary if the viewer is not admin the sensible part is not inserted.

This way if the viewer is not admin the sensible template part will never appear at the source code.

If we do not insert the sensible template part via a .php file, the variables will always be viewable at the source code regardless if the viewer is admin or not. I am correct ?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jan 04, 2007 - 12:15 PM:

My idea is to have a php conditional statement that checks if the viewer is admin and inserts the sensible template part via a .php file and by the contrary if the viewer is not admin the sensible part is not inserted.

That is exactly what the template conditional already in the template already accomplishes, as you can easily observe with your browser's "view source" option (you can see the fields are not in the form), which is why it's utterly pointless to come up with a really complicated way to do the same thing. Having something not be in the form, however, is useless as protection if an attacker isn't using your form but has instead placed a modified version on their own site which posts the data to the url on your site. I've never seen such an attack done, but it's certainly possible.
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
peumus
#10 - Quote - Permalink
Posted Jan 06, 2007 - 3:42 AM:

Thanks for clarifying.

I understand that the only viewable variables (that we do not want to be viewable) are the type="hidden" variables. Is it a way to have the hidden variables not seen on the sourcecode (for nonadmin) ?

Also would be very nice to have your mentioned possible 'protected fields' function .
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
#11 - Quote - Permalink
Posted Jan 06, 2007 - 6:24 PM:

Once again, please use your browser's view source option. As far as I'm aware not a single admin-only option is input type="hidden", they aren't there.
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
peumus
#12 - Quote - Permalink
Posted Jan 07, 2007 - 3:55 AM:

I meant the usual type="hidden" variables, not inside an if admin conditional. I believe there's no way not them to be shown at the source code ?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
#13 - Quote - Permalink
Posted Jan 09, 2007 - 5:19 PM:

How many "usual" ones are there? If they're giving data for a required field then they have to be there, if it's not necessary data then they can be deleted.
Search thread for
Download thread as
  • 0/5
  • 1
  • 2
  • 3
  • 4
  • 5



This thread is closed, so you cannot post a reply.