Comments on include php file in template
Forum Regular
Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile
Total Topics: 172
Total Comments: 462
Paul,
Referring to: scripts.webmastersite.net/w...s/PHP_in_Templates-16.html
For the case where we want to include some variable switches only available for admin, this at the link edit template, and in case we want to do it via inserting a .php file in the template:
If we just insert this on the edit template:
<?php include 'adminonly_edit.php' ?>
And having the 'adminonly_edit.php' file uploaded to the templates directory,
we end up with a
Warning: Unknown(adminonly_edit.php): failed to open stream: No such file or directory in /user/home/server/public_html/links/commonfuncs.php(737) : eval()'d code on line 705
If we insert this on the edit template:
<?php include 'http://www.mysite.com/links/templates/modified_templates/adminonly_edit.php' ?>
We reach the 'adminonly_edit.php' correctly, but the inserted variables we need to switch are not interpreted as variable names and they are just shown as {LINKVARIABLENAME}. This happens for preexisting variables and also for our own variables.
Could you please advise me what would be your recommendation for the best way to include the file and the way to have the variables available in the template.
Thanks.
Member
Usergroup: Customer
Joined: Dec 16, 2006
Total Topics: 9
Total Comments: 29
This is how I insert calls on normal php pages
for other sites I work on
<?php include('calls/logo.php'); ?>
This calls a logo from a directory called calls
If I leave the brackets off the calls do not work
Just a thought
Mel
Happy New Year
Forum Regular
Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile
Total Topics: 172
Total Comments: 462
Thanks Mel,
I have found that the file is inserted into the template specifying the path to the file without or with brackets as:
<?php include ('templates/modified_templates/adminonly_edit.php'); ?>
Now the difficulty is how to make the variables and language variables available and not have them appear as {LINKVARIABLENAME} or {MEMBERVARIABLENAME} or {LANG_VARIABLENAME}.
The manual says that we have to declare variables as global, but I really do not understand where to declare them. I have tried declaring at the template and also at the .php file to be included, without results.
Thanks and Happy New Year too!
Paul, Happy New Year !
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
I probably don't understand your usage, but wouldn't it be better to use the modifications directory? By the time you enter a template it's too late to do much of interest.
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
Wrote a better article here now: scripts.webmastersite.net/w...cations_Directory-369.html
Forum Regular
Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile
Total Topics: 172
Total Comments: 462
I would like to have variables I would be sure only admin can edit for each link, such as:
Assign days to expiration.
Date of Deposit1
Amount Deposited1
Number Of Deposit1
Hide/Non Hide
Type of Link
I know it can be done easily by just conditioning them as
<?php if ('{THISMEMBERISADMIN}') { ?>
...
<?php } ?>
but in a similar situation I have found a user that has published spam and that has registered modifying hidden and admin-only accessible variables.
I couldn't understand how, but after looking at:
-link
I realized why so I would like to have this admin only stuff to be inserted via .php file as
<?php if ('{THISMEMBERISADMIN}') { include 'templates/modified_templates/adminonly_edit.php'; } ?>
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
It doesn't have anything to do with SQL injection. The edit link page is designed to accept whatever you feed it, it is possible to make a fake form for it to send values if you know enough about the script to know which values to send. Perhaps there could be a 'protected fields' option in the future. (Note that critical stuff like the usergroup is already protected.)
Anyhow, putting a PHP file in your template does absolutely nothing about the issue (or any other issue, since it duplicates what the script already does using a new much more complicated method).
Forum Regular
Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile
Total Topics: 172
Total Comments: 462
My idea is to have a php conditional statement that checks if the viewer is admin and inserts the sensitive template part via a .php file and, on the contrary, if the viewer is not admin the sensitive part is not inserted.
This way if the viewer is not admin the sensitive template part will never appear in the source code.
If we do not insert the sensitive template part via a .php file, the variables will always be viewable in the source code regardless of whether the viewer is admin or not. Am I correct?
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
My idea is to have a php conditional statement that checks if the viewer is admin and inserts the sensitive template part via a .php file and, on the contrary, if the viewer is not admin the sensitive part is not inserted.
That is exactly what the template conditional already in the template already accomplishes, as you can easily observe with your browser's "view source" option (you can see the fields are not in the form), which is why it's utterly pointless to come up with a really complicated way to do the same thing. Having something not be in the form, however, is useless as protection if an attacker isn't using your form but has instead placed a modified version on their own site which posts the data to the url on your site. I've never seen such an attack done, but it's certainly possible.
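The point made in the reply above, that leaving a field out of the form does not stop someone from posting it anyway, is handled on the server by filtering submitted fields against a per-role allowlist before anything is saved. The following is an added PHP example, not part of the thread and not WSN Links code; the field names, the sample request and the `filter_link_update()` helper are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical field names and helper, not WSN Links' own code.

// Fields any link owner may change.
const MEMBER_FIELDS = ['title', 'url', 'description'];
// Fields only an administrator may change (modelled on the list earlier in the thread).
const ADMIN_FIELDS = ['expire_days', 'deposit_date1', 'deposit_amount1',
                      'deposit_number1', 'hide', 'type'];

/**
 * Split a submitted form into the fields the current user may write
 * and the names of the fields that were dropped.
 */
function filter_link_update(array $submitted, bool $isAdmin): array
{
    $allowed  = $isAdmin ? array_merge(MEMBER_FIELDS, ADMIN_FIELDS) : MEMBER_FIELDS;
    $accepted = array_intersect_key($submitted, array_flip($allowed));
    $rejected = array_keys(array_diff_key($submitted, $accepted));
    return [$accepted, $rejected];
}

// Constructed request body: what arrives when a non-admin posts from a
// modified copy of the edit form that includes the admin-only fields.
$post = [
    'title'       => 'My site',
    'url'         => 'https://example.com/',
    'hide'        => '0',     // admin-only, never rendered for this user
    'expire_days' => '9999',  // admin-only
    'usergroup'   => '1',     // not on any allowlist, dropped as well
];

// The role must come from the server-side session, never from the request.
$isAdmin = false;

[$accepted, $rejected] = filter_link_update($post, $isAdmin);

// Only $accepted is passed on to the code that writes the link record.
print_r($accepted);

// Dropped fields from a non-admin are worth logging: the real form never sends them.
if ($rejected !== []) {
    error_log('link edit: dropped fields from non-admin: ' . implode(', ', $rejected));
}
```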
Forum Regular
Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile
Total Topics: 172
Total Comments: 462
Thanks for clarifying.
I understand that the only viewable variables (that we do not want to be viewable) are the type="hidden" variables. Is there a way to have the hidden variables not seen in the source code (for non-admins)?
Also it would be very nice to have your mentioned possible 'protected fields' function.
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
Once again, please use your browser's view source option. As far as I'm aware not a single admin-only option is input type="hidden", they aren't there.
Forum Regular
Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile
Total Topics: 172
Total Comments: 462
I meant the usual type="hidden" variables, not inside an if admin conditional. I believe there's no way for them not to be shown in the source code?
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
How many "usual" ones are there? If they're giving data for a required field then they have to be there, if it's not necessary data then they can be deleted.