More PHP sql injection attacks than you can shake a stick at
Darren Beale
bealers at gmail.com
Sun Oct 8 16:57:28 BST 2006
On 10/8/06, Tom Gidden <tom at gidden.net> wrote:
> I've never used a templating system in PHP, because I just don't see
> the point: it practically *is* a templating system anyway... or at
> least, it can be used as one trivially.
I thought the same for a long while until I worked on a third party
application where the developers had given the ability to use Smarty
to skin the app via templates in a textarea that I had to work on
offline and then paste in to apply. I had no access to plugins or
modifiers and all of Smarty's 'security' features were switched on.
The result was something where I had access to the absolute basic
Smarty logic and formatting but no ability to embed raw PHP or add
self-written PHP plugins. Whilst it was very frustrating for me, as I
couldn't actually do too much, I could see the rationale from a
security point of view, assuming that Smarty is secure; I've not
looked into it enough to comment on that.
D
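Added example, not code from the thread or from the Smarty project: the Smarty 2 settings that produce the kind of locked-down skinning Darren describes, shown beside the permissive defaults that treat a template as trusted PHP. It assumes the Smarty 2.x API of the time (`$security`, `$secure_dir`, `$security_settings`, the `SMARTY_PHP_*` constants); the directory paths and the skin text are placeholders constructed for the example.

```php
<?php
// Added example (not from the thread or from Smarty itself).
// Assumes Smarty 2.x installed so that Smarty.class.php is on the include path,
// plus writable template/compile directories; paths below are placeholders.
require_once 'Smarty.class.php';

// Constructed sample of "skin" text as it might be pasted in from a textarea.
// The first part is ordinary Smarty; the rest is what must never run.
$skin = '<h1>{$title|upper}</h1>'
      . '{php}echo "raw php block";{/php}'
      . '<?php echo "raw php tag"; ?>';

// Permissive: a template is trusted code. {php} blocks and <?php ?> tags
// are executed with the privileges of the web server user.
function make_permissive_smarty($templateDir, $compileDir)
{
    $smarty = new Smarty();
    $smarty->template_dir = $templateDir;
    $smarty->compile_dir  = $compileDir;
    $smarty->security     = false;              // Smarty 2 default
    $smarty->php_handling = SMARTY_PHP_ALLOW;   // execute <?php ?> found in templates
    return $smarty;
}

// Locked down: basic Smarty logic and formatting only, as in the post.
function make_locked_down_smarty($templateDir, $compileDir)
{
    $smarty = new Smarty();
    $smarty->template_dir = $templateDir;
    $smarty->compile_dir  = $compileDir;
    $smarty->security     = true;                 // enable the security policy
    $smarty->secure_dir   = array($templateDir);  // {include} only from here
    $smarty->php_handling = SMARTY_PHP_REMOVE;    // strip <?php ?> tags from templates
    $smarty->security_settings['PHP_TAGS']        = false;    // forbid {php}...{/php}
    $smarty->security_settings['INCLUDE_ANY']     = false;    // no includes outside secure_dir
    $smarty->security_settings['ALLOW_CONSTANTS'] = false;    // no {$smarty.const.*}
    $smarty->security_settings['MODIFIER_FUNCS']  = array();  // no PHP functions as modifiers
    return $smarty;
}

// Render a pasted skin with a given Smarty instance. With the locked-down
// policy, a disallowed construct such as {php} is rejected at compile time
// (Smarty 2 raises a security error), so the template body never executes.
function render_skin($smarty, $skinText, $title)
{
    $file = rtrim($smarty->template_dir, '/') . '/skin.tpl';
    file_put_contents($file, $skinText);          // placeholder storage for the skin
    $smarty->assign('title', $title);
    return $smarty->fetch('skin.tpl');
}

$templateDir = '/path/to/templates';   // placeholder
$compileDir  = '/path/to/templates_c'; // placeholder

// The permissive instance would run both embedded PHP fragments.
// The locked-down instance refuses the skin instead of executing it.
$locked = make_locked_down_smarty($templateDir, $compileDir);
echo render_skin($locked, $skin, 'Example');
```

The point of the two constructors is that the difference between "templating is just PHP" and "templates are safe for a third party to write" is entirely in the policy: once `$security` is on and both `{php}` and `<?php ?>` are off, the skin author keeps `{$title|upper}` and the other built-in tags and modifiers but gains no way to call arbitrary PHP, which is exactly the trade-off described above.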