EN Template Conditionals

This is essentially a more restrictive version of my PHP in Templates plugin. The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin. Both plugins are very similar though. The differences between this and the other plugin are:

• Admins cannot enter PHP code using <?php ?> tags
  
• Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
  
• file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
  
• There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
  Example (prints 123654321):
  Kod:

  123<?=substr("987654321", 3)?>
• There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array. Examples:
  (just prints some text)
  
  Kod:

  <setvar uselesstext>"some text"</setvar>
{$tplvars['uselesstext']}
  (prints out the username of the user with UID of 2)
  
  Kod:

  <setvar user2>get_user(2)</setvar>
<func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>

v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:

• no assignment/modification operators (=, +=, |=, ++ etc) allowed
  
• no statements such as include, exit, eval etc are allowed
  
• no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
  
• backtick (`) operator not allowed
  
• heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
  
• double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
  
• array and object typecasting not allowed
  
• no variable functions or method calls allowed
  
• single line comments (//, #) not allowed
  
• only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions
  

Source: https://mybbhacks.zingaburga.com/showthread.php?tid=464

» Son Düzenleme: 12-11-2025, 07:31 PM, Düzenleyen: Hasan.
» Sebep: Dosya güncellendi

This is essentially a more restrictive version of my PHP in Templates plugin. The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin. Both plugins are very similar though. The differences between this and the other plugin are:

• Admins cannot enter PHP code using <?php ?> tags
  
• Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
  
• file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
  
• There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
  Example (prints 123654321):
  Kod:

  123<?=substr("987654321", 3)?>
• There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array. Examples:
  (just prints some text)
  
  Kod:

  <setvar uselesstext>"some text"</setvar>
{$tplvars['uselesstext']}
  (prints out the username of the user with UID of 2)
  
  Kod:

  <setvar user2>get_user(2)</setvar>
<func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>

v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:

• no assignment/modification operators (=, +=, |=, ++ etc) allowed
  
• no statements such as include, exit, eval etc are allowed
  
• no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
  
• backtick (`) operator not allowed
  
• heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
  
• double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
  
• array and object typecasting not allowed
  
• no variable functions or method calls allowed
  
• single line comments (//, #) not allowed
  
• only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions
  

Source: https://mybbhacks.zingaburga.com/showthread.php?tid=464

» Son Düzenleme: 12-11-2025, 07:31 PM, Düzenleyen: Hasan.
» Sebep: Dosya güncellendi