[thelist] PHP template code security sufficient?
Ken Snyder
ksnyder at coremr.com
Tue May 15 17:00:18 CDT 2007
P Chen wrote:
> I was reading an old tutorial on A List Apart regarding building a PHP
> template based site using the following code to insert page-specific
> content, but wasn't sure if this was sufficient in terms of security. I
> don't know much about php security, so I'm hoping someone can shed light on
> this piece of code, what it's vulnerable to, etc...
>
> http://alistapart.com/articles/phpcms/
>
> <div class="body">
> <?php @ require_once ("$page.html"); ?>
> </div>
>
> Thanks,
> Peter
>
>
The article appears to assume that the developer has complete control
over all the templates. If "$page.html" could potentially contain
malicious php scripts, they would be executed. To allow user-submitted
templates, you need to have some sort of class or templating engine (i.e.
Smarty) that parses or compiles the templates.
If you are not using user templates, the require_once() construct is not
any more or less secure than putting the template content right in the
main document.
The most common security problems in PHP relate to the use of
superglobals, to inadequate protection from sql injection, and to
failing to parse user input in general. (See google:
http://www.google.com/search?q=php+security)
--Ken Snyder
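To show the difference Ken describes in working code, here is an added example (not from the A List Apart article or from either poster) that keeps the same require_once("$page.html") idea but only ever includes developer-authored templates chosen from a fixed allow-list; the TEMPLATE_DIR location, the page names and the resolve_template() helper are assumptions for illustration.

```php
<?php
// Added example: the article's pattern is only safe while $page and the
// template files are entirely under the developer's control. Here the
// request value selects an entry from an allow-list instead of being
// pasted into a path, so it can never name a file outside TEMPLATE_DIR.

// Assumption: templates live in a fixed directory, ideally outside the web root.
define('TEMPLATE_DIR', __DIR__ . '/templates');

// Allow-list: request value => template file. Anything not listed is refused.
$pages = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

function resolve_template(array $pages, string $requested): ?string
{
    if (!array_key_exists($requested, $pages)) {
        return null;                        // unknown page: refuse, do not guess
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $pages[$requested]);
    // Defence in depth: even a listed entry must resolve inside TEMPLATE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home';
$template  = resolve_template($pages, $requested);
if ($template === null) {
    http_response_code(404);
    exit('Page not found');
}
?>
<div class="body">
<?php
// The included file is still parsed and executed as PHP, exactly as in the
// article, so templates must remain developer-authored. User-submitted text
// belongs in a variable printed through htmlspecialchars(), never in a file
// that gets included.
require_once $template;
?>
</div>
```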