[thelist] PHP template code security sufficient?

Ken Snyder ksnyder at coremr.com
Tue May 15 17:00:18 CDT 2007

P Chen wrote:
> I was reading an old tutorial on A List Apart regarding building a PHP
> template based site using the following code to insert page-specific
> content, but wasn't sure if this was sufficient in terms of security. I
> don't know much about php security, so I'm hoping someone can shed light on
> this piece of code, what it's vulnerable to, etc...
> http://alistapart.com/articles/phpcms/
> <div class="body">
> <?php @ require_once ("$page.html"); ?>
> </div>
> Thanks,
> Peter
The article appears to assume that the developer has complete control 
over all the templates.  If "$page.html" could potentially contain 
malicious php scripts, they would be executed.  To allow user-submitted 
tempates, you need to have some sort of class or templating engine (i.e. 
Smarty) that parses or compiles the templates.

If you are not using user templates, the require_once() construct is not 
any more or less secure than putting the template content right in the 
main document.

The most common security problems in PHP relate to the use of 
superglobals, to inadequate protection from sql injection, and to 
failing to parse user input in general.  (See google: 

--Ken Snyder

More information about the thelist mailing list