why not php in templates

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
Post Reply
craigeebach
Registered User
Posts: 5
Joined: Mon Dec 28, 2009 7:28 pm

why not php in templates

Post by craigeebach » Sun Jan 03, 2010 1:56 am

Is there any documentation explaining the reason that php is discouraged within phpbb templates? I'd like to understand the history and rationale. I'm wondering why I would want to invest in time and energy into what appears to be a proprietary phpbb template markup that is not all that well documented and not applicable outside of phpbb (let me know if I'm mistaken about this). For my project, I'd rather be able to use php directly in my template if I choose, as opposed to a roundabout template markup language which will essentially just write php for me. I don't want to turn my templates into PHP monstrosities by any means, but the idea of not allowing PHP in them seems counterintuitive and contrary to the spirit of PHP. I can decide myself how I wish to setup and pattern my MVC framework.

I realize phpbb3 allows insertion of php using this format:

Code: Select all

      <!-- PHP -->
         echo "hello!";
      <!-- ENDPHP -->
but I'm finding this odd - I'd rather just use standard php tags and not use an unusual comment syntax. If it's going to be allowed, why not just allow it, period. At this point I'm leaning towards commenting out the remove_php_tags function from functions_template.php and allowing myself to make the decision to use php directly or not from within a template. Would appreciate any perspective on this.

User avatar
onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: why not php in templates

Post by onehundredandtwo » Sun Jan 03, 2010 9:38 am

For a single project, I'm sure that's fine, but the setting for PHP is disabled because the processing should be done in the script, not the template, and also so that downloading styles doesn't become a security risk.

This might be helpful: http://wiki.phpbb.com/Using_the_phpBB3. ... ate_System

lampcms.com
Registered User
Posts: 11
Joined: Sat Jan 02, 2010 10:31 pm
Location: USA
Contact:

Re: why not php in templates

Post by lampcms.com » Sun Jan 03, 2010 6:17 pm

Ideally the template should not allow any type of php. The whole idea of a template is to separate html from php so that a web designer who does not know php could edit a template and a php programmer will just concentrate of programming and dont worry about the html.

craigeebach
Registered User
Posts: 5
Joined: Mon Dec 28, 2009 7:28 pm

Re: why not php in templates

Post by craigeebach » Mon Jan 04, 2010 12:03 am

Ideally the template should not allow any type of php. The whole idea of a template is to separate html from php so that a web designer who does not know php could edit a template and a php programmer will just concentrate of programming and dont worry about the html.
OK Thanks. So it sounds analogous to java in terms of java in servlets and jsp tags in jsp pages. Except you would never be prevented from opening up a jsp tag and writing java if you wish. So I guess at this point my only gripe is that you cannot do that with phpbb without hijacking the source code. Unless there is some security issue, I may take that route for my project.

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: why not php in templates

Post by Techie-Micheal » Mon Jan 04, 2010 12:26 am

craigeebach wrote:
Ideally the template should not allow any type of php. The whole idea of a template is to separate html from php so that a web designer who does not know php could edit a template and a php programmer will just concentrate of programming and dont worry about the html.
OK Thanks. So it sounds analogous to java in terms of java in servlets and jsp tags in jsp pages. Except you would never be prevented from opening up a jsp tag and writing java if you wish. So I guess at this point my only gripe is that you cannot do that with phpbb without hijacking the source code. Unless there is some security issue, I may take that route for my project.
It isn't a security issue if you are the one doing it, but like was mentioned earlier, phpBB.com cannot have templates that the public can download for free with unknown PHP in them. What better way to prevent execution of unknown PHP than to disable the ability to run PHP by default.
Proven Offensive Security Expertise. OSCP - GXPN

craigeebach
Registered User
Posts: 5
Joined: Mon Dec 28, 2009 7:28 pm

Re: why not php in templates

Post by craigeebach » Mon Jan 04, 2010 6:28 am

Right, ok thanks. Specifically I'm adding some custom pages to my board, which is a private community board for people that live in my housing complex. So I have a generic PHP MVC framework (kind of modeled after Apache Struts) that I've used for other things, and decided to apply this to my custom pages. I didn't like the idea of duplicating a lot of the standard stuff that I want to put into my custom pages (such as the includes, redirecting users that are not authenticated, etc). So my custom pages all flow through one controller page that forwards the requests to a biz logic layer. Each request has key parameter that is mapped to a handler class (there is an xml config file with all the mappings), which does the biz logic and sets up the model, which then can be used in the view (the template). The request handlers return a template page name to the controller page after processing the request, this is the name of the template (which then gets set to the "body" variable used by the phpbb template framework). The model objects are all class based items, and I want to access these in my templates. So this is why I'm enabling use of php in my templates. I think it may be too complicated to access and deal with the objects through the template markup. If php had a standard taglib like java (maybe it does, I don't know), I'd be inclined to use that.

One thing I'm realizing is that any custom pages I add are only available with the style that I add them to, which is the default my board is using. So it seems that any custom pages I add will only work for a given style, unless I copy them to all styles. It's not a problem for me since I can enforce the style for my board, but that seems like a potentially problematic limitation. I would have hoped my custom pages would go in some global location that could be applied to any style (since there is nothing style specific about these custom content pages other than assuming overall_header and overall_footer exists). Please let me know if I'm overlooking something. I've followed the basic tutorial for adding pages. http://wiki.phpbb.com/Add_custom_page

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: why not php in templates

Post by Techie-Micheal » Mon Jan 04, 2010 7:33 am

craigeebach wrote:Right, ok thanks. Specifically I'm adding some custom pages to my board, which is a private community board for people that live in my housing complex. So I have a generic PHP MVC framework (kind of modeled after Apache Struts) that I've used for other things, and decided to apply this to my custom pages. I didn't like the idea of duplicating a lot of the standard stuff that I want to put into my custom pages (such as the includes, redirecting users that are not authenticated, etc). So my custom pages all flow through one controller page that forwards the requests to a biz logic layer. Each request has key parameter that is mapped to a handler class (there is an xml config file with all the mappings), which does the biz logic and sets up the model, which then can be used in the view (the template). The request handlers return a template page name to the controller page after processing the request, this is the name of the template (which then gets set to the "body" variable used by the phpbb template framework). The model objects are all class based items, and I want to access these in my templates. So this is why I'm enabling use of php in my templates. I think it may be too complicated to access and deal with the objects through the template markup. If php had a standard taglib like java (maybe it does, I don't know), I'd be inclined to use that.
I'm not sure what you are using, but I once ported the phpBB3 template classes to Code Igniter, a PHP5 MVC framework. It worked largely the same way as phpBB. A request to a page is made, the corresponding template file is called, processed, and the page response is spit back out. Maybe I'm not understanding what you are getting at, but I don't see why it wouldn't work the same way. Which is very likely I'm not understanding, because it is late and I'm tired.
One thing I'm realizing is that any custom pages I add are only available with the style that I add them to, which is the default my board is using. So it seems that any custom pages I add will only work for a given style, unless I copy them to all styles. It's not a problem for me since I can enforce the style for my board, but that seems like a potentially problematic limitation. I would have hoped my custom pages would go in some global location that could be applied to any style (since there is nothing style specific about these custom content pages other than assuming overall_header and overall_footer exists). Please let me know if I'm overlooking something. I've followed the basic tutorial for adding pages. http://wiki.phpbb.com/Add_custom_page
Again, I'm probably not understanding you correctly. The page itself is available regardless, but it needs to have associated template file(s). Which styles you make those template file(s) available to is what gets affected.
Proven Offensive Security Expertise. OSCP - GXPN

User avatar
addaminsane
Registered User
Posts: 35
Joined: Sun Dec 17, 2006 12:43 am
Location: Kansas City Missouri
Contact:

Re: why not php in templates

Post by addaminsane » Mon Jan 04, 2010 7:56 am

I was wandering about this a while back but now it makes sense, now that i've went ahead and conquered some old habits.

craigeebach
Registered User
Posts: 5
Joined: Mon Dec 28, 2009 7:28 pm

Re: why not php in templates

Post by craigeebach » Mon Jan 04, 2010 9:09 pm

I'm not sure what you are using, but I once ported the phpBB3 template classes to Code Igniter, a PHP5 MVC framework. It worked largely the same way as phpBB. A request to a page is made, the corresponding template file is called, processed, and the page response is spit back out. Maybe I'm not understanding what you are getting at, but I don't see why it wouldn't work the same way. Which is very likely I'm not understanding, because it is late and I'm tired.
Sorry, I'm not explaining well, I'm just saying that I'm using a simple object based MVC framework to handle requests for my custom pages. This creates model objects that I access in my template pages. I want to work with the model objects in the template page, iterate over an array of Contacts for example. I think I'd rather just use PHP to do that instead of the phpbb template markup. The reason I'm using php instead is that I don't think I have enough time to learn the template markup and it isn't applicable outside of phpbb. If it were a universal php template markup, then I would probably want to learn it, or if I was developing phpbb custom templates on a frequent basis, I probaly would.

On the other point about custom pages only being valid for the current style. I'm using this tutorial: http://wiki.phpbb.com/Tutorial.Adding_pages, which contains this section on how to set your template:

Code: Select all

// Set the filename of the template you want to use for this file.
// This is the name of our template file located in /styles/<style>/templates/.
$template->set_filenames(array(
    'body' => 'my_template.html',
));
So for example I have to put my template file into prosilver_se because that is my boards style. But what if I want to change it later, or I allow my users to choose their own style. Wouldn't I have to add my template page to each possible style I have on my board? It would make more sense if the phpbb framework allowed me to put it in one place, and the template compiler would create the necessary page using the active style.

Post Reply

Return to “phpBB Discussion”