executable php-files in templates


Postby docman » Wed Jun 03, 2009 7:40 pm

Hi, can one include an executable php-script in a template directory? I get this notice at the Dashboard:

"There's an executable file in one of the 'open' folders. You should remove this file immediately: templates/skinny/script_banner_rotator.php.
If you do not know where this file came from, please report this incident on our Forum. Please keep a back-up copy of the file for our inspection."

The way I execute it is this in a side template html-file:

[[php]]include("templates/skinny/script_banner_rotator.php");[[/php]]

Many thanks for your help in advance.
docman
 
Posts: 33
Joined: Sun Apr 13, 2008 12:11 pm

Re: executable php-files in templates

Postby Kevin » Wed Jun 03, 2009 8:29 pm

I just added a banner rotator (written by Matt Mullenweg) to Lacsap.ca and overcame this problem by adding rotator.php to the pivotx/ directory. If you use it the way I have, remember to edit the following line to reflect your rotator image folder location:

Default code:
$folder = '';

The code I used:
$folder = 'templates/digital_summer/images/header/';

In my example I was using the Digital Summer theme and created a folder called 'header' in the template images directory to store the images I wanted to use with rotator. :)

Hope that helps.
Kevin
Administrator
 
Posts: 106
Joined: Tue Nov 20, 2007 9:58 pm
Location: Nova Scotia, Canada

Re: executable php-files in templates

Postby docman » Wed Jun 03, 2009 10:06 pm

Thanks, it looks like a nice solution. I will try it soon.

Thanks again.
docman
 
Posts: 33
Joined: Sun Apr 13, 2008 12:11 pm

Re: executable php-files in templates

Postby hansfn » Sat Jun 06, 2009 6:06 am

Just a comment related to

"There's an executable file in one of the 'open' folders. You should remove this file immediately: templates/skinny/script_banner_rotator.php.
If you do not know where this file came from, please report this incident on our Forum. Please keep a back-up copy of the file for our inspection."

You shouldn't ignore this. Replace the "php" extension with "inc" so other people can't run the PHP script directly.
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
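
A sketch of the kind of check behind the Dashboard notice quoted above, as an added example (not PivotX's own code, whose real check may differ). The function name, the extension list and the sample folder layout are assumptions made for illustration.

```php
<?php
// Added example, not PivotX code. EXECUTABLE_EXTS is an assumed list of
// extensions a web server may hand to an interpreter.
const EXECUTABLE_EXTS = ['php', 'php3', 'php4', 'php5', 'phtml', 'cgi', 'pl'];

/**
 * Return the paths (relative to $dir, no trailing slash) of files whose
 * name carries an executable extension.
 */
function find_executables(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Look at every dot-separated part after the base name, so that a
        // name like "photo.php.jpg" is reported as well: some handler
        // configurations treat such a file as PHP.
        $parts = explode('.', strtolower($file->getFilename()));
        array_shift($parts);
        if (array_intersect($parts, EXECUTABLE_EXTS)) {
            $hits[] = substr($file->getPathname(), strlen($dir) + 1);
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree standing in for the web-accessible 'open' folders.
$root = sys_get_temp_dir() . '/open_dirs_' . uniqid();
mkdir("$root/templates/skinny", 0700, true);
mkdir("$root/images", 0700, true);
file_put_contents("$root/templates/skinny/script_banner_rotator.php", "<?php\n");
file_put_contents("$root/templates/skinny/script_banner_rotator.inc", "<?php\n");
file_put_contents("$root/templates/skinny/frontpage_template.html", "");
file_put_contents("$root/images/photo.php.jpg", "");

// Reports images/photo.php.jpg and templates/skinny/script_banner_rotator.php;
// the .inc copy and the .html template are not reported.
foreach (find_executables($root) as $path) {
    echo "Executable file in an open folder: $path\n";
}
```

Renaming the script to .inc takes it off this list, but a web server that does not map .inc to PHP will normally serve the file as plain text, so its source stays readable to anyone who requests it.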

Re: executable php-files in templates

Postby docman » Sat Jun 06, 2009 8:48 am

I see. But what if I want to run php-script myself, using the [[php]] tag? Where can I store the php-script, then? Or do you mean renaming the script with the .inc extension and include it still with the [[php]]-tag?

Thanks.
docman
 
Posts: 33
Joined: Sun Apr 13, 2008 12:11 pm

Re: executable php-files in templates

Postby hansfn » Sat Jun 06, 2009 4:26 pm

"Or do you mean renaming the script with the .inc extension and include it still with the [[php]]-tag?"

Yes.
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: executable php-files in templates

Postby Kay » Sun Oct 04, 2009 10:08 am

For some reason this tag doesn't work for me. :(

I'm using a short php script called rorb.inc to return a string to modify a class name:

<?php

$random = mt_rand(1, 5);

if($random > 1) echo "_b";
else echo "_r";

?>


This should be added to the incomplete class name in entrypage_template.html, like this:

<div class="lefttitle[[php]]('templates/newsite/include/rorb.inc');[[/php]]"></div><h1></h1>


When I open an entry the source doesn't show any output by the php code:

<div class="lefttitle"></div><h1></h1>


allow_php_in_templates is set to 1 in the advanced administration panel.

Any idea why it doesn't work? Thanks in advance.

PS: I can post the full source for the template and a link to an example page if you need them. Just wasn't sure if it's necessary.
Kay
Contributor
 
Posts: 24
Joined: Sun Jan 11, 2009 10:48 pm

Re: executable php-files in templates

Postby hansfn » Sun Oct 04, 2009 4:36 pm

[[php]]('templates/newsite/include/rorb.inc');[[/php]]

isn't correct, is it? Don't you miss "include"?

PS! I strongly discourage using/allowing PHP directly in the templates - write a snippet instead.
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: executable php-files in templates

Postby Kay » Sun Oct 04, 2009 4:57 pm

Thanks for the heads up. I copied the whole statement and made the necessary adjustments. No idea when the include did go missing.

I reinserted it now. Didn't fix it though.

<div class="lefttitle[[php]]include('templates/newsite/include/rorb.inc');[[/php]]"></div><h1></h1>


PHP in templates shouldn't be a risk since I'm the one who writes them, right? As for snippets, I never made one. Can you easily turn the above code (which is rather short as it is) into a snippet? Using PHP directly would allow me to make quick adjustments. So if it's available I want to use it too.
Kay
Contributor
 
Posts: 24
Joined: Sun Jan 11, 2009 10:48 pm

Re: executable php-files in templates

Postby Schop » Sun Oct 04, 2009 6:54 pm

I'd like to know more about that too. Why exactly is it risky to put php files in your templates? I know this goes beyond the scope of this forum, but I'm just interested...
Schop
Contributor
 
Posts: 485
Joined: Mon Apr 21, 2008 1:47 pm
Location: Hudson, Ohio
