executable php-files in templates


Re: executable php-files in templates

Post by Kay » Sun Oct 04, 2009 7:35 pm

Made it into a snippet. Took me over an hour. A real pity that the php tag doesn't work, would have saved me a lot of time.

It works now, but the validation of the admin panel form doesn't produce the error I want. Minor issue, I don't care really, but maybe someone can check please?

Code:
    $form->add( array(
        'type' => 'text',
        'name' => 'ooo',
        'label' => "Chance",
        'value' => '5',
        'error' => 'Numbers greater than 1 please!',
        'text' => "Chances for red leaf are 1 : X. Enter X.",
        'size' => 8,
        'isrequired' => 1,
        'validation' => 'integer|min=2|max=any'
    ));


The whole snippet, in case someone is interested:

Code:
<?php

// - Extension: RORB snippet
// - Version: 1.0
// - Author: Kay Hermann
// - Email: KayHermann@gmx.net
// - Site: http://www.kay-hermann.de
// - Updatecheck: n/a
// - Description: 1 : X template class randomizer
// - Date: 2009-10-04
// - Identifier: rorb


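// This file is included from inside a method (hence $this below), so both
// variables must be declared global here to be reachable from the functions.
global $chance, $rorb_config;

// Defaults used when nothing has been saved in the admin panel yet.
$rorb_config = array(
    'rorb_folder' => "rorb",
    'ooo'         => 5
);

/**
 * Adds the hook for rorbAdmin()
 *
 * @see rorbAdmin()
 */
$this->addHook(
    'configuration_add',
    'rorb',
    array("rorbAdmin", "rorb")
);

/**
 * Adds the hook for the actual widget. We just use the same
 * as the snippet, in this case.
 */
$this->addHook(
    'widget',
    'rorb',
    "smarty_rorb"
);

// Register 'rorb' as a smarty tag.
$PIVOTX['template']->register_function('rorb', 'smarty_rorb');

function smarty_rorb($params, &$smarty) {

    // $rorb_config has to be listed here too, or the fallback below is empty.
    global $PIVOTX, $chance, $rorb_config;

    // Configured chance, falling back to the default above.
    $ooo = get_default($PIVOTX['config']->get('ooo'), $rorb_config['ooo']);

    // Do not rely on the form validation alone: mt_rand() needs an integer
    // upper bound, and the form asks for a value of at least 2.
    $ooo = max(2, (int) $ooo);

    $random = mt_rand(1, $ooo);

    // "_r" with a chance of 1 : $ooo, otherwise "_b".
    if ($random > 1) $output = "_b";
    else $output = "_r";

    return $output;
}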

function rorbAdmin(&$form_html) {
    global $PIVOTX, $chance;
 
   $form = $PIVOTX['extensions']->getAdminForm('rorb');

    $form->add( array(
        'type' => 'text',
        'name' => 'ooo',
        'label' => "Chance",
        'value' => '5',
        'error' => 'Numbers greater than 1 please!',
        'text' => "Chances for red leaf are 1 : X. Enter X.",
        'size' => 8,
        'isrequired' => 1,
        'validation' => 'integer|min=2|max=any'
    ));
   
    /**
     * Add the form to our (referenced) $form_html. Make sure you use the same key
     * as the first parameter to $PIVOTX['extensions']->getAdminForm
     */
    $form_html['rorb'] = $PIVOTX['extensions']->getAdminFormHtml($form, $chance);

}

?>
Kay
Contributor
 
Posts: 24
Joined: Sun Jan 11, 2009 10:48 pm

Re: executable php-files in templates

Post by hansfn » Mon Oct 05, 2009 6:14 am

Just some comments:

1) I just tested with
Code:
[[php]]include('templates/echo.inc');[[/php]]

where echo.inc contained a simple echo statement, and it worked without problems. Maybe there is a bug in your version of PivotX. Please try a newer one - see the "Any plans for a bug fix release?" forum thread.

2) Yes, the documentation for writing snippets is missing, but an hour? You didn't need any of the admin stuff - you had hardcoded "5" in your original PHP code anyway.

3) Allowing PHP in templates is discouraged in general because it opens doors to many problems. (Just look at all the security issues related to Wordpress templates.) Forcing people to write extensions/snippets raises the bar some ... and enables reuse.
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: executable php-files in templates

Post by Kay » Mon Oct 05, 2009 7:07 am

I basically copied more and more parts of snippets I found and added it to my code. When you don't know what is missing that causes the code to not work that's like the only thing to do. My understanding of php is very basic and I don't program regularly so I don't easily see what causes a bug. In the end it was a missing global statement. I thought making a variable global at the start of the file would make it available in the functions as well.

Anyway if you had pointed me to the bug fix thread right away (installing the newest version on the front page was like the first thing I did and apparently it had worked in earlier versions) that would maybe have saved me time. And I tried all kind of things, using .php instead of .inc (I was doing that at first, actually), ' instead of ", putting the php file in different places and so on.

The admin panel is actually useful for me as I can now adjust the chance of red leaves appearing directly in the PivotX software without making changes to the snippet. If something made writing the snippet worthwhile it was definitely the admin panel.

As for security, I understand that writing sloppy code might compromise the security of your site but one can write sloppy code in snippets as well. It just means it takes more time. The basic code is the same it's just lots of stuff built around it. That doesn't make it more secure. And I doubt a random function that conditionally calls echo statements could be a security problem anyway.

Since you mentioned Wordpress I tried that one out as well. I'm using Pivot for the flat database, on another site where I still had sql available I tried Wordpress. Actually I found that one too severely restricts my use of html even, not to speak of php. I prefer Pivot overall but I'd prefer more options to insert php directly into the entries in both PivotX and Wordpress. Templates too, of course. Just not the comments, obviously.
Kay
Contributor
 
Posts: 24
Joined: Sun Jan 11, 2009 10:48 pm

Re: executable php-files in templates

Post by hansfn » Mon Oct 05, 2009 8:20 am

If you had pasted valid PHP code in the forum post, I would have thought the problem was PivotX immediately and I would have told you to try the latest instead of wasting my time writing about missing "include". OK?

No, forcing people to write snippets doesn't make people write more secure code. However, forcing people to write snippets can stop the most clueless from even trying ...

PS! As far as I remember you can indeed write PHP in your posts when you have enabled PHP in your templates. (I guess we really should have had another setting "allow_php_in_posts" to control that.)
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
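
An added illustration of the design point debated in this thread (not PivotX code and not written by either poster): a toy renderer in which templates and entries can only invoke functions that an extension registered, so a [[php]] block is treated as plain text. The names register_tag, render and tag_rorb are hypothetical.

```php
<?php
// Added example, not PivotX code. All names here are hypothetical.
// Content can only trigger callbacks that an extension registered;
// nothing taken from a template or entry is ever evaluated as PHP.

$registry = array(); // tag name => callback

function register_tag(array &$registry, $name, $callback) {
    $registry[$name] = $callback;
}

// Stand-in for the thread's smarty_rorb(): "_r" with chance 1 : X, else "_b".
function tag_rorb(array $params) {
    $ooo = isset($params['ooo']) ? max(2, (int) $params['ooo']) : 5;
    return mt_rand(1, $ooo) > 1 ? '_b' : '_r';
}

function render($text, array $registry) {
    // Match [[name key=value ...]]; parameters are restricted to simple tokens.
    $pattern = '/\[\[([a-z_]+)((?:\s+[a-z_]+=[A-Za-z0-9_]+)*)\s*\]\]/';
    return preg_replace_callback($pattern, function ($m) use ($registry) {
        if (!isset($registry[$m[1]])) {
            // Unregistered tag (including [[php]]): leave it as inert text.
            return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        }
        $params = array();
        preg_match_all('/([a-z_]+)=([A-Za-z0-9_]+)/', $m[2], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $params[$p[1]] = $p[2];
        }
        return call_user_func($registry[$m[1]], $params);
    }, $text);
}

register_tag($registry, 'rorb', 'tag_rorb');

// Constructed sample inputs: a template line and an entry body.
$template = '<div class="leaf[[rorb ooo=5]]"></div>';
$entry    = "Hello [[php]]echo 'ran';[[/php]] world";

echo render($template, $registry), "\n"; // tag replaced by the callback's result
echo render($entry, $registry), "\n";    // [[php]] block stays literal text
```

With this shape, the set of code that content can reach is exactly the set of registered callbacks, which is what a reviewer has to audit.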

Re: executable php-files in templates

Post by Kay » Mon Oct 05, 2009 8:31 am

The PHP is valid, I tried it on my root, worked fine. The [[php]] tag code I posted was wrong but I tried it with the include as well, my first try was definitely with the complete statement. As I said I tried all possibilities. The one I posted was just the last attempt. And even with re-adding the include it didn't work.

I'm not saying you did anything wrong. I'm just saying you did not act in my best interest. Which is fine. I hope it's fine with you that I still am open about my evaluation of the situation. PivotX is a very useful tool and I don't expect it to be perfect because everyone has different needs. Easy customisability definitely helps meeting my needs. And so I'm a bit disappointed if a feature that's supposed to be there doesn't work for me.
Kay
Contributor
 
Posts: 24
Joined: Sun Jan 11, 2009 10:48 pm

Re: executable php-files in templates

Post by hansfn » Tue Oct 06, 2009 10:48 am

Code:
The [[php]] tag code I posted was wrong

Exactly. I didn't mean the PHP code that you tried to include. Sorry about the confusion.

Code:
I'm just saying you did not act in my best interest

Please, give me a break. I tried to help you - I just didn't remember that there was a problem in version 2.0.0 with this, and hence tried to find an error in your template code.

In your best interest, I will not help you any more.
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
