Help
Hello Friends,
I hired a web designer to complete some html task (for new awesome theme)
And the problem was we can't disclose, our php code of models/controller
What i had done? i created an ftp account on development machine with write permission only on view folder, from where he can edit the code,
As you know that user can run any php code and using that he can view model/controller code, to solve this issue we used a template engine named twig which is available as yii extension.
Now the security issue is that while using template engine user can read any php file by running php code inside CGridView
For example:
{{ this.widget('zii.widgets.grid.',{
......
......
'columns':[
{'name':'name', 'value':'$data->name.\'file_get_contents("filename.php")\''},
]
}, true) }}
Is there anyway to solve this issue?
Thanks in advance
Page 1 of 1
- You cannot start a new topic
-
This topic is locked
Security Issue In Yii (Templates)
Rate Topic:
#2
- Master Member
-
- Group: Members
- Posts: 702
- Joined: 23-October 10
- Location:Romania
Posted 14 January 2014 - 02:04 PM
Eval()'uated code will always behave like this.
#3
- Newbie
- Group: Members
- Posts: 5
- Joined: 04-December 13
Posted 14 January 2014 - 05:08 PM
twisted1919, on 14 January 2014 - 02:04 PM, said:
Eval()'uated code will always behave like this.
Thanks for reply,
Is there any workaround?
#4
- Advanced Member
-
- Group: Yii Dev Team
- Posts: 572
- Joined: 16-July 10
- Location:Berlin. Germany
Posted 15 January 2014 - 02:11 AM
Not for PHP. You might want your designer to sign an NDA so that he may see your code.
#5
- Standard Member
-
- Group: Members
- Posts: 243
- Joined: 09-December 12
Posted 15 January 2014 - 10:38 AM
is it ok to give the html output of each page to your designer so that he can make the css?
Afterall the designers will be working with html and scripts.
Afterall the designers will be working with html and scripts.
Share this topic:
Page 1 of 1
- You cannot start a new topic
-
This topic is locked