Security Issue In Yii (Templates)

Hello Friends,

I hired a web designer to complete some HTML tasks (for a new awesome theme).

The problem was that we can't disclose our PHP code of the models/controllers.

What had I done? I created an FTP account on the development machine with write permission only on the view folder, from where he can edit the code.

As you know, the user can run any PHP code, and using that he can view the model/controller code. To solve this issue we used a template engine named Twig, which is available as a Yii extension.

Now the security issue is that, while using the template engine, the user can read any PHP file by running PHP code inside CGridView.

For example:

{{ this.widget('zii.widgets.grid.',{
    'columns':[
        {'name':'name', 'value':'$data->name.\'file_get_contents("filename.php")\''},
    ]
}, true) }}

Is there any way to solve this issue?

Thanks in advance

Eval()'uated code will always behave like this.

Thanks for the reply,

Is there any workaround?

Not for PHP. You might want your designer to sign an NDA so that he may see your code.

Is it OK to give the HTML output of each page to your designer so that he can make the CSS?

After all, the designers will be working with HTML and scripts.
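
A review gate for designer-edited templates, as an added example that is not part of the original thread or of Yii: it flags widget calls and string-valued options that Yii 1.x evaluates as PHP, like the `value` column in the snippet quoted in the first post, so a developer can inspect them before deployment. The function name `scan_template` and the key list are assumptions, and a clean result does not prove a template safe.

```python
import re

# Matches calls such as this.widget(...) / this.beginWidget(...) in a template.
WIDGET_CALL = re.compile(r"\bthis\s*\.\s*(widget|beginWidget)\s*\(")

# Hash keys whose *string* values Yii 1.x hands to eval(): 'value' and the
# '...Expression' options. Heuristic list (an assumption), not exhaustive.
EVAL_STRING = re.compile(
    r"""['"](value|\w*Expression)['"]\s*:\s*(['"])((?:\\.|(?!\2).)*)\2""",
    re.S,
)


def scan_template(text):
    """Return sorted (line, kind, detail) findings for one template's text."""
    def line_of(offset):
        return text.count("\n", 0, offset) + 1

    findings = [(line_of(m.start()), "widget-call", m.group(1))
                for m in WIDGET_CALL.finditer(text)]
    findings += [(line_of(m.start()), "eval-string", m.group(1))
                 for m in EVAL_STRING.finditer(text)]
    return sorted(findings)


# Constructed sample built around the snippet quoted in the thread
# (class name left truncated exactly as posted).
SAMPLE_FROM_POST = r"""<h1>Users</h1>
{{ this.widget('zii.widgets.grid.',{
    'columns':[
        {'name':'name', 'value':'$data->name.\'file_get_contents("filename.php")\''},
    ]
}, true) }}
"""

# Constructed sample: plain Twig output only, nothing evaluated as PHP.
CLEAN_SAMPLE = "<ul>{% for u in users %}<li>{{ u.name }}</li>{% endfor %}</ul>\n"

if __name__ == "__main__":
    for name, tpl in (("post", SAMPLE_FROM_POST), ("clean", CLEAN_SAMPLE)):
        for line, kind, detail in scan_template(tpl):
            print(f"{name}:{line}: {kind} ({detail})")
```

The check is deliberately conservative: any `value` key with a string is reported, including harmless ones, because the decision belongs to the reviewing developer.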