The Best way to hide your templates (.tpl files)
Shadi
Smarty Rookie


Joined: 15 Aug 2005
Posts: 5
Location: EGY

Posted: Tue Aug 23, 2005 10:06 am    Post subject: The Best way to hide your templates (.tpl files)

Here is the best way to protect your templates whatever it was Very Happy

just rename your files to .php instead of .tpl

and always add the php opening tag <?php at the top, but surround it with an if condition "{if $non_exists_var == 1}<?php{/if}" Wink

here is an example of hidden smarty template file
Code:

{if $non_exists_var == 1}
<?php
{/if}

<P> I'm hidden template :P </P>



when the smarty read this file it won't output the <?php because the $non_exists_var isn't assigned.

and also you can edit it with any editor as it was .tpl

and now if anyone is trying to view your templates directly, the following error will appear
Code:

Parse error: syntax error, unexpected '/' in test.php on line 3


Enjoy Wink


Last edited by Shadi on Wed May 05, 2010 10:48 pm; edited 3 times in total
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Tue Aug 23, 2005 10:15 am    Post subject: Re: The Best way to hide your templates (.tpl files)

Shadi wrote:
when the smarty read this file it won't output the <?php because the {literal} tags


that's plain wrong.

the best way to protect your templates is to make them inaccessible from the web (read: put them out of the DocumentRoot). period.
Shadi
Smarty Rookie


Joined: 15 Aug 2005
Posts: 5
Location: EGY

Posted: Tue Aug 23, 2005 10:36 am

Thanks messju, I've changed it, and it now also works Razz

Last edited by Shadi on Wed May 05, 2010 10:48 pm; edited 1 time in total
amagondes
Smarty Rookie


Joined: 18 Oct 2005
Posts: 5

Posted: Tue Oct 18, 2005 1:33 am

I agree with messju, but if you don't want to do it that way for whatever reason, this has proven to be pretty effective for me:

To hide my templates I just do something like this:

1) think of a random string

2) create a directory named the value of md5("myRandomString").

3) $smarty->template_dir = md5("myRandomString") . '/';


In my opinion, if someone wants to see your templates bad enough to figure that out, then just let em see it Wink

Hope that helps someone out!

aj
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Tue Oct 18, 2005 6:59 am

amagondes wrote:
3) $smarty->template_dir = md5("myRandomString") . '/';


that's security by obscurity. i wouldn't want to make my business rely on it.
amagondes
Smarty Rookie


Joined: 18 Oct 2005
Posts: 5

Posted: Tue Oct 18, 2005 2:02 pm

Quote:
that's security by obscurity. i wouldn't want to make my business rely on it.


Are you saying that is less secure than $smarty->template_dir = "templates/" or some random name like $smarty->template_dir = "563tyrfc2842a/"? or are you just saying that any template dir no matter what the name is, is a security issue unless outside the document root?

thanks

aj
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Tue Oct 18, 2005 3:21 pm

amagondes wrote:
Are you saying that is less secure than $smarty->template_dir = "templates/" or some random name like $smarty->template_dir = "563tyrfc2842a/"? or are you just saying that any template dir no matter what the name is, is a security issue unless outside the document root?


The latter. Moving the directory out of doc root eliminates direct access, and nullifies the necessity for directory name obfuscation. As for security issues, direct access to template files does not impose a threat to Smarty technically, but maybe you have your own business concerns about it.
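The layout messju and mohrt recommend can be checked at bootstrap, before any directory is assigned to properties such as `$smarty->template_dir`. The PHP below is an added example, not code from the thread or from Smarty: it reports which configured directories still resolve inside the document root. The function names and all paths are assumptions constructed for the demo.

```php
<?php
// Added example, not from the thread. Function names and paths are hypothetical.

/** True when $path resolves to $root or to something beneath it. */
function is_inside(string $path, string $root): bool
{
    $p = realpath($path);   // resolves symlinks and ".." segments
    $r = realpath($root);
    if ($p === false || $r === false) {
        return true;        // cannot resolve the path: fail closed
    }
    $r = rtrim($r, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with a trailing separator so /srv/www2 is not "inside" /srv/www.
    return strncmp($p . DIRECTORY_SEPARATOR, $r, strlen($r)) === 0;
}

/** Names of the configured directories that are inside the document root. */
function exposed_dirs(array $dirs, string $docroot): array
{
    $bad = [];
    foreach ($dirs as $name => $path) {
        if (is_inside($path, $docroot)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed demo layout under the system temp directory.
$base = sys_get_temp_dir() . '/smarty_layout_' . getmypid();
foreach (['public/templates', 'public_old/templates', 'smarty/templates_c'] as $d) {
    mkdir("$base/$d", 0700, true);
}

// A real front controller would pass $_SERVER['DOCUMENT_ROOT'] here.
$docroot = "$base/public";
$dirs = [
    'template_dir' => "$base/public/templates",             // inside the docroot
    'config_dir'   => "$base/public_old/templates",         // sibling with a shared prefix
    'compile_dir'  => "$base/public/../smarty/templates_c", // resolves outside
];

// Lists every directory that a browser could request directly.
print_r(exposed_dirs($dirs, $docroot));
```

The check only covers the paths handed to it; a symlink placed inside the document root that points at the template directory is outside its scope.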
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Tue Oct 18, 2005 3:27 pm

Some discussions we have over-and-over: http://www.phpinsider.com/smarty-forum/viewtopic.php?t=5475&highlight=security+template+directory
amagondes
Smarty Rookie


Joined: 18 Oct 2005
Posts: 5

Posted: Tue Oct 18, 2005 3:29 pm

mohrt wrote:

The latter. Moving the directory out of doc root eliminates direct access, and nullifies the necessity for directory name obfuscation. As for security issues, direct access to template files does not impose a threat to Smarty technically, but maybe you have your own business concerns about it.


Thanks for clearing that up, I just wanted to make sure I was not going completely brain dead Confused
synt4x
Smarty Rookie


Joined: 02 Aug 2005
Posts: 14

Posted: Wed Oct 26, 2005 7:12 pm

Alternatively, you could prevent access to the files if you are stuck inside of your document root:

Put this in a '.htaccess' file inside of your templates folder

Order Allow,Deny
Deny from All
sayian
Smarty Rookie


Joined: 20 Aug 2005
Posts: 26

Posted: Wed Mar 08, 2006 2:44 am

Also, please note that if you ever want to disable error reporting, this method will prove trivial.
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Wed Mar 08, 2006 5:41 am

I don't advocate this method but in fairness, you can turn off error reporting without affecting parse errors: they occur despite the error reporting level.
iriePub
Smarty Regular


Joined: 16 Jun 2006
Posts: 53

Posted: Fri Jun 16, 2006 1:42 pm

why not just place a .htaccess file with the following contents into the templates / compiled / cached directory:

Code:

Order Deny,Allow
Deny from all


?

edit:
synt4x wrote:
Alternatively, you could prevent access to the files if you are stuck inside of your document root:

Put this in a '.htaccess' file inside of your templates folder

Order Allow,Deny
Deny from All

Sorry, I didn't see this before I posted it ...
Jafo
Smarty Rookie


Joined: 22 Aug 2005
Posts: 20

Posted: Mon Jul 10, 2006 5:16 pm

You could just put your templates in a database, making them unavailable to the web period.

If someone has access to your MySQL database, well, you're already compromised so access to your templates is the least of your problems.

More info here:

http://smarty.php.net/manual/en/template.resources.php
human
Smarty Rookie


Joined: 21 Oct 2005
Posts: 12
Location: Helldorado

Posted: Tue Jul 25, 2006 8:25 am

synt4x wrote:
Alternatively, you could prevent access to the files if you are stuck inside of your document root:

Put this in a '.htaccess' file inside of your templates folder

Order Allow,Deny
Deny from All


or by mod_rewrite

RewriteEngine On
RewriteRule your/path/to/templates/(.*).html / [R]

html means your template extension