Shadi Smarty Rookie
Joined: 15 Aug 2005 Posts: 5 Location: EGY
|
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Aug 23, 2005 10:15 am Post subject: Re: The Best way to hide your templates (.tpl files) |
|
|
Shadi wrote: | when the smarty reads this file it won't output the <?php because the {literal} tags |
that's plain wrong.
the best way to protect your templates is to make them inaccessible from the web (read: put them out of the DocumentRoot). period. |
|
Shadi Smarty Rookie
Joined: 15 Aug 2005 Posts: 5 Location: EGY
|
|
amagondes Smarty Rookie
Joined: 18 Oct 2005 Posts: 5
|
Posted: Tue Oct 18, 2005 1:33 am Post subject: |
|
|
I agree with messju, but if you don't want to do it that way for whatever reason, this has proven to be pretty effective for me:
To hide my templates I just do something like this:
1) think of a random string
2) create a directory named the value of md5("myRandomString").
3) $smarty->template_dir = md5("myRandomString") . '/';
In my opinion, if someone wants to see your templates bad enough to figure that out, then just let em see it
Hope that helps someone out!
aj |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Oct 18, 2005 6:59 am Post subject: |
|
|
amagondes wrote: | 3) $smarty->template_dir = md5("myRandomString") . '/';
|
that's security by obscurity. i wouldn't want to make my business rely on it. |
|
amagondes Smarty Rookie
Joined: 18 Oct 2005 Posts: 5
|
Posted: Tue Oct 18, 2005 2:02 pm Post subject: |
|
|
Quote: | that's security by obscurity. i wouldn't want to make my business rely on it. |
Are you saying that is less secure than $smarty->template_dir = "templates/" or some random name like $smarty->template_dir = "563tyrfc2842a/"? or are you just saying that any template dir no matter what the name is, is a security issue unless outside the document root?
thanks
aj |
|
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
|
Posted: Tue Oct 18, 2005 3:21 pm Post subject: |
|
|
amagondes wrote: | Are you saying that is less secure than $smarty->template_dir = "templates/" or some random name like $smarty->template_dir = "563tyrfc2842a/"? or are you just saying that any template dir no matter what the name is, is a security issue unless outside the document root? |
The latter. Moving the directory out of doc root eliminates direct access, and nullifies the necessity for directory name obfuscation. As for security issues, direct access to template files does not impose a threat to Smarty technically, but maybe you have your own business concerns about it. |
|
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
|
|
amagondes Smarty Rookie
Joined: 18 Oct 2005 Posts: 5
|
Posted: Tue Oct 18, 2005 3:29 pm Post subject: |
|
|
mohrt wrote: |
The latter. Moving the directory out of doc root eliminates direct access, and nullifies the necessity for directory name obfuscation. As for security issues, direct access to template files does not impose a threat to Smarty technically, but maybe you have your own business concerns about it. |
Thanks for clearing that up, I just wanted to make sure I was not going completely brain dead |
|
synt4x Smarty Rookie
Joined: 02 Aug 2005 Posts: 14
|
Posted: Wed Oct 26, 2005 7:12 pm Post subject: |
|
|
Alternatively, you could prevent access to the files if you are stuck inside of your document root:
Put this in a '.htaccess' file inside of your templates folder
Order Allow,Deny
Deny from All |
|
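As an added example (not code from any poster or from the Smarty project), this PHP deploy-time check classifies each Smarty directory as outside the DocumentRoot, inside it but carrying a deny-all .htaccess, or exposed. The function names and the temporary directory layout are assumptions constructed for the illustration.

```php
<?php
// Added example: function names and the sample layout are hypothetical.
/** True if $dir resolves to a location at or below $docroot. */
function inside_docroot(string $dir, string $docroot): bool
{
    $d = realpath($dir);
    $r = realpath($docroot);
    if ($d === false || $r === false) {
        throw new RuntimeException("cannot resolve $dir or $docroot");
    }
    $r = rtrim($r, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($d . DIRECTORY_SEPARATOR, $r, strlen($r)) === 0;
}

// True if $dir holds an .htaccess with a deny-all line (Apache 2.2 or 2.4
// syntax). Simplified: does not evaluate Allow lines or parent overrides.
function htaccess_denies_all(string $dir): bool
{
    $file = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    $re   = '/^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$/mi';
    return is_file($file) && preg_match($re, file_get_contents($file)) === 1;
}

/** Classify one Smarty directory as 'outside', 'denied' or 'EXPOSED'. */
function classify(string $dir, string $docroot): string
{
    if (!inside_docroot($dir, $docroot)) {
        return 'outside';
    }
    return htaccess_denies_all($dir) ? 'denied' : 'EXPOSED';
}

// Constructed sample layout under the system temp directory.
$base    = sys_get_temp_dir() . '/smarty_check_' . uniqid();
$docroot = "$base/htdocs";
$dirs = [
    'template_dir' => "$base/smarty/templates",            // out of docroot
    'compile_dir'  => "$docroot/templates_c",              // gets .htaccess
    'obscured_dir' => "$docroot/" . md5('myRandomString'), // renamed only
];
foreach ($dirs as $d) {
    mkdir($d, 0700, true);
}
file_put_contents("$docroot/templates_c/.htaccess", "Order Allow,Deny\nDeny from All\n");
foreach ($dirs as $name => $d) {
    printf("%-13s %s\n", $name, classify($d, $docroot));
}
```

A deny-all .htaccess only takes effect when the server is Apache and AllowOverride permits the directive, so "denied" here means the file is present, not that the server honours it.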
sayian Smarty Rookie
Joined: 20 Aug 2005 Posts: 26
|
Posted: Wed Mar 08, 2006 2:44 am Post subject: |
|
|
Also, please note that if you ever want to disable error reporting, this method will prove trivial. |
|
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
|
Posted: Wed Mar 08, 2006 5:41 am Post subject: |
|
|
I don't advocate this method but in fairness, you can turn off error reporting without affecting parse errors: they occur despite the error reporting level. |
|
iriePub Smarty Regular
Joined: 16 Jun 2006 Posts: 53
|
Posted: Fri Jun 16, 2006 1:42 pm Post subject: |
|
|
why not just place a .htaccess file with the following contents into the templates / compiled / cached directory:
Code: |
Order Deny,Allow
deny from all
|
?
edit:
synt4x wrote: | Alternatively, you could prevent access to the files if you are stuck inside of your document root:
Put this in a '.htaccess' file inside of your templates folder
Order Allow,Deny
Deny from All |
Sorry, I didn't see this before I posted it ... |
|
Jafo Smarty Rookie
Joined: 22 Aug 2005 Posts: 20
|
Posted: Mon Jul 10, 2006 5:16 pm Post subject: |
|
|
You could just put your templates in a database, making them unavailable to the web period.
If someone has access to your MySQL database, well, you're already compromised so access to your templates is the least of your problems.
More info here:
http://smarty.php.net/manual/en/template.resources.php |
|
human Smarty Rookie
Joined: 21 Oct 2005 Posts: 12 Location: Helldorado
|
Posted: Tue Jul 25, 2006 8:25 am Post subject: |
|
|
synt4x wrote: | Alternatively, you could prevent access to the files if you are stuck inside of your document root:
Put this in a '.htaccess' file inside of your templates folder
Order Allow,Deny
Deny from All |
or by mod_rewrite
RewriteEngine On
RewriteRule your/path/to/templates/(.*)\.html / [R]
html means your templates' extension |
|