| View previous topic :: View next topic |
| Author |
Message |
m-lee
Smarty Rookie
Joined: 17 Mar 2004
Posts: 31
|
 Posted: Thu Dec 13, 2007 10:10 pm Post subject: NULL in IF statement secure mode |
 |
|
Hi,
is there any possibility how i can say that NULL is allowed in
security_settings ['IF_FUNCS'] ?
Currently im getting this error:
| Code: |
Fatal error: Smarty error: [in list.inc line 29]: syntax error: (secure mode) 'NULL' not allowed in if statement (Smarty_Compiler.class.php, line 1385) in F:\intranet\htdocs\myproject\lib\smarty\Smarty.class.php on line 1095
|
For a statement like this:
| Code: |
{if $MYARRAY[j][i].name != NULL}
|
I know i could use an other syntax but i dont want to to this due to several reasons.
One is that i have a few hundert templates using this syntax 
Also an other question:
Is there the possibility to disable {php}{/php} but allow all other things in
security_settings ? Again i have the problem of the very huge template set which make a lot of use of modifiers / funcs / constants etc.
And if i have to scan all thoose templates im gooing to be lazy.
Or any way to get all modifiers / funcs / constants used in all templates without watching them all manualy? Any idea?
Or blacklisting insteed of whitelisting.
I know this is not a good idea due to security related aspects but may be helpfull in some cases.
Thanks for your help! |
|
| Back to top |
|
m-lee
Smarty Rookie
Joined: 17 Mar 2004
Posts: 31
|
| Posted: Thu Dec 13, 2007 10:46 pm Post subject: |
|
|
Well i made a prefilter now to get rid of the
{php} tags
maybe someone else needs this too:
| Code: |
function removePHPTagsFromTemplate($tplContent, &$smarty)
{
$toReplace = array('{php}','{/php}');
$replaceWIth = array('{ldelim}php{rdelim}', '{ldelim}/php{rdelim}');
$tplContent = str_ireplace($toReplace, $replaceWIth, $tplContent);
return ($tplContent);
}
|
And then register it
| Code: |
$Smarty->register_prefilter('removePHPTagsFromTemplate');
|
But that is not the solution im happy with 
And still i cant activate security due to the NULL problem and the other reasons mentioned above.
Well i just wanted to post this prefilter. Would be nice if someone can awnser my questions from the previous thread.
Thank you and regards! |
|
| Back to top |
|
Celeb
Administrator
Joined: 17 Apr 2007
Posts: 1025
Location: Vienna
|
| Posted: Fri Dec 14, 2007 12:02 am Post subject: |
|
|
Have you tried adding 'NULL' to $security_settings['IF_FUNCS']?
After a quick glance at the Smarty_Compiler.class.php file that should do the trick. What version of Smarty do you use btw? In my version (2.6.1 that syntax error gets thrown in line 1396, not in line 1385 as it is stated in your error message.
If adding 'NULL' to the array doesn't help I guess the only way to deal with it would be a prefilter. Either the one you posted yourself to remove the {php} Tags without need for $security or some filter that rewrites all your
| Code: | | {if $variable == NULL} |
to | Code: | | {if is_empty($variable)} |
or something similar.
_________________
Darn computers always do what I tell them to instead of what I want them to do. |
|
| Back to top |
|
m-lee
Smarty Rookie
Joined: 17 Mar 2004
Posts: 31
|
| Posted: Fri Dec 14, 2007 2:08 am Post subject: |
|
|
| Celeb wrote: | Have you tried adding 'NULL' to $security_settings['IF_FUNCS']?
|
Yes i tried this without success. Even tried in constants etc.
| Celeb wrote: |
After a quick glance at the Smarty_Compiler.class.php file that should do the trick. What version of Smarty do you use btw? In my version (2.6.1 that syntax error gets thrown in line 1396, not in line 1385 as it is stated in your error message.
|
The latest i just added some not important lines.
| Celeb wrote: |
or some filter that rewrites all your
| Code: | | {if $variable == NULL} |
to | Code: | | {if is_empty($variable)} |
or something similar. |
That must be a very powerfull reg expression. I doubt this will work for all cases |
|
| Back to top |
|
Celeb
Administrator
Joined: 17 Apr 2007
Posts: 1025
Location: Vienna
|
| Posted: Fri Dec 14, 2007 2:29 am Post subject: |
|
|
Well when you already started editing Smarty files you could just add
right after
| Code: | case '*':
case '/':
case '@': |
This must be lowercase, since it gets strtolowered in the switch().
About the regex .. http://xkcd.com/208/ 
_________________
Darn computers always do what I tell them to instead of what I want them to do. |
|
| Back to top |
|
m-lee
Smarty Rookie
Joined: 17 Mar 2004
Posts: 31
|
| Posted: Fri Dec 21, 2007 6:43 pm Post subject: |
|
|
well i did not edited any kogic in the files and wont do so.
Anyhow any other ideas? Is this maybe a feature smarty is missing? |
|
| Back to top |
|
boots
Administrator
Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada
|
| Posted: Sat Dec 22, 2007 1:07 am Post subject: |
|
|
Have you tried using null (lowercase) instead of NULL? Smarty is case-sensitive and the permitted intrinsic tokens are defined in the compiler as the following literals: true, false, yes, no, on, off, null.
So the error you are getting is actually due to the fact that Smarty sees your NULL as a function name rather than seeing it as the token null that you intended. Or so I suppose
It seems to me that this is perhaps not documented well in the manual. Hmmm. |
|
| Back to top |
|
|
