安全问题将php写入文件

I'm creating code that allows me to create a libary of templates from the backend of my CMS website. I create them in a textarea and then write them to a database.

I then get a text string from a database and then save it to a file people.php.

            $text='<?php echo\'<div class="tileContainer three_across_homePage">
              <div class="tileBox three_across_box_0_homePage">
                <div class="tileModule three_across_module_0_homePage">
                <a href="\'.$holder[0].\'"><img src="\'.$holder[1].\'" alt="\'.$holder[2].\'" />
                  <div class="centeredHomePage">
                    \'.$holder[2].\'
                    <p>&nbsp;</p>
                    </a> </div>
                </div>
              </div>\';';

            $file = 'people.php';
            $current = file_get_contents($file);
            $current = $text;
            file_put_contents($file, $current);

I then include this file in subsequent code which creates and uses the $holder array to fill in the place holders $holder[0], $holder[1] etc

The text string is written to the database from the admin area of a CMS.

The other obvious way to do this would be eval but that would be a big security risk.

So I'm wondering if the security risk is still too big and I should just write php files that are stored on the server directly. However the trouble with this approach is how to update multiple site that are using the templates.

thanks

doukai1226
doukai1226 我想我可以做占位符然后更改它们的变量,这将允许我为字符串做一个文本文件。我会试试的
一年多之前 回复
dongxin5054
dongxin5054 允许PHP应用程序在Web根目录中创建PHP文件肯定存在安全风险。如果您正在创建模板-可能是HTML和CSS,也许是一些JS,那么为什么必须创建PHP文件?编写HTML代码段并让PHP代码加载HTML并将参数合并到其中有什么问题?
一年多之前 回复
duanmaduan1848
duanmaduan1848 维护开销确实超过了这里的安全问题。要么预先填充值并存储为html,要么使用任何简单的模板引擎。
一年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐