This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
#1 / Jun 23, 2008 5:40pm
Hey everyone,
I am just curious what type of security hacks can happen with php enabled in templates. I am not trying to hack an EE site, I am just curious about the types of attacks that can happen with php enabled.
thanks,
Adam
#2 / Jun 23, 2008 5:49pm
Well, the issue is mainly this: if you allow non-superadmins to edit a template with PHP enabled, they could easily do things that you wouldn’t want them to do, just by using PHP. If you trust your users, this is not much of an issue. But still, a line of PHP would allow them to access the whole database and modify anything in there, from posting a new article to making themselves or other users superadmins.
Moved to General.
#3 / Jun 23, 2008 6:38pm
So if I do not allow anyone but myself to edit templates, then it’s relatively safe to allow PHP in the templates, correct? That is assuming that the PHP code itself is safe.
#4 / Jun 23, 2008 6:41pm
Yes, it is. If you do not share template access with anyone, and your code itself is safe, I see no additional risk in allowing PHP.
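The two conditions in #4 (nobody else edits templates, and the PHP you wrote is safe) are easy to state but drift over time, so here is a small audit script as an added example; it is not code from the thread or from ExpressionEngine. It assumes templates are saved as files under one directory and that the admin keeps an allowlist of SHA-256 digests for the templates that legitimately contain PHP (in the constructed sample, one contact template). Any other template carrying a PHP open tag, or an allowed one whose content changed since the digest was recorded, is reported. The template contents, tag names and paths are constructed for illustration.

```python
"""Audit template files for embedded PHP (added example, not from the thread).

Assumes templates are saved as files under one directory and that the admin
keeps an allowlist of SHA-256 digests for the templates that legitimately
contain PHP (assumption: the site's own contact template). Any other template
with a PHP open tag, or an allowed one whose content changed, is reported.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# <?php, <?= and the bare short tag "<? " (any whitespace). "<?xml" is not
# matched, so an RSS/Atom template's XML prolog does not count as PHP.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|(?=\s))", re.IGNORECASE)

# Constructed sample templates; the EE-style tags are illustrative only.
SAMPLE_TEMPLATES = {
    "site/index.html": (
        '{exp:weblog:entries weblog="news" limit="5"}\n'
        "<h2>{title}</h2>{body}\n"
        "{/exp:weblog:entries}\n"
    ),
    "site/feed.html": (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<rss version="2.0"><channel><title>{site_name}</title></channel></rss>\n'
    ),
    "site/contact.html": "<p>&copy; <?php echo date('Y'); ?> {site_name}</p>\n",
    "dept/landing.html": (
        '{embed="site/.header"}\n'
        "<h1>Department</h1>\n"
        "<? phpinfo(); ?>\n"  # PHP a department editor slipped in
        '{embed="site/.footer"}\n'
    ),
}
ADMIN_PHP_TEMPLATES = {"site/contact.html"}  # PHP the admin wrote on purpose


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_php(text: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each line with a PHP open tag."""
    return [(n, line.strip()[:80])
            for n, line in enumerate(text.splitlines(), start=1)
            if PHP_OPEN_TAG.search(line)]


def audit_templates(root: Path, allowed_digests: set[str]) -> dict:
    """Classify every file under root as clean, allowed, or unexpected.

    "allowed" requires both a PHP tag and a digest in the allowlist, so an
    allowed template that was edited since the digest was taken shows up as
    unexpected; that is the change an admin wants to hear about.
    """
    report = {"clean": [], "allowed": [], "unexpected": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        hits = find_php(path.read_text(errors="replace"))
        if not hits:
            report["clean"].append(rel)
        elif sha256_of(path) in allowed_digests:
            report["allowed"].append(rel)
        else:
            report["unexpected"].append((rel, hits))
    return report


def build_sample_site(root: Path) -> set[str]:
    """Write the constructed templates; return digests of the admin's PHP ones."""
    allowed = set()
    for rel, text in SAMPLE_TEMPLATES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
        if rel in ADMIN_PHP_TEMPLATES:
            allowed.add(sha256_of(path))
    return allowed


def run_demo() -> dict:
    """Audit the sample site as built."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return audit_templates(root, build_sample_site(root))


def run_tamper_demo() -> list[str]:
    """Audit again after someone rewrites the admin's allowed template."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        allowed = build_sample_site(root)
        (root / "site/contact.html").write_text("<?php phpinfo(); ?>\n", encoding="utf-8")
        return [rel for rel, _ in audit_templates(root, allowed)["unexpected"]]


if __name__ == "__main__":
    report = run_demo()
    for rel, hits in report["unexpected"]:
        for lineno, snippet in hits:
            print(f"UNEXPECTED PHP  {rel}:{lineno}: {snippet}")
    print("allowed:", report["allowed"])
    print("clean:  ", report["clean"])
    print("after tampering:", run_tamper_demo())
```

Run it from cron against the real template directory and page on any "unexpected" entry. Two design points: the allowlist is keyed on content digests rather than file names, so an approved template that is later edited is re-flagged instead of staying trusted; and the tag pattern deliberately ignores `<?xml`, which is only a problem if PHP's `short_open_tag` is on, a separate setting worth checking on the server.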
#5 / Jun 23, 2008 10:41pm
OK, thanks Imgmar
#6 / Jun 24, 2008 1:53am
It seems to me that even if you didn’t have PHP enabled… giving users access to the templates is simply a recipe for disaster. Why would you give anyone you didn’t fully trust access to templates? That wouldn’t make any sense.
#7 / Jun 24, 2008 2:02am
I can envision a couple of scenarios where that would make perfect sense. Let a department be in charge of their subsite, e.g., including full control over the template, but not the whole company website. Or ... Lots of possibilities.
#8 / Jun 24, 2008 3:27am
It seems to me that even if you didn’t have PHP enabled… giving users access to the templates is simply a recipe for disaster. Why would you give anyone you didn’t fully trust access to templates? That wouldn’t make any sense.
You could always just as easily restrict access to the most important templates: navigation, footer, sidebar, etc.
And allow them access to their own content templates. Carefully using embeds, you can grant them easy access to edit what they need to edit, without breaking. As long as they follow your instructions, right?!
😊