Document directory
- What is the same version engine?
- Operating principle of the same version Engine
- Some concepts of using smarty
- Security Intelligence smarty
- Program Information setting
- The first small program to use smarty Networks
- How to arrange your program architecture
- How to Use Change Data
- Repair your changes
- Duplicate Region
- Presentation of nest metadata
- Information in the metadata
- Determines whether the content is displayed.
- External content
Smarty inbound traffic
This is an article I wrote a year ago. It was previously posted on a friend's site: [PHP 5 knowledge and exchange center].
However, because there are some small condentions on the internal content, this time I put it back to my blog.
Preface
When I started the PHP design program that was connected to the same version of the engine, I thought it was very difficult to hear the smarty. In fact, this is not an exception, and I dare not touch it. However, when analyzing the xoops program architecture, it was discovered that smarty was not actually used. As long as the smarty-based functions are completed, it is quite appropriate to use them in general. Of course, you don't have to worry about the future development and application.
This update mainly adds some conceptual things, and of course there are some progressive skills. However, these may have gone deep into your program. If there are better features, you may also be welcomed to try again. The program architecture in this article is not the best practice. However, if you learn how to use smarty, you can use this method as the basis first.
Jaceju @ gmail 2005/03/12
What kind of engine does smarty introduce?
I don't know when to start. Some people started to feel less interested in embedding server scripts in HTML. However, in terms of the ASP of microservices or the PHP of the open source library, they are all written on the internal server script website servo side. As a result, some people think that if the program can be scaled (or the operator's industrial application was scaled) and the website was shown (layout, will it be better than others?
In fact, this issue has existed for a long time. When starting from an interactive website, no matter whether ASP or PHP users are both personal and program developers and visual design engineers. However, these users are usually either programmers or artists. If the two users need to be concurrently connected at the same time, they will have to die a lot...
So the same version of the engine is born! The purpose of the engine version is to merge the above mentioned features. It allows programmers to inject data into control or functional components, while design patterns can be embedded in web layout, make the website more professional! Therefore, the same version of the engine is very suitable for the company's website development and usage, so that everyone can develop their growth!
In terms of the same version of the engine that the publisher has received, the information is roughly divided: you need to match the same version engine of the program processing and the same version engine that is completely determined by the same version.
In the same version engine that needs to be configured with the program processing, the program developer must register the current version of the variable, that is to say, he must handle the content of the change before the release to the same version, in order to do assign work. In other words, the program developers still need to write more programs to determine the appearance of changes. The same version engine, which is independently determined by the same version, allows the variable numbers to be directly added to the same version, make sure that the designer determines how the change data is presented at the time of the design. As a result, it may have another set of similar programming methods (such as smarty) to facilitate control of the presentation of changes. However, it seems that design engineers also have to learn how to use the same version of statement.
Operating principle of the same version Engine
First, let's take a look at the following operations:
Generally, the same version engine (such as phplib) is used to obtain the same version to be parsed when the same version object is created. Then, after the changes are included, the engine passes through parse () this method is used to parse the form, and then publish the website.
For smarty users, there is no need for parse actions in the program. These smarty actions will help us. In addition, if there is no change in the current version of the website, Smarty will automatically jump to the dynamic version of the website, you can directly upload your website to save your time.
Some concepts of using smarty
In the general engine version, we often see the concept of the region, which will grow like this:
<! -- Start: block name --> zone content <! -- End: block name -->
Most of these regions will use if or for in the PHP program. While, they will control their presentation statistics. Although the version seems to be much larger, however, as long as the rendering method is different, the PHP program should be modified again!
In smarty, all changes are dominated by data, and all current versions are controlled by the same version. Because smarty has its own statement, whether it is a region indication or a duplicate, it uses the method of smarty's statement (if, foreach, section) appears with the change data content. In this way, it seems that the version has become a bit difficult, but the good thing is that as long as the specification is correct, the PHP program does not need to be changed.
From the above description, we can know that using smarty requires a good understanding of the principle: displaying the Program Application token and the website clearly. That is to say, PHP programs should not have too many HTML scripts. In the program, you only need to determine the changes to the same version, so that the same version determines how to present these changes (or even not present them ).
Smarty's key component security smarty
First, let's determine where the program is placed.
- In Windows, it may look like this: "D: \ appserv \ WEB \ demo \」.
- In Linux, it may look like this: "/home/jaceju/public_html /」.
Next, create a library under the program's primary resource. This is where we use the smarty kit.
Then we went to the official site of smarty to download the latest smarty kit: http://smarty.php.net.
After smarty 2.6.0 is released, we will see many cases, including a libs resource. In libs, there should be 3 class. php labels + 1 Debug. TPL + 1 plugin resource + 1 core resource. Then, you can directly copy the libs repository to the library created by the zookeeper and rename it smarty. That's the case? No! This security law is relatively simple, and usually does not have its own host user.
In the official smarty manual, why should we introduce some security protection methods that are more secure than others? Basically, according to the official method, the host can be only installed once and then directly referenced when different programs are developed by all the programmers on the host, it will not re-install too many smarty scripts. The method provided by the author is used by the developers who want to bring the program over and move the program, in this case, you do not need to renew the host to have the security protection smarty.
Program Information setting
For example, if the attacker runs appserv on Windows, the program's primary resource is D: \ appserv \ WEB \ demo \」. After setting up smarty, we will establish such information under the primary resource:
In Linux, remember to change the templates_c permission to 777. In Windows, the unique feature is canceled.
The first small program to use smarty Networks
We first set the path of smarty. Please name the following example as main. php and place it under the primary resource:
Main. php
<?phpinclude "library/Smarty/Smarty.class.php";define('APP_PATH', str_replace('\\', '/', dirname(__FILE__)));$tpl = new Smarty();$tpl->template_dir = APP_PATH . "/templates/";$tpl->compile_dir = APP_PATH . "/templates_c/";$tpl->config_dir = APP_PATH . "/configs/";$tpl->cache_dir = APP_PATH . "/cache/";?>
As set above, if the program is to be transplanted to other places, you only need to change the app_path. (Here is the xoops test)
After the similar version of smarty is set, the program will follow this path to capture the corresponding positions of all the similar versions (In the example, It is 'd: /appserv/web/demo/templates /'). Then we use the "Display ()" method to demonstrate our version.
Next, we place a test.htm under the templates Resource: (the sub-account name has nothing to do, but I think the design is developed, both are. htm as the main node .)
Templates/test.htm
Now we want to display the above version, and make the web titles ($ title) and content ($ content) more dynamic, name the following content as test. PHP:
Test. php
<? Phprequire "Main. PHP "; $ TPL-> assign (" title "," "); $ TPL-> assign (" content ", "website content used by zookeeper "); // you can also use this line to replace the above two rows. // $ TPL-> assign (Array ("title" => "", "content" => ""); $ TPL-> display('test.htm');?>
Open the timer and paste http: // localhost/demo/test. PHP website view (depending on your website), you should see the following pages:
Next to templates_c, we will see a strange attack:
2017100006b00006b200006b2bf9a300000000test.htm. php
<?php /* Smarty version 2.6.14, created on 2007-08-11 14:10:33compiled from test.htm */ ?>
No. This is the case that smarty has been used. It converts our changes in the same version into the PHP programming method. Next time we get the same content, smarty will directly capture this attack case.
Finally, let's sort out the entire smarty program's preparation steps:
Smarty engine.
Create a smarty object.
Set the number of smarty objects.
After processing the changes in the program, use the smarty Assign Method to place the changes in the same version.
Use the display method of smarty to show the network.
How to arrange your program architecture In addition to the information required by smarty (library, templates, and templates_c), we can see two types of information: configs and modules. In fact, this is created by the attacker by imitating the xoops architecture, because xoops is the program that the hacker receives, A few stand programs that use the smarty engine. There are no 1% records of xoops in the program architecture, but at least xoops is available.
Configs resources are generally used to store the preset settings. You can also use the config settings used by smarty.
Modules is used to place the program model. In this way, the program cannot be used as a whole.
We also mentioned main. PHP, which is the main core of the entire program, regardless of the definition of constant data, external program injection, and creation of shared variable data, all started here. Therefore, all subsequent models can be included in this case. Therefore, during the program process planning period, you must think carefully about main. PHP should put those things in place. Of course, it is better to use the include or require command to clearly split each shard.
Step 5 of the smarty program mentioned in the previous step, Main. PHP will help us prepare the first three steps first, and the subsequent modular program only needs to complete the last two steps.
How to Use Change Data from the beginning From the example in the previous chapter, we can clearly see that we use the {And} indicators to change the number of packages, this is the identifier of the smarty folder. The Change Data naming method is the same as the change data naming method in PHP. There is also a $ character (which is different from the general engine ). The identifier is a bit like in PHP. <? PHP and?> (In fact, most of their parsing processes will be replaced with this identifier), so the following variant data method is feasible:
The General compile method:
{$var}
There is a gap between the change and the change:
{ $var }
The initial and end indicators are not in the same line
{$var }
Keywords: Sometimes the relationship between the Chinese Character Library and JavaScript is different from that between $ left_delimiter and $ right_delimiter, to cancel the indicator.
In smarty, the change data is set to global, that is, you only need to specify one time. If you specify more than two times, the data content will be subject to the last value specified. Even if we have released an external sub-version in the primary version, the same changes in the sub-version will also be replaced, in this way, we do not need to parse the sub-version again.
If the information you want to display has been placed in a batch column, do you want to export the changes and then perform assign operations? Actually, this is not required! We can directly add the role column assign to an object of the same version, as shown below:
<?php$this_user = array("fullname" => "Jace Ju", "phone" => "012345678", "email" => "jaceju@seed.net.tw");$tpl->assign("this_user", $this_user);?>
Then use the following in the same version:
{$this_user.fullname}{$this_user.phone}{$this_user.email}
In this way, you don't need to split the signature column into tokens, and there won't be a lot of assigns in the PHP program.
In addition, we can also add the "object" assign to smarty, for example:
<?php$obj = new SomeObject();$tpl->assign("obj", $obj);?>
In the same version, "->" is used as PHP to access the attention and method of the object.
{$obj->fullname}{$obj->method1()}
Repair your changes As we mentioned above, the appearance of smarty changes is determined by the same version. Therefore, smarty provides many ways to modify the changes. The method is as follows:
{Change number | repair function} <! -- When the modification function has no numeric value --> {Variable | modification function: "numeric value (not required, depends on the modification function)"} <! -- When the modification function has numeric values -->
Example:
{$ Var | nl2br} <! -- Convert the modified line character to <br/> -- >{$ var | string_format: "% 02d"} <! -- Format the variable data -->
Well, why should the same version determine its own appearance? Let's take a look at the HTML below. This is part of the intersection of a car.
<Input name = "Total" type = "hidden" value = "21000"/> total cost: 21,000 RMB
Generally, the same version of the engine may be as follows:
<Input name = "Total" type = "hidden" value = "{total}"/> total cost: {format_total} RMB
In their PHP program, perform the following steps:
<?php$total = 21000;$tpl->assign("total", $total);$tpl->assign("format_total", number_format($total));?>
The same version of smarty can be as follows:
<Input name = "Total" type = "hidden" value = "{$ total}"/> total cost: {$ Total | number_format: ""} RMB
In the PHP program of smarty, as long as this problem occurs:
<?php$total = 21000;$tpl->assign("total", $total);?>
Therefore, in smarty, we only need to specify a change number, and the rest can be handed over to the same version. Have you understood this? This is a good place for the version to determine the appearance of changes on its own!
Region for controlling the content density of the same version The author mentioned above that we can directly assign an assign to the same version of the orders column; however, if we want to display the multiple items selected by the database to the same version at a time, we need to print the information in a circle. In the same version, we can use the overwriting region to complete such an action.
In the smarty board, we need to repeat a region using two methods: foreach and section. In the program, we need assign as a parameter column. This parameter column can contain data groups. As shown in the following example:
First, let's look at how PHP programs are deployed:
Test2.php
<? Phprequire "Main. PHP "; $ array1 = array (1 =>" ", 2 =>" ", 3 =>" banana ", 4 =>" "); $ TPL-> assign ("array1", $ array1); $ array2 = array (Array ("index1" => "data1-1", "index2" => "data1-2 ", "index3" => "data1-3"), array ("index1" => "data2-1", "index2" => "data2-2", "index3" => "data2-3 "), array ("index1" => "data3-1", "index2" => "data3-2", "index3" => "data3-3 "), array ("index1" => "data4-1", "index2" => "Data 4-2 "," index3 "=>" data4-3 "), array (" index1 "=>" data5-1 "," index2 "=>" data5-2 ", "index3" => "data5-3"); $ TPL-> assign ("array2", $ array2); $ TPL-> display ("test2.htm");?>
The Layout Method of the same version is as follows:
Templates/test2.htm
<HTML>
After the preceding example, we found that the results of the two rows, whether foreach or section, are the same. So what is the difference between the two?
The first difference is that foreach needs to handle the changes in the two rows column of our assign in the form of a nest handler, the section uses the "primary region column [region name]. the entire shard column is displayed. From this we can see that the foreach in the same version of smarty is the same as the foreach in PHP; in contrast, section refers to the statement presented by smarty for handling the changes in the column above. Of course, the functions of Section are more than just that, except for the present nest information of the next section, the official manual also provides examples of corresponding sections.
However, you must note that the index of the comment column given to the section must be a positive integer starting from 0, that is, 0, 1, 2, 3 ,.... If the index of your primary column is not a positive integer starting from 0, you must use foreach to present your data. You can refer to this article in the official forum to explore section and foreach usage.
Presentation of nest metadata The most fascinating thing about the same version engine is the presentation of the nest metadata. many well-known similar version engines will specifically consider this point, however, in terms of smarty, This is the minor.
The most common nest information, even in the discussion program, is the main topic area. The result of the hypothetical settings is as follows:
Announcement Area |
|
Website announcement |
Liberal arts Region |
|
Qi Wen co-author |
Good introduction |
VPC Region |
|
Practical Discussion |
Hardware environment testing |
In the program, we first use the metadata as an example:
Test3_1.php
<? Phprequire "Main. PHP "; $ Forum = array (Array (" category_id "=> 1," category_name "=>" announcement Area ", "topic" => array (Array ("topic_id" => 1, "topic_name" => "website announcement"), array ("category_id" => 2, "category_name" => "document region", "topic" => array (Array ("topic_id" => 2, "topic_name" => ""), array ("topic_id" => 3, "topic_name" => "文 "))), array ("category_id" => 3, "category_name" => "Telecom region", "topic" => array (Array ("topic _ ID "=> 4," topic_name "=>" hardware environment variables "), array (" topic_id "=> 5, "topic_name" => "collective discussion"); $ TPL-> assign ("Forum", $ Forum ); $ TPL-> display ("test3.htm");?>
The Layout Method of the same version is as follows:
Templates/test3.htm
<HTML>
The results of the rows are as follows.
Therefore, in the program, we only need to try to add a unique record to the comment column, and then use {the first comment column [circle 1]. the second primary keys column [secondary ring 2]. the third primary keys column [circled 3] ...... using Column indexes} in this way, the value in each nested loop is displayed. So what method is used? We will repeat the next usage of the resource.
Information in the metadata The above mentioned how to show the nested loop. In practice, our resources may be retrieved from the library, therefore, we have to think of ways to convert the information of materials into the form of the above multi-metric columns. Here, the author uses mysqli to capture the information in the data pipeline. If you have other favorite data abstraction kits, the principle is similar.
We only modify the PHP program. The same version is also the one above (this is the good thing about the same version engine ~), The above example shows the captured information.
Test3_2.php
<? Phprequire "Main. PHP "; // create a resource named component $ mysqli = new mysqli (" localhost "," username "," password "," testdb "); // first create the first category Category column and SQL command $ Category = array (); $ sql1 = "select category_id, category_name from categories "; // capture the information in the first cycle if ($ result1 = $ mysqli-> query ($ sql1) {While ($ item_category = $ result1-> fetch_assoc ()) {// create the second sequence column and SQL command $ topic = array (); $ sql2 = sprintf ("select topic_id, topic_name from topics where Cat Egory_id = '% S' ", $ item_category ['category _ id']); // capture the information in the second round. If ($ result2 = $ mysqli-> query ($ sql2) {While ($ item_topic = $ result2-> fetch_assoc ()) {// push the captured information to the array_push ($ topic, $ item_topic);} $ result2-> close ();} // specify the second category column as a member of the item crawled by the First Category column $ item_category ['topic '] = $ topic; // push the first item into the array_push ($ category, $ item_category); $ result1-> close () ;}}$ mysqli-> close (); $ TPL-> assign ("Forum", $ categor Y); $ TPL-> display ("test3.htm");?>
After the item is crawled, we get a column containing the item. Based on the while statement and the array_push function, we have inserted the information in the item into the comment column. If you only use a single circle, remove the second circle.
Determines whether the content is displayed. To determine whether to display the content, we can use the if method for selection. For example, if the user has logged on, we can use the same version as below:
{If $ is_login = true} shows the user's operation list {else} lists the table orders that have been imported into the primary and secondary databases. {/if}
The general application of the IF statement method can be illustrated by official instructions, so the author will not introduce it here. However, attackers may find an interesting application: they often see a table in the program to generate the following: (data indicates the sort order of the data set)
This author assumes that "copying to relay the table 」. Its features are different from the traditional method of overwriting. in the previous article, we saw that the recovering table was from top to bottom, with only one item in a column. In contrast, you can generate n data records in a column to the ground, and then upload the next column until the entire circle ends. To implement such a function, you only need to use section and if in the simplest way.
Let's take a look at the following example:
Test4.php
<?phprequire "main.php";$my_array = array(array("value" => "0"),array("value" => "1"),array("value" => "2"),array("value" => "3"),array("value" => "4"),array("value" => "5"),array("value" => "6"),array("value" => "7"),array("value" => "8"),array("value" => "9"));$tpl->assign("my_array", $my_array);$tpl->display('test4.htm');?>
The Layout Method of the same version is as follows:
Templates/test4.htm
<HTML>
The focus is on $ smarty. section. sec1.rownum and $ smarty. section. sec1.total: The two smarty changes. In the section Primary circle, this rownum change will obtain the index value starting from 1, so when rownum can be divided by 2, </tr> <tr> to make the table comment column (note! Yes </tr> at the beginning <tr> at the end). Therefore, data 2 is the expected data volume in the column. Total will return the total amount of data, so let rownum trigger </tr> <tr> only when it is smaller than total, the last null <tr> </tr> cannot be found.
You can transform other different presentations.
External content We can add the PHP program example or another sub-version in the same version. The two smarty-like versions are used separately; demo_php users are rarely used. You can use this method to check the official website, which is not described here.
When using include, We can first import the sub-version, or manually import the sub-version. The primary key is usually used to publish a file with a common file title and copyright declaration. The dynamic key can be used in the framework of system 1, in the next step, you can pull skin like a Winamp. Of course, these two types can also be used in different ways.
Let's take a look at the following example:
Test5.php
<? Phprequire "Main. PHP "; $ TPL-> assign (" title "," include signature "); $ TPL-> assign (" content ", "Changes in version 2"); $ TPL-> assign ("dyn_page", "test5_3.htm"); $ TPL-> display('test5_1.htm');?>
The scheme of version 1 is as follows:
Templates/test5_1.htm
<HTML>
The scheme of version 2 is as follows:
Templates/test5_2.htm
<p>{$content}</p>
The scheme of version 3 is as follows:
Templates/test5_3.htm
<P> This is the content of version 3 </P>
The scheme of Version 4 is as follows:
Templates/test5_4.htm
<p>{$custom_var}</p>
Pay attention to the following points:
- All versions are based on the previously defined template_dir.
- In all the include child versions, the changes will also be resolved.
- You can use "variable = variable content" in "include" to specify the variables included in the imported version 4, as in version 4 above.
Example See the following examples.
For more information about smarty, see the author's example: "php smarty engine 」.