
Implemented Provide the ability to call a php file directly from template

Discussion in 'Closed Suggestions' started by AndyB, Apr 3, 2013.

  1. AndyB

    AndyB Well-Known Member

    It would be awesome to be able to call a php file directly from a template without the need for an Addon and hook. For example:

    <xen: include "/path/script.php">
  2. digitalpoint

    digitalpoint Well-Known Member

    That would be a pretty big security issue...
    euantor and Nasr like this.
  3. AndyB

    AndyB Well-Known Member

    Hi Shawn,

    Curious what sort of things could go wrong.
  4. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    On several sites there is more than one person with access to the AdminCp; it is not uncommon to have an administrator and someone with access to the templates to "edit" the style of the site and make small changes.

    Giving the ability to run a file from the template engine gives whoever has access to the admincp the ability to execute any random file on the server, even if their access is restricted or if they did not have ftp or ssh access anyway. For a hacker it creates a tunnel from which to inject code into the site that it is hard to detect on top of it (since if someone edits a random template it is unlikely to be noticed).

    Plus, it is bad design. The templates are the "view". The view layer shouldn't go back into calling controller logic, it should not have access to anything else than the model, by the time we reach the view most of the processing is done and it is only displaying things.

    It is totally worth it to take the additional time and extend the controller to even execute or include whatever file is needed. All controllers can be extended in XF, and custom ones can be created.
    Chris D likes this.
  5. AndyB

    AndyB Well-Known Member

    Hi Rigel,

    Thank you for taking the time to explain some of the issues in allowing php in templates.

    I would like to address your two points.

    1) The issue regarding a rogue moderator injecting php into templates could be easily solved by disallowing any access to templates to moderators.

    2) I understand that in a perfect world code is written in a manner that is most efficient. But in the real world, admins like myself simply want to create modifications. I find that it's far simpler to modify the xenforo php and .js files directly. I make careful notes showing exactly what I have done and duplicating the hacks is extremely easy come upgrade time. I do the same type of documentation for all template mods.

    Currently I only have a few self created Addons which are simple template hooks calling php files. Being able to delete these addons and replace them with a php include in the template system would make life easier for me.
  6. Brogan

    Brogan XenForo Moderator Staff Member

    Implemented in 1.2 using xen:callback.
    JulianD, LPH and AndyB like this.
  7. AndyB

    AndyB Well-Known Member

    I quoted Mike's explanation about xen:callback, but it's over my head.

    Could someone explain how this callback would work. In my post #1 I was suggesting it would be great to be able to call a php file directly from a template. Brogan indicates this has been implemented by this xen:callback but to me it sounds like it's different than what I was asking for.

    How would the template call a php file using this xen:callback?
  8. EQnoble

    EQnoble Well-Known Member

    not knowing but guessing here...

    A file named AndyB.php in dir library/Andys/ that has the php that you want to use in a page node...

    <xen:callback class="Andys_AndyB" method="getHtml"><b>HTML that will be passed to the callback.</b></xen:callback>
  9. AndyB

    AndyB Well-Known Member

    Thank you, EQnoble. That would be great if that's how it will work.
  10. AndyB

    AndyB Well-Known Member

    I created a file called test.php with the following contents and saved under library/Andy/

    echo 'test';
    I added the following to the first line of my header template:

    <xen:callback class="Andy_test" method="getHtml"></xen:callback>
    When I display my forum, above the header is displayed "testtest". Why is test displayed twice? I also get an error message:

    Could not execute callback Andy_test::getHtml() - Not callable.

    What am I doing wrong?
    Last edited: Jun 20, 2013
  11. Jeremy P

    Jeremy P Well-Known Member

    @AndyB It needs to be a PHP file with a proper class and method. As indicated by the class and method attributes.
  12. AndyB

    AndyB Well-Known Member

    Hi Jeremy,

    I just updated post #10 to show exactly what I did. It is a file called test.php. I assume the contents need to be changed. Do you have any idea what the contents of test.php file should be if all I want to do is echo the word "test" ??

    Thank you.
  13. xf_phantom

    xf_phantom Well-Known Member

    The file should look like

    class AndyB_Test {
        public static function getTest() {
            // (method body not shown)
        }
    }

  14. xf_phantom

    xf_phantom Well-Known Member

    Just did a quick test, which is working fine:)

    My class:

    class XFP_Test{

        // Called by the template; the returned string is what gets output.
        public static function getHtml(){
            return 'my returned text';
        }
    }

    <xen:callback class="XFP_Test" method="getHtml"></xen:callback>
    Last edited: Jun 20, 2013
  15. AndyB

    AndyB Well-Known Member

    Thank you kindly, xf_phantom. The example in post #14 works perfectly.
  16. xf_phantom

    xf_phantom Well-Known Member

    OK, after a real play with this:
    if you want to use the full power, the callback method signature should look like

    public static function getHtml($content, $params, XenForo_Template_Abstract $template){

    template code
    <xen:callback class="XP_Test" method="getHtml" params="{xen:array 'foo=baz'}">content</xen:callback>

    class XP_Test{

        public static function getHtml($content, $params, \XenForo_Template_Abstract $template){
            $return = '';

            $return .= 'passed content :  ' . $content . "<br />";
            // print_r(..., true) returns the dump as a string; var_dump() would print it immediately
            $return .= 'passed params : ' . print_r($params, true);
            // you can even attach an existing template to the output
            $templateParams = array();
            $t = $template->create('template', $templateParams);
            $return .= $t;

            return $return;
        }
    }

    bill78, semprot, Adam K M and 5 others like this.
  17. LPH

    LPH Well-Known Member

    In this example, where is the file located? How do you set the path?
  18. Chris D

    Chris D XenForo Developer Staff Member

    Class names indicate the directory and file it belongs to.

    You convert the _ to / and put a .php on the end.


  19. xf_phantom

    xf_phantom Well-Known Member

    I thought you're much smarter, young Padawan:p

    classname => XFP_Test
    this means=>

    Chris D likes this.
  20. Chris D

    Chris D XenForo Developer Staff Member

    But not "Library" as that would screw with the case sensitivity on most web servers :p
    SneakyDave and xf_phantom like this.
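
Added example, not part of the thread and not XenForo's own code: a sketch of the naming rule from post #18 (`_` becomes `/`, `.php` appended, under `library/`) with a strict identifier check, plus the callable test that accounts for the "Not callable" error in post #10. `LIBRARY_DIR`, `classToPath()` and `isUsableCallback()` are hypothetical names chosen for this illustration.

```php
<?php
// Added illustration; not XenForo's autoloader. LIBRARY_DIR and the
// function names below are assumptions made for this example.
const LIBRARY_DIR = 'library';

/**
 * Map a callback class name to the file expected to define it:
 * "_" becomes "/" and ".php" is appended, under library/.
 * Returns null for anything that is not a plain identifier, so a value
 * typed into a template cannot carry "/", ".." or a file extension.
 */
function classToPath(string $class): ?string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]*(_[A-Za-z][A-Za-z0-9]*)*$/', $class)) {
        return null;
    }
    return LIBRARY_DIR . '/' . str_replace('_', '/', $class) . '.php';
}

/**
 * A template callback is usable only if the class is defined and the
 * named method is public and static. A file that merely echoes text
 * defines no class, so it fails here.
 */
function isUsableCallback(string $class, string $method): bool
{
    if (classToPath($class) === null || !class_exists($class, false)) {
        return false;
    }
    if (!method_exists($class, $method)) {
        return false;
    }
    $ref = new ReflectionMethod($class, $method);
    return $ref->isPublic() && $ref->isStatic();
}

// Constructed sample class, standing in for library/XFP/Test.php.
class XFP_Test
{
    public static function getHtml() { return 'my returned text'; }
}

// Constructed inputs: two class names from the thread and two raw paths.
foreach (['XFP_Test', 'Andy_test', '../../etc/passwd', '/path/script.php'] as $name) {
    printf("%-20s => %s\n", $name, classToPath($name) ?? 'rejected');
}
var_dump(isUsableCallback('XFP_Test', 'getHtml'));  // class with a public static method
var_dump(isUsableCallback('Andy_test', 'getHtml')); // no such class is defined
```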
