separate php file as template - security hazard?

Question

I was looking at templating systems for php, and I've come to believe that pure php code seems to be the solution I want to use.

I'm the lone developer, so there's no designers who need a nerfed arena to work in. Template engines like smarty seem to suffer from the "Inner-platform effect". If I stick with good practices ( pre-computed values, use only foreach ), I think this will work.

My goal is to have a single source for the string of the html shared by each page. My thought is that a separate php file, accessed via include, is a good way to meet this goal.

However, I'm concerned that that might pose a security hazard for the site -- I can't think of anything specific at the moment, but someone could guess the name of the template and request it directly, perhaps exposing something they needn't see. (I suppose I could put in a check to see if it itself is the request.) I have a hunch this could be bad, so I don't want to go ahead and do it, create what I feared would happen, and then throw that work away.

If a separate file is not the best idea, what else should I use to basically store a string for the whole site? A string constant in an include, that I could use in sprintf()? A function that returns the html string from arguments of the page-specific html parts?

Answer 1

Files that should not be served via HTTP should be stored in a directory from which your webserver will not allow anything (not PHP, at least) to be served to the users.

Two possibilities :

• put those files outside of the DocumentRoot
• or put those files in a sub-directory, from which Apache will not be able to serve any file.

Such "not served" files generally include stuff like :

• configuration files
• libraries / frameworks
• data files (like an SQLite database, for instance ; or i18n files)

The first solution : your directories could look like this :

• data/
  • i18n/
  • i18n/your-file-here.php
• library/
• www/            <- this is Apache's DocumentRoot
  • index.php
  • another-php-file.php

And for the second solution, just disable access to the directory containing your "data" or "libraries" files, putting in it a .htaccess (If your webserver is Apache) file containing something like

Deny From All

With that, Apache will not allow anyone to directly access via HTTP the files in that directory, but your executable PHP script (in another directory) will still be able to include them.

Answer 2

Simple, really; Name the file whatever you want, but use ".inc.php" as the extension, then include this line at the top of the file:

if (basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME'])) {
    die;
}

this will kill the script if the file is accessed directly.

EDIT: Pascal Martin's solution is probably more in keeping with BCP, whereas mine is more quick-and-dirty. I've used both, and either seems to be fine.