Template Conditionals

This is essentially a more restrictive version of my PHP in Templates plugin.  The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin.  Both plugins are very similar though.  The differences between this and the other plugin are:

• Admins cannot enter PHP code using <?php ?> tags
• Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
• file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
• There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
  Example (prints 123654321):
  HTML Code

  123<?=substr("987654321", 3)?>

  ---

• There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array.  Examples:
  (just prints some text)
  
  HTML Code

  <setvar uselesstext>"some text"</setvar> {$tplvars['uselesstext']}

  ---

  (prints out the username of the user with UID of 2)
  

  HTML Code

  <setvar user2>get_user(2)</setvar> <func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>

  ---

v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:

• no assignment/modification operators (=, +=, |=, ++ etc) allowed
• no statements such as include, exit, eval etc are allowed
• no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
• backtick (`) operator not allowed
• heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
• double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
• array and object typecasting not allowed
• no variable functions or method calls allowed
• single line comments (//, #) not allowed
• only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions
  

[ZiNgA BuRgA]

(06-24-2016 11:16 PM)Destroy666 Wrote:  Mainly the 2 mentioned above, perhaps also format_time_duration. The rest is not really usable in templates.

Thanks, I've added it to the code and should be available on next release.

(08-27-2016 05:56 AM)xQu Wrote:  Why when i using

Code:

<?php include 'file.php'; ?>

---

in Chrome Developer Tools in Source i can see

Code:

<!--?php include 'file.php'; ?--!>

---

Mybb change < to <!--

I don't get that at all, but Template Conditionals doesn't allow PHP like that anyway.

[xQu]

So how i can include file to index template?

[ZiNgA BuRgA]

Please read the first post in this thread.

[Niki]

Is it possible to pull a count of how many users are in X group?

Also is it possible to pull a count of how many users in said X group have a custom profile field set to yes or no?

I'm thinking 'census' like here. So for example I have

Faction 1 (usergroup)
Faction 2 (usergroup)
Sex (profile field = male or female)

I want to count how many are in Faction 1, then I would like to count how many males are in faction one and how many females)
And repeat for Faction 2.

[RateU]

Assuming you know how to do that (the query and etc), use the PHP in Templates / Complex Templates plugin or use dedicated script/plugin.

[Niki]

I actually don't know how to do that query wise. Which is why I was wondering if it was just something that could be done quickly by a statement lol.

I'm assuming not now, so I'll look into creating a script/plugin and see what I can figure out.

[eldenroot]

Hi, I would like ask you for a small advise:
I use this type of custom field:
- input field type: file
- editable/required by: everyone
- valid file expression: gif|png|jpg|jpeg
- maximum file size: 2097152
- image thumbnail generator: 90x135|320x240

I need to set into the field: Blank replacement Value - show a default image (myboard.com/defaultimage.png) automatically if there is no image added by user. How to do that, thank you!

[Niki]

(08-10-2017 01:21 AM)eldenroot Wrote:  Hi, I would like ask you for a small advise:
I use this type of custom field:
- input field type: file
- editable/required by: everyone
- valid file expression: gif|png|jpg|jpeg
- maximum file size: 2097152
- image thumbnail generator: 90x135|320x240

I need to set into the field: Blank replacement Value - show a default image (myboard.com/defaultimage.png) automatically if there is no image added by user. How to do that, thank you!

You should do an else statement then. Something like this:

Code:

<if $userfields['fid#'] then>{$userfields['fid#']}<else then><else />The stuff to show up if profile field is not filled in should be placed here.</if>

---

[Sama34]

I just realized you didn't include the my_setcookie() and my_unsetcookie() functions into the white list file. Is there any reasoning behind it or you just didn't feel like adding them ?

I found it useful recently for my personal site but I'm unsure if there might be "issues" in more "collaborative" settings (where users can edit templates, at least) that I should take into consideration.

[leibovich]

Thank you very much for this plugin.

I'm trying to show ADVs on specific foruns , but i'm get one error whe i'm using the IF statment.. see:

<if $GLOBALS['style']['fid'] != '9'  then>{myadvertisements[zone_1]}</if>
<if $GLOBALS['style']['fid'] ==  '9'  then>{myadvertisements[zone_4}</if>

If i use "!=" it works ok... but if i use "==" it don't work ... it prints on the page "{myadvertisements[zone_4}"

If i use a single "=" it not work too ...

I'm using the 1.8.16 mybb ... How can i solve this ?

Can i use CASE THEN statment ?