Template Conditionals

This is essentially a more restrictive version of my PHP in Templates plugin.  The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin.  Both plugins are very similar though.  The differences between this and the other plugin are:

• Admins cannot enter PHP code using <?php ?> tags
• Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
• file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
• There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
  Example (prints 123654321):
  HTML Code

  123<?=substr("987654321", 3)?>

  ---

• There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array.  Examples:
  (just prints some text)
  
  HTML Code

  <setvar uselesstext>"some text"</setvar> {$tplvars['uselesstext']}

  ---

  (prints out the username of the user with UID of 2)
  

  HTML Code

  <setvar user2>get_user(2)</setvar> <func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>

  ---

v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:

• no assignment/modification operators (=, +=, |=, ++ etc) allowed
• no statements such as include, exit, eval etc are allowed
• no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
• backtick (`) operator not allowed
• heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
• double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
• array and object typecasting not allowed
• no variable functions or method calls allowed
• single line comments (//, #) not allowed
• only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions
  

[eldenroot]

Hi,

I use XThreads and I have this situation:
1) I use image custom fields together with a text field... how to make template condition working if no image and no text is added -> so show this text "NO INFO AVAILABLE". Thank you?

My fields are mpcode and mpimage

[ZiNgA BuRgA]

(04-06-2018 12:46 PM)Sama34 Wrote:  I just realized you didn't include the my_setcookie() and my_unsetcookie() functions into the white list file. Is there any reasoning behind it or you just didn't feel like adding them ?

Modifying cookies in templates is kinda weird.  It feels a bit too dangerous for this plugin (can probably modify HTTP headers?), so probably best to avoid it I think.

(07-07-2018 12:40 PM)leibovich Wrote:  I'm trying to show ADVs on specific foruns , but i'm get one error whe i'm using the IF statment.. see:

<if $GLOBALS['style']['fid'] != '9'  then>{myadvertisements[zone_1]}</if>
<if $GLOBALS['style']['fid'] ==  '9'  then>{myadvertisements[zone_4}</if>

If i use "!=" it works ok... but if i use "==" it don't work ... it prints on the page "{myadvertisements[zone_4}"

Bit confused by your example.  If that code is put in templates as shown, {myadvertisements...} won't evaluate to anything as there's a missing $.

(09-17-2018 05:19 AM)eldenroot Wrote:  I use XThreads and I have this situation:
1) I use image custom fields together with a text field... how to make template condition working if no image and no text is added -> so show this text "NO INFO AVAILABLE". Thank you?

My fields are mpcode and mpimage

Key variables are {$GLOBALS['threadfields']['mpcode']} and {$GLOBALS['threadfields']['mpimage']}.

[Turmoil]

Hi and thanks for this plugin, its great.
I am testing with PHP 7.0 on Windows and IIS and it all works fine
e.g. expressions such as <if $mybb->user['uid'] then>...</if>.
My hosting site is Linux with PHP 8.0 and this is failing with the following:

/index.php line 18 require_once
/global.php line 961 phptpl_templates->get
/inc/plugins/phptpl.php(66): eval()'d code line 19 phptpl_parsetpl
/inc/plugins/phptpl.php line 77 tplcond::parsetpl
/inc/plugins/phptpl.php line 112 preg_replace_callback_array
[PHP] tplcond::{closure}

My guess, is this is a PHP 8.0 incompatibility (any news on a PHP 8 version of this plugin?). If it's not that, can you give any help on how I diagnose this problem further?
Thanks again for your work.

[Turmoil]

Sorry, missed a key line of output:
Warning [2] Undefined array key 2 - Line: 95 - File: inc/plugins/phptpl.php PHP 8.0.27 (Linux)

[Darojax]

Hello, thanks for your plugin. However, I have an issue with the following statement in the header template:

<if $mybb->user['usergroup'] == 4>
    <div>TEST</div>
</if>

I'm trying to make the text TEST appear for admins (which are gid 4), but whenever I enter this in the template I get a (HTTP) 500 Internal Server Error.

Checking the cPanel error log this seems to be happening:

PHP Parse error: syntax error, unexpected ')' in /home/forum/htdocs/forum.16aa.net/global.php(961) : eval()'d code on line 19

This only occurs when I try to run the if statement, otherwise everything works fine.

Any advise or suggestions would be welcome. Thanks!

[Gerti]

(08-17-2023 11:23 PM)Darojax Wrote:  <if $mybb->user['usergroup'] == 4>
    <div>TEST</div>
</if>

Just write the statement (1st line) correctly:

Code:

<if $mybb->user['usergroup'] == 4 then> <div>TEST</div> </if>

---

[MisterHelp]

EDIT

I worked out the problem. The global_start hook within phptpl was the same as MyAlerts. MyAlerts refers to global_start lots of times, whereas phptpl only refers to it once. So I changed the below in phptpl:

$plugins->add_hook('global_start', 'phptpl_run');

To:

$plugins->add_hook('phptpl_global_start', 'phptpl_run');

And the edit conflict is now fixed.

Original post

I installed "Template Conditionals" but when I click "Quick Edit", it simply says "Loading..." and won't do any more. "Full edit" works without problems. I also uninstalled and entirely deleted "Template Conditionals" and tried "PHP in Templates" and the same happens.

I turned on error reports and it gave me the below error:

Code:

1 2 3 4 5 6

<br /> <b>Fatal error</b>:  Cannot declare class phptpl_templates, because the name is already in use in <b>/var/www/mybb/inc/plugins/phptpl.php(67) : eval()'d code</b> on line <b>2</b><br />

---

I've gone through and deactivated plugins and MyAlerts is causing the error mentioned. With MyAlerts deactivated, Quick Edit works fine.

Does anyone know how to fix? My board is on PHP 7.4.

Thank you!

[Anonymous]

Hi, I recently came across a thread on MyBB Support from someone that asked about randomizing polls, and another user replied that they could use this plugin to do so, how could this be done, as a user with no coding experience? The idea sounds interesting, and I would like to do the same.

If it helps, here is the post in question.

https://community.mybb.com/thread-227890...https://community.mybb.com/thread-227890-post-1350023.html#