Re: [PHPTAL] Cache / Compilation behavior
Kornel Lesinski wrote: On Thu, 08 May 2008 15:46:42 +0100, Brice Burgess <[EMAIL PROTECTED]> wrote: From the responses received thus far; it looks like PHPTAL does depend on a user-configured writable directory to compile its templates to? By default it uses PHP's sys_get_temp_dir() to get writeable directory and if that fails, falls back to standard temp paths (supports Windows). User doesn't have to configure anything. It should just work on any sane setup. The option is there only for insane setups ;) You can catch (IMHO very rare) case when server doesn't have writeable temp dir: if (!is_dir($phptal->getPhpCodeDestination()) || !is_writeable($phptal->getPhpCodeDestination())) { // display setup instructions and/or change configuration with $phptal->setPhpCodeDestination() } Alright. Good to hear that PHPTAL takes advantage of PHP's temp/session directory by default. I had a feeling it may. Thanks also for your compile dir write failure detection case! Now commences the uphill quest of raising the bar to PHP 5 && dropping smarty. ;) We'll see who wins. ~ Brice ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
Re: [PHPTAL] Cache / Compilation behavior
On Thu, 08 May 2008 15:46:42 +0100, Brice Burgess <[EMAIL PROTECTED]> wrote: My apologies for being vague. I meant 777 as the "lowest common denominator" because it's the "easiest". poMMo is open source software that is meant to be simple to install. The vast majority of users don't know what an "owner" is, let alone the user in which the webserver runs under. Also, the software (kind of) supports IIS, so I don't like to rely on .htaccess files to accomplish anything. --- From the responses received thus far; it looks like PHPTAL does depend on a user-configured writable directory to compile its templates to? Is it possible to store compilations in a MySQL table -- and get rid of the directory dependence? By default it uses PHP's sys_get_temp_dir() to get writeable directory and if that fails, falls back to standard temp paths (supports Windows). User doesn't have to configure anything. It should just work on any sane setup. The option is there only for insane setups ;) Currently it's not possible to store compiled templates in the DB. I applaud your intention of making easily installable application, but I'm not convinced that DB storage is needed and worth the effort. Among other things it would involve use of eval() which makes it impossible for PHP accelerators like APC to cache templates. You can catch (IMHO very rare) case when server doesn't have writeable temp dir: if (!is_dir($phptal->getPhpCodeDestination()) || !is_writeable($phptal->getPhpCodeDestination())) { // display setup instructions and/or change configuration with $phptal->setPhpCodeDestination() } -- regards, Kornel ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
Re: [PHPTAL] Cache / Compilation behavior
Kornel Lesinski wrote: On Thu, 08 May 2008 02:43:45 +0100, Brice Burgess <[EMAIL PROTECTED]> wrote: Having users set proper permissions on a "working" directory crosses eyes... let alone the introduces the possibility of a security risk as "777" is the lowest common denominator here! 0700 is the lowest, if you make this directory owned by web server process. My apologies for being vague. I meant 777 as the "lowest common denominator" because it's the "easiest". poMMo is open source software that is meant to be simple to install. The vast majority of users don't know what an "owner" is, let alone the user in which the webserver runs under. Also, the software (kind of) supports IIS, so I don't like to rely on .htaccess files to accomplish anything. --- From the responses received thus far; it looks like PHPTAL does depend on a user-configured writable directory to compile its templates to? Is it possible to store compilations in a MySQL table -- and get rid of the directory dependence? Many thanks, ~ Brice ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
Re: [PHPTAL] Cache / Compilation behavior
On Thu, 08 May 2008 10:43:27 +0100, Iván -DrSlump- Montes <[EMAIL PROTECTED]> wrote: What about using an .htaccess to deny access on the output directory? In the ideal case scenario it should be outside the document root of the web server (not accessible from the internet). Of course they should be outside of web server root (although they're rather harmless, because the template code is in a function. The compiled template files when executed from outside will not execute template code and will not reveal any data). I assume the extra protection is needed to protect from other users that have access to the file system or just to harden website against attacks. -- regards, Kornel ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
Re: [PHPTAL] Cache / Compilation behavior
What about using an .htaccess to deny access on the output directory? In the ideal case scenario it should be outside the document root of the web server (not accessible from the internet). Iván On Thu, May 8, 2008 at 11:09 AM, Kornel Lesinski <[EMAIL PROTECTED]> wrote: > On Thu, 08 May 2008 02:43:45 +0100, Brice Burgess <[EMAIL PROTECTED]> wrote: > > > > Having users set proper permissions on a "working" directory crosses > eyes... let alone the introduces the possibility of a security risk as "777" > is the lowest common denominator here! > > > > 0700 is the lowest, if you make this directory owned by web server process. > > > If you're very concerned about having PHP files writeable, you can force > PHPTAL to compile everything beforehand (e.g. in Makefile or install script) > and then make these files read-only, e.g.: > > foreach($all_template_files as $file) > { > $phptal->setTemplate($file); > $phptal->prepare(); > chmod($phptal->getCodePath(), 0400); > } > > but I don't recommend this, because PHPTAL will panic if you later change > source files and it won't be able to recompile them. > > -- > regards, Kornel > > > > ___ > PHPTAL mailing list > PHPTAL@lists.motion-twin.com > http://lists.motion-twin.com/mailman/listinfo/phptal > ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
Re: [PHPTAL] Cache / Compilation behavior
On Thu, 08 May 2008 02:43:45 +0100, Brice Burgess <[EMAIL PROTECTED]> wrote: Having users set proper permissions on a "working" directory crosses eyes... let alone the introduces the possibility of a security risk as "777" is the lowest common denominator here! 0700 is the lowest, if you make this directory owned by web server process. If you're very concerned about having PHP files writeable, you can force PHPTAL to compile everything beforehand (e.g. in Makefile or install script) and then make these files read-only, e.g.: foreach($all_template_files as $file) { $phptal->setTemplate($file); $phptal->prepare(); chmod($phptal->getCodePath(), 0400); } but I don't recommend this, because PHPTAL will panic if you later change source files and it won't be able to recompile them. -- regards, Kornel ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
Re: [PHPTAL] Cache / Compilation behavior
Yes, PHPTAL uses a temporary directory to store compiled versions of the templates. It uses system's tmp directory by default (via sys_get_temp_dir() function or intelligent guess) - and if that doesn't suit you, you can always configure it by a PHPTAL_PHP_CODE_DESTINATION constant or setPhpCodeDestination() method. Check the source code for details. ___ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal