I have a PHP variable which has HTML/Smarty code in it
$x='<a href="{$link}" >{$title}</a>';
This data is fetched from the database. I want to evaluate it using Smarty and put the output into a PHP variable (to print it out or to save it to the database again).
Thanks
Edit:
I want the content of x to be evaluated using Smarty, as if the content of x were stored in a file.tpl and then $y=$smarty->fetch('file.tpl'); ... I want to do it without the need to save the content of x into a file.
See "Example 15.9. Using custom resources" here: http://www.smarty.net/docsv2/en/template.resources
If I am following you, you mean that the whole string was in the database, that is, with {$link} as part of the string. I'm not sure how Smarty works exactly, but it seems to me that if it even can do this, that string will have to have eval() run on it. (Unless Smarty is doing something funky that I'm missing; again, I don't work with Smarty.)
What this means is you have a VERY insecure setup here. Should your database ever suffer an SQL injection, your whole server could be compromised.
Running these off a file that was hard coded into the app is not a huge security concern, since you have control over the code that called the .tpl, and you have control over the .tpl itself. That is a 'safe' use of eval, as you'd have to have some serious access to the server already to be able to exploit it, the kind of access that would be the reason to exploit it.
But once you access that data from a database, presumably with some kind of admin system that lets you add new dynamic templates, you have created a window into your system that an attacker might sneak into.
None of the examples above worked for me, possibly because we're using an older version of Smarty at the moment. A solution that did work for us was to create a template, which we called eval.tpl, which contained the following line only:
Then, when we wanted to evaluate the string, we could simply use the following:
If you aren't using Smarty 3 and you don't have the string/eval resource, then you can use the Smarty eval plugin. I found this much simpler than creating a custom resource and much less problematic.
If you're using Smarty 3, you can easily do it by
or 'eval:'.$template_string. More about it in the manual.
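An added example, not code from any of the answers above: rendering a database-stored template string through the Smarty 3 eval: resource with a Smarty_Security policy enabled, which addresses the concern raised earlier about templates that come from the database. It assumes Smarty 3.1 installed via Composer; the class name DbTemplatePolicy, the helper renderDbTemplate and the sample values are hypothetical.

```php
<?php
// Added example. Assumes Smarty 3.1 installed via Composer (autoload path is an assumption).
require __DIR__ . '/vendor/autoload.php';

// Policy for templates loaded from the database rather than from trusted files.
// Note: for $php_functions and $php_modifiers an EMPTY array means "allow all";
// null means "allow none".
class DbTemplatePolicy extends Smarty_Security
{
    public $php_functions = array('isset', 'empty'); // only these PHP functions in {if}
    public $php_modifiers = null;                    // no PHP functions as |modifier
    public $static_classes = null;                   // no Class::method() calls
    public $streams = null;                          // no stream wrappers
    public $allow_constants = false;                 // no PHP constants
    public $allow_super_globals = false;             // no $smarty.get, $smarty.server, ...
    public $disabled_tags = array('include', 'fetch', 'eval', 'insert');
}

// Hypothetical helper: render a template string under the policy and return the output.
function renderDbTemplate($templateString, array $vars)
{
    $smarty = new Smarty();
    $smarty->enableSecurity('DbTemplatePolicy');
    $smarty->escape_html = true; // HTML-escape variable output by default
    $smarty->assign($vars);
    return $smarty->fetch('eval:' . $templateString);
}

// Constructed sample standing in for the database row and its variables.
$x = '<a href="{$link}">{$title}</a>';
$y = renderDbTemplate($x, array(
    'link'  => 'https://example.com/?a=1&b=2',
    'title' => 'Tom & Jerry <home>',
));
echo $y, "\n";

// A stored template that uses a PHP function outside the allow-list is
// rejected at compile time instead of being executed.
try {
    renderDbTemplate('{$title|md5}', array('title' => 'x'));
} catch (Exception $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The eval: resource recompiles the string on every call, while string: writes a compiled file per unique template string, so string: suits templates that are reused often.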