Smarty : evaluate a template stored in a PHP variable

Question

i have a php variable which has html/smarty code in it

$x='<a href="{$link}" >{$title}</a>';

This data is fetched from database , i want to evaluate it using smarty and put the output into a php variable (to print it out or to save it to the database again) .

Thanks

Edit :

i want the content of X to be evaluated using smarty , as if the content of x is stored in a file.tpl then $y=$smarty->fetch('file.tpl'); ... want to do it without the need to save the content of x into a file

i want the content of X to be evaluated using smarty , as if the content of x is stored in a file.tpl then $y=$smarty->fetch('file.tpl'); ... want to do it without the need to save the content of x into a file — Rami Dabain, Nov 30 '10 at 15:02

score 14 · Accepted Answer · answered Nov 30 '10 at 15:36

14

If you're using Smarty 3, you can easily do it by

$smarty->fetch('string:'.$template_string);

or 'eval:'.$template_string. more about it in the manual

answered Nov 30 '10 at 15:36

meze

14,975
4
47
52

score 5 · Answer 2 · edited Nov 23 '12 at 16:04

5

If you aren't using Smarty 3 and you don't have the string/eval resource the you can use the Smarty eval plugin. I found this much simpler than creating a custom resource and much less problematic.

$template = "put some {$variables} in here"
require_once( $smarty->_get_plugin_filepath( 'function', 'eval' ));
$compiled = smarty_function_eval(array('var'=>$template), $smarty);

edited Nov 23 '12 at 16:04

bluish

26,356
27
122
180

answered Nov 23 '12 at 15:43

Peter

51
1
1

score 5 · Answer 3 · answered Oct 15 '13 at 13:37

5

None of the examples above worked for me, possibly because we're using an older version of smarty at the moment. A solution that did work for us was to create a template, which we called eval.tpl which contained the following line only:

{eval var=$string}

Then, when we wanted to evaluate the string, we could simply use the following:

$smarty->assign('string', $string);
$result = $smarty->fetch('eval.tpl');

answered Oct 15 '13 at 13:37

AntonChanning

509
2
13
37

i would like to know what version are you using ? – Rami Dabain Oct 15 '13 at 14:13
@RonanDejhero How do I find out? Another developer added smarty to our codebase ages ago, and I can't see any version number in Smarty.class.php – AntonChanning Oct 15 '13 at 14:42
@RonanDejhero Wait, actually it was in there as a property of the class. It is version '2.6.18'. – AntonChanning Oct 15 '13 at 14:53

score 2 · Answer 4 · answered Nov 30 '10 at 15:06

2

See "Example 15.9. Using custom resources" here: http://www.smarty.net/docsv2/en/template.resources

answered Nov 30 '10 at 15:06

initall

2,385
19
27

score 2 · Answer 5 · answered Nov 30 '10 at 15:13

If I am following you, you mean that the whole string was in the database, that is, with {$link} as part of the string. I'm not sure how smarty works exactly, but it seems to me that if it even can do this, that string will have to have eval() run on it. (Unless smarty is doing something funky that I'm missing, again, I don't work with smarty)

What this means is you have a VERY insecure setup here. Should your database ever suffer an SQL injection, your whole server could be compromised.

Running these off a file that was hard coded into the app is not a huge security concern, since you have control over the code that called the .tpl, and you have control over the .tpl itself. That is a 'safe' use of eval, as you'd have to have some serious access to the server already to be able to exploit it, the kind of access that would be the reason to exploit it.

But once you access that data from a database, presumably with some kind of admin system that let's you add new dynamic templates, you have created a window into your system that an attacker might sneak into.

On the other hand, if the system has already suffered an SQL injection, running eval in smarty is probably the least of your concerns. — AntonChanning, Nov 14 '19 at 10:41

Smarty : evaluate a template stored in a PHP variable

5 Answers5

Linked