Posted by Jochem Maas on 10/15/14 11:20
Matthew Weier O'Phinney wrote:
> * "Jim MacDiarmid" <jim.macdiarmid@comcast.net>:
>
>>I'm very new to Smarty so I'm hoping someone can help me.
>>
>>Can someone explain how the $smarty.session.user variable is set? Is this
>>something native to smarty or something unique to the sample code I have?
>
>
> Smarty loads most of the superglobal variables (_GET, _POST, SESSION,
I never realised Smarty made all the superglobals available -
seems like madness to me.
GET/POST/REQUEST/COOKIE etc are tainted data - they should *never* be
available on the output end, IMHO, Smarty is aimed at designers (or
so I keep hearing) - wtf does a designer know about XSS, entity encoding,
etc, etc? if the designer knows enough about the relevant issues
to safely/correctly use POST/GET data then he/she is capable of understanding
'complex' structure of [php5's] object syntax (for instance) .. but it
has been repeatedly argued here that things 'must be kept simple' for the
designer (and not confuse him with programming nuances) ....
ERGO a big wall should be put between incoming Request data and the designer,
because allowing the possibility of doing something nasty with POST/GET/etc
is just as 'dangerous' (if not more so) than giving a designer the possibility
of using more complex syntax (especially given that a programmer would have to
write the object _and_ make it available in the template).
anybody care to explain that?
also SESSION/ENV/SERVER are for programmers not designers. again MO
> etc.) as keys of the $smarty variable. For $smarty.session to be set,
> you'll need to call session_start() in the script that creates the
> Smarty object. To make sure that $smarty.session.user is set, you'll
> also need to set $_SESSION['user'] in that same script, or in a previous
> script available in the same session.
>
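The point of the thread, shown in code. This is an added example, not code from the original posts or from the Smarty project: it assumes Smarty 3 installed via Composer (vendor/autoload.php), the `string:` template resource, the `escape` modifier and the `escape_html` property, all of which exist in Smarty 3.1. The request value is constructed inline so the script runs from the command line.

```php
<?php
// Added example (not from the thread). Demonstrates why a template that
// reads $smarty.get directly is risky, and the "wall" approach: validate in
// the controller, assign a plain variable, escape on output.

require __DIR__ . '/vendor/autoload.php';   // assumption: Smarty 3 via Composer

// Constructed untrusted input standing in for a real query string value.
$_GET['q'] = '<script>alert(1)</script>';

// Per Matthew's answer: session_start() in the script that creates the
// Smarty object, plus a $_SESSION['user'] value, is what makes
// {$smarty.session.user} resolve in a template.
session_start();
$_SESSION['user'] = 'alice';   // constructed sample value

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');

// 1. Designer reaches into the superglobal directly. The markup inside
//    $_GET['q'] is copied into the page verbatim: reflected XSS.
$unsafe = $smarty->fetch('string:Results for {$smarty.get.q}');

// 2. Same template, but the designer remembers the escape modifier.
//    Correct, yet it depends on every designer knowing to do this everywhere.
$escapedInTemplate = $smarty->fetch('string:Results for {$smarty.get.q|escape:"html"}');

// 3. Controller-side wall: the programmer validates the value, assigns it
//    under a plain name, and enables automatic HTML escaping of variable
//    output so the template never touches request data at all.
$q = isset($_GET['q']) ? (string) $_GET['q'] : '';
if (!preg_match('/^[\w\s-]{0,50}$/', $q)) {
    $q = '';   // reject anything outside the expected search-term alphabet
}
$smarty->escape_html = true;   // Smarty 3.1: auto-escape {$var} output
$smarty->assign('query', $q);
$safe = $smarty->fetch('string:Results for {$query} (user: {$smarty.session.user})');

echo "unsafe:   $unsafe\n";             // contains the raw <script> tag
echo "escaped:  $escapedInTemplate\n";  // contains &lt;script&gt;...
echo "walled:   $safe\n";               // query is empty, script never reaches the template
```

Running it prints the first line with the raw `<script>` tag, the second with `&lt;script&gt;`, and the third with an empty query, which is the difference between relying on the designer and relying on the controller.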