<HTML ><HEAD ><TITLE >$security</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Smarty Manual" HREF="index.html"><LINK REL="UP" TITLE="Smarty Class Variables" HREF="api.variables.html"><LINK REL="PREVIOUS" TITLE="$php_handling" HREF="variable.php.handling.html"><LINK REL="NEXT" TITLE="$secure_dir" HREF="variable.secure.dir.html"><META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=ISO-8859-1"></HEAD ><BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Smarty Manual</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="variable.php.handling.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 12. Smarty Class Variables</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="variable.secure.dir.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="variable.security" ></A >$security</H1 ><P > <TT CLASS="parameter" ><I >$security</I ></TT > can be <TT CLASS="constant" >TRUE</TT > or <TT CLASS="constant" >FALSE</TT > and defaults to <TT CLASS="constant" >FALSE</TT >. Security is useful when untrusted parties can edit the templates, e.g. via FTP, and you want to reduce the risk of system security compromises through the template language. 
Turning on security enforces the following rules on the template language, unless specifically overridden with <A HREF="variable.security.settings.html" > <TT CLASS="parameter" ><I >$security_settings</I ></TT ></A >: </P ><P ></P ><UL ><LI ><P >If <A HREF="variable.php.handling.html" ><TT CLASS="parameter" ><I >$php_handling</I ></TT ></A > is set to <TT CLASS="constant" >SMARTY_PHP_ALLOW</TT >, this is implicitly changed to <TT CLASS="constant" >SMARTY_PHP_PASSTHRU</TT > </P ></LI ><LI ><P > PHP functions are not allowed in <A HREF="language.function.if.html" ><TT CLASS="varname" >{if}</TT ></A > statements, except those specified in the <A HREF="variable.security.settings.html" ><TT CLASS="parameter" ><I >$security_settings</I ></TT ></A > </P ></LI ><LI ><P > Templates can only be included from directories listed in the <A HREF="variable.secure.dir.html" ><TT CLASS="parameter" ><I >$secure_dir</I ></TT ></A > array </P ></LI ><LI ><P > Local files can only be fetched from directories listed in the <A HREF="variable.secure.dir.html" ><TT CLASS="parameter" ><I >$secure_dir</I ></TT ></A > array using <A HREF="language.function.fetch.html" ><TT CLASS="varname" >{fetch}</TT ></A > </P ></LI ><LI ><P > <A HREF="language.function.php.html" ><TT CLASS="varname" >{php}{/php}</TT ></A > tags are not allowed </P ></LI ><LI ><P > PHP functions are not allowed as modifiers, except those specified in the <A HREF="variable.security.settings.html" ><TT CLASS="parameter" ><I >$security_settings</I ></TT ></A > </P ></LI ></UL ></DIV ></BODY ></HTML >
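A configuration sketch that applies the $security rules listed above, added here as an example and not taken from the Smarty manual. It assumes Smarty 2.x; the install location, directory paths and template name are hypothetical placeholders, and the `$security_settings` keys used are those of the Smarty 2.x array described on the linked $security_settings page.

```php
<?php
// Added example (not from the Smarty manual): Smarty 2.x set up for
// templates that untrusted parties can edit. All paths are placeholders.
define('SMARTY_DIR', '/usr/local/lib/php/Smarty/');   // assumed install location
require_once SMARTY_DIR . 'Smarty.class.php';

$smarty = new Smarty();
$smarty->template_dir = '/srv/app/templates/';    // editable by template authors
$smarty->compile_dir  = '/srv/app/templates_c/';  // compiled templates are PHP files:
                                                  // keep this out of the editors' reach

// Enable the rule set described on this page.
$smarty->security = true;

// {include} and {fetch} of local files are confined to these directories.
// Resolve each entry up front so a mistyped path fails loudly at startup.
$secure = array();
foreach (array('/srv/app/templates/', '/srv/app/shared_snippets/') as $dir) {
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        trigger_error("secure_dir entry is not a directory: $dir", E_USER_ERROR);
    }
    $secure[] = $real;
}
$smarty->secure_dir = $secure;

// $security_settings can override the rules, so pin the restrictive values
// explicitly instead of relying on defaults that other code may have changed.
$smarty->security_settings['PHP_HANDLING']    = false; // keep the $php_handling rule in force
$smarty->security_settings['PHP_TAGS']        = false; // {php}{/php} stays forbidden
$smarty->security_settings['INCLUDE_ANY']     = false; // includes limited to $secure_dir
$smarty->security_settings['ALLOW_CONSTANTS'] = false; // no PHP constants in templates

// IF_FUNCS and MODIFIER_FUNCS are allowlists: every name added becomes
// callable by template authors. Only side-effect-free functions belong here.
$smarty->security_settings['MODIFIER_FUNCS'] = array('count');

// Stated explicitly; SMARTY_PHP_ALLOW would be changed to this under $security.
$smarty->php_handling = SMARTY_PHP_PASSTHRU;

$smarty->display('index.tpl');   // hypothetical template name
```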