Pascal Klein

Reputation: 24873

Restricting certain php files to just being able to access specific variables

In my web app I allow my enterprise customers to completely customize one of their webpages. But these webpages are still part of my web application and are hosted on my server.

My customers should be able to completely design their webpage with CSS, HTML and JavaScript. And I also want to give them access to specific dynamic variables. I have 3 different options to give them access to these variables:

I actually think the third option is the best, because PHP already works great as a template engine. But if I just let them upload any kind of PHP file, my customers could also call functions and fire database queries, because their code has permission limitation.

Is there any way to use a PHP file, but just give this PHP file access to a certain amount of predefined variables? Especially without the permission to do database queries, reading global variables, saving content to the server or any other actions that could cause security issues.

Upvotes: 1

Views: 63

Answers (1)

Thomas Martin Klein

Reputation: 444

A template engine is the way to go. Securing PHP would be quite hard, if not impossible. I do not know your scenario, or your clients, but in my experience they abuse such an opportunity much more than they use it. That's even more true if they have no database access, as that would be the only real reason to have PHP.

Upvotes: 1
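
The template-engine approach the answer recommends, shown as an added example that is not code from the question or the answer: the customer's markup is handled as a plain string and only `{{ name }}` placeholders from an allowlist are substituted, so nothing the customer uploads is ever executed as PHP. The function name `renderCustomerTemplate`, the placeholder syntax and the sample variables are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for this example: renders a customer template in which
// {{ name }} is the only dynamic syntax. The template is handled purely as a
// string and never reaches include/require/eval, so it cannot call functions,
// query the database or read globals.
function renderCustomerTemplate(string $template, array $allowedVars): string
{
    // Refuse PHP open tags so a stored upload stays inert even if it is ever
    // served from a path the web server hands to the PHP interpreter.
    if (strpos($template, '<?') !== false) {
        throw new InvalidArgumentException('PHP tags are not allowed in templates');
    }

    $out = preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $m) use ($allowedVars): string {
            if (!array_key_exists($m[1], $allowedVars)) {
                throw new OutOfBoundsException("Unknown template variable: {$m[1]}");
            }
            // Escaping suits HTML text and quoted attributes; a value placed
            // inside a <script> block would need json_encode() instead.
            return htmlspecialchars((string) $allowedVars[$m[1]], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('Template rendering failed');
    }
    return $out;
}

// Constructed sample data: the predefined variables the application exposes.
$vars = ['customer_name' => 'Acme <b>Corp</b>', 'plan' => 'Enterprise'];

// Constructed sample templates: one valid, one that tries to embed PHP.
$samples = [
    '<h1>Welcome, {{ customer_name }}</h1><p>Plan: {{plan}}</p>',
    '<p><?php echo $plan; ?></p>',
];
foreach ($samples as $template) {
    try {
        echo renderCustomerTemplate($template, $vars), PHP_EOL;
    } catch (InvalidArgumentException | OutOfBoundsException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```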
