Smarty and Security/Restricting the use of PHP code

So, I’ve got a project I’m working on for a pet supply drop-ship facilitator. The service allows users to open accounts. Each account comes with a Store for users to market and sell products with. Users can specify which products they’d like to include in their stores, and use either pre-made themes or custom themes to skin their stores with. The whole system is pretty similar to what Shopster.com offers.

The system is built on top of the CodeIgniter framework, and I’ve got nearly everything working…the product is really rock solid…with one exception.

For security reasons, I’m requiring that theme designers use Smarty Template syntax instead of PHP code to interface with data I’m sending to their stores.

Oddly (I’d think this would be standard for Smarty to do), Smarty isn’t removing PHP code when it’s passed through the parser, so PHP code is being executed at runtime. Shouldn’t removing PHP code be standard practice for the Smarty parser? Is it? I’m considering that maybe it’s the CodeIgniter integration class that’s causing the problem…but I’m not sure. I can’t see anything in the code that would cause the problem. If it IS in fact malfunctioning, can somebody tell me why? I’m lost…

If it’s not malfunctioning and it’s just a feature that Smarty is currently lacking, my solution is going to be to use REGEX to parse the templates when they’re submitted and remove any PHP code there, before permanently storing anything on my server. Is this the best way to do it? Can anybody think of a safer way to strip all PHP tags from these files?

Thanks in advance! :)