LemonStand Forum: Is it safe to use eval()?

Is it safe to use eval()?

#1 Crempa

  • Member
  • Group: Members
  • Posts: 13
  • Joined: 15-December 11

Posted 09 January 2012 - 03:09 AM

Hi,
I love the LemonStand philosophy of extensions and API structure, but... is it safe to use eval() for CMS rendering from blocks saved in the database? Do you use some protection against things like unlink(index.php) in partials, for example?
I think that somebody with database access could change the behaviour of the eshop unobserved. Is it possible to disable evaluating code from the database after setting up the eshop pages/partials etc.?

Please don't take this as criticism; I haven't studied the source code too deeply, I'm only a little nervous when I see things like eval($this->page->pre_action); :)

Thank you

#2 Aleksey

  • Co-Founder
  • Group: +Administrators
  • Posts: 3,631
  • Joined: 31-October 09

Posted 10 January 2012 - 05:10 PM

Hi,

We do not use a protection mechanism like the one you mentioned, for the following reasons. 1) If somebody has database access to your store, it already means that your business can be ruined (for example by deleting the orders table). 2) Including files (instead of eval()) is vulnerable to the same extent if somebody has file access to your server. It is not possible to protect a store from all possible hacker attacks with PHP alone. You should take care of your server security so that nobody but system administrators has access to the database and files.

Thank you
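The pattern both posts are talking about, shown as an added example (this is code written for this page, not LemonStand's source): a page action stored as PHP in a database row is handed straight to eval(), so whoever can UPDATE that row can run anything. The second half shows one way to turn Aleksey's point into an actual boundary: sign the stored code with a key that exists only in a file outside the web root, and refuse to eval() a row whose HMAC does not verify. An attacker with database access alone can change the code but cannot forge the MAC; an attacker with file access could read the key or edit the PHP files directly, which is exactly the "file access" case Aleksey says cannot be defended in PHP. The row layout (`pre_action`, `pre_action_mac`), the function names and the key file path are assumptions for the example.

```php
<?php
// Added example, not LemonStand code. Column names (pre_action, pre_action_mac),
// function names and the key location are hypothetical.
declare(strict_types=1);

// Constructed sample row, standing in for a SELECT from the pages table.
$page = [
    'id'             => 7,
    'pre_action'     => 'return strtoupper("hello from the page action");',
    'pre_action_mac' => null, // filled in by sign_page_code() below
];

// --- The pattern as asked about in the thread -----------------------------
// Whatever is in the column runs. Anyone who can UPDATE the row can replace the
// action with unlink("index.php"), a web shell, or anything else.
function run_unprotected(array $page)
{
    return eval($page['pre_action']);
}

// --- Hardened variant: stored code is signed with an on-disk key ------------
// The key is read from a file outside the web root, never from the database.
function code_mac(string $code, string $key): string
{
    return hash_hmac('sha256', $code, $key);
}

// Called by the admin UI when the page is saved, with the server-side key.
function sign_page_code(array &$page, string $key): void
{
    $page['pre_action_mac'] = code_mac($page['pre_action'], $key);
}

// Called at render time. A row whose MAC does not verify is refused, never run.
function run_protected(array $page, string $key)
{
    $expected = code_mac($page['pre_action'], $key);
    if (!is_string($page['pre_action_mac'])
        || !hash_equals($expected, $page['pre_action_mac'])) {
        throw new RuntimeException(
            "page {$page['id']}: stored code fails integrity check, not executing"
        );
    }
    return eval($page['pre_action']);
}

// In a real deployment: $key = file_get_contents('/etc/lemonstand/code_signing.key');
// (hypothetical path; the file must be unreadable by the database user and the
// web server must only be able to read it, not write it). Random key for the demo.
$key = random_bytes(32);

sign_page_code($page, $key);
echo run_protected($page, $key), "\n";      // HELLO FROM THE PAGE ACTION

// Simulate an attacker who has database access but not file access: the code
// column changes, the MAC column cannot be recomputed without the key.
$page['pre_action'] = 'unlink("index.php");';
try {
    run_protected($page, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";            // refused, index.php untouched
}
```

This does not make eval() safe; it only moves the question to "who can write to the key file", which is the server-security boundary the reply describes. It also does nothing against a compromised admin account, since the admin UI signs whatever the admin saves, and the recent-backups advice in the next post still applies.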

#3 Eric

  • Developer
  • Group: Members
  • Posts: 1,290
  • Joined: 04-August 10
  • Location: Vancouver, Canada

Posted 10 January 2012 - 06:13 PM

And always have recent backups of both files and database.