In my webapp I allow my enterprise customers to completely customize one of their webpages. But these webpages are still part of my web application and are hosted on my server.
My customers should be able to completely design their webpage with CSS, HTML and JavaScript. And I also want to give them access to specific dynamic variables. I have 3 different options to give them access to these variables:
- Using str_replace, so that I just replace certain variable-names in their webpage with the corresponding dynamic value
- Using some kind of template engine like Smarty, which they can use within their webpage
- Using PHP itself, so that they can use certain PHP variables
I actually think the third option is the best, because PHP already works great as a template engine. But if I just let them upload any kind of PHP file, my customers could also call functions and fire database queries, because their code has permission limitation.
Is there any way to use a PHP file, but just give this PHP file access to a certain amount of predefined variables? Especially without the permission to do database queries, reading global variables, saving content to the server or any other actions that could cause security issues.
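
For reference, the first option in the list above as an added example that is not part of the original post: the customer page is handled purely as data and only allowlisted placeholders are filled in. The `{{name}}` placeholder syntax, the function name `render_customer_template` and the sample values are assumptions made for illustration; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: render a customer-supplied page by substituting only
 * allowlisted placeholders of the form {{name}}. The template is treated as
 * data: it is never include()d or eval()ed, so PHP tags in it do not execute.
 */
function render_customer_template(string $template, array $allowedVars): string
{
    // One pass over the template. Inserted values are not rescanned, so a
    // value containing "{{other}}" cannot trigger a second substitution
    // (str_replace() with arrays replaces sequentially and would rescan it).
    $out = preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        static function (array $m) use ($allowedVars): string {
            $name = $m[1];
            if (!array_key_exists($name, $allowedVars)) {
                return $m[0]; // not on the allowlist: leave the text untouched
            }
            // Encode for HTML text and quoted-attribute contexts.
            return htmlspecialchars(
                (string) $allowedVars[$name],
                ENT_QUOTES | ENT_SUBSTITUTE,
                'UTF-8'
            );
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('Substitution failed: ' . preg_last_error_msg());
    }
    return $out;
}

// Constructed sample input: one allowed variable, one unknown placeholder,
// a PHP tag, and a value that itself contains placeholder syntax.
$template = '<h1>Welcome, {{ user_name }}</h1><p>{{db_password}}</p><?php phpinfo(); ?>';
$vars = [
    'user_name' => 'Ann <{{company}}>',
    'company'   => 'Example Ltd',
];

echo render_customer_template($template, $vars), "\n";
```

The values are encoded for HTML only; a placeholder placed inside a customer's `<script>` block would need JavaScript-appropriate encoding (for example `json_encode`) instead.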