A tag used to obtain the value of a variable passed though an #INCLURE of from a URL

  • New in : SPIP 1.8

[(#ENV{variable, default_value})] (since SPIP 1.8, 1.8.1)

#ENV{variable} is used to retrieve environment variables for a template, also known as its context [1].

A template can be passed this variable from the URL (the HTTP request) or from a file that it includes, or from the results of a form.

Example of a variable passed in the URL: spip.php?rubrique24&id_mot=5
Within rubrique.html, #ENV{id_mot} equals 5.

Example of a variable passed in an INCLURE:<INCLURE{fond=my_template} {id_article=136}>
Within my_template.html, #ENV{id_article} equals 136.

Default values

[(#ENV{variable, default_value})]: the optional parameter default_value contains the value that will be returned if the variable does not exist in the current context (equivalent to [(#ENV{variable}|sinon{default_value})]).

This is useful when one template is included by several other templates, and when a different behaviour is required depending on different contexts.

bypassing the security processes

By default, SPIP applies the interdire_scripts and entites_html scripts to the #ENV tag. Just as with any other tag, these automatic SPIP processes can be omitted using #ENV* and #ENV** (please refer to the article named #TAG* and #TAG** on how to use * and ** ).

#ENV* returns the variable without applying the entites_html filter, that is, without converting all the special characters into their equivalent HTML entities.
#ENV** returns the variable without applying the interdire_scripts function. It therefore returns content with any embedded PHP code already executed. [2]
This can pose a security problem if this variable is passed a code injection attack. This is why interdire_scripts is provided by default to disable any < and other <script language=php> references contained in the variable.

Nevertheless, #ENV** has a useful application when constructing some forms. Using the double asterisk is then necessary for displaying CVT forms. For example, to retrieve the table of errors within the form’s template file:



[1For security reasons, #ENV can not retrieve (nor display) variables named as PHPSESSID or any variables that start with var_ (e.g. var_mode and var_profile).

[2imagine a very simple form:

<form method="get">
<input type="text" name="test" value="#ENV{test}"> <input type="submit">
#ENV{test}<br />
#ENV*{test}<br />
#ENV**{test}<br />

within the displayed form, we could enter: <?php echo date('Y-m-d'); ?> into the "test" field and then validate.

-  #ENV{test} will return (source html) : &lt;?php echo date('Y-m-d'); ?&gt;
-  #ENV*{test} will return (source html) : &lt;?php echo date('Y-m-d'); ?>
-  #ENV**{test} will return (source html) : 2009-02-12 i.e. the executed PHP code.

Author Mark Published : Updated : 26/10/12

Translations : عربي, català, English, Español, français, Nederlands, русский, Türkçe, українська