Of course! Let's dive deep into {dede:field name='body' runphp='yes'}. This is one of the most powerful and commonly used features in DedeCMS (织梦内容管理系统), but it can also be a source of confusion and security risks if not used correctly.

What is {dede:field name='body' runphp='yes'}?
In simple terms, it's a DedeCMS template tag that allows you to execute PHP code directly within your article's content (body field) or other custom fields.
- {dede:field name='body'}: This is the standard tag to display the full content of an article.
- runphp='yes': This attribute tells DedeCMS, "Don't just display this text. Treat it as a PHP script, execute it, and then display the result."
Basic Syntax and How It Works
The basic structure is:
{dede:field name='你的字段名' runphp='yes'}
// your PHP code goes here
$GLOBALS['arg1'] = "value1"; // global variables may be defined here
$reval = "处理后的结果"; // the content that will finally be output
@me = $reval; // the final output must be assigned with @me = ...
{/dede:field}
Key Points:
- @me variable: This is the most important concept. Inside the runphp block, @me is a special variable that holds the original value of the field. For {dede:field name='body' runphp='yes'}, @me initially contains the full HTML and text of the article.
- Assignment operator: You must use @me = ... to set the final output. Whatever you assign to @me will be what the user sees on the page. If you don't assign anything to @me, nothing will be printed.
- Global variables: You can define global variables (e.g., $GLOBALS['myVar']) within the block and use them elsewhere on the page, though this is less common for simple field processing.
Practical Use Cases (Examples)
Here are some common and practical examples of what you can do with runphp='yes'.

Example 1: Extracting the First Image from an Article
This is a very popular use case. You want to display a thumbnail of the first image in the article content on the list page.
{dede:field name='body' runphp='yes'}
// 1. Get the original content
$content = @me;
// 2. Use a regular expression to match the first img tag
preg_match('/<img.*?src="(.*?)".*?>/i', $content, $matches);
// 3. Check whether an image was found
if (isset($matches[1])) {
// If found, set @me to the image URL
@me = $matches[1];
} else {
// If not found, fall back to a default image
@me = '/images/default-thumbnail.jpg';
}
{/dede:field}
You can then use this inside a list tag in your list template like this (inside {dede:list} or {dede:arclist}, fields use the [field:...] form):
<img src="[field:body runphp='yes']...[/field:body]" alt="{dede:field.title/}" />
Example 2: Stripping HTML to Get a Plain Text Summary
You want to display a short text-only summary of the article, stripping all HTML tags.
{dede:field name='body' runphp='yes'}
// 1. Get the original content
$content = @me;
// 2. Remove all HTML tags
$text = strip_tags($content);
// 3. Keep the first 200 characters
$summary = mb_substr($text, 0, 200, 'utf-8');
// 4. Set the final output
@me = $summary;
{/dede:field}
Example 3: Modifying Content Based on Conditions
Let's say you want to add a special "New!" badge to articles published within the last 7 days.
{dede:field name='pubdate' runphp='yes'}
// 1. Get the publication timestamp
$pubdate = @me;
// 2. Get the current timestamp
$now = time();
// 3. Compute the threshold (7 days = 7 * 24 * 3600 seconds)
$weekInSeconds = 7 * 24 * 3600;
// 4. Compare
if (($now - $pubdate) < $weekInSeconds) {
@me = "<span style='color:red;font-weight:bold;'>New!</span> ";
} else {
@me = ""; // not a new article, output nothing
}
{/dede:field}
{dede:field.title/}
In this example, @me for the pubdate field is overwritten with the HTML for the "New!" badge if the condition is met.
Important Security Warning (The "Yes" Side of runphp='yes')
This is the most critical part you need to understand.
Using runphp='yes' is a potential security vulnerability.
Why? Because it allows template authors (or anyone with access to edit templates) to execute arbitrary PHP code. This can be exploited to:
- Execute Remote Code (RCE): A malicious user could upload a template containing PHP code that deletes files, steals data, or takes over the server.
- Bypass Security: It can be used to circumvent other security measures in place.
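Before deciding how far to lock this down, it helps to know where PHP execution is actually switched on in your templates and what the PHP runtime still exposes to such code. The script below is an added example of my own (not DedeCMS code): it walks a template directory for runphp='yes' attributes and {dede:php} block openers, and lists which shell-related functions remain callable. The template directory and the three .htm files are constructed here so the script runs stand-alone; function names are my own.

```php
<?php
// Added example (my own code, not part of DedeCMS): locate every template tag
// that turns on PHP execution, and report which shell-related PHP functions
// the runtime still exposes. The template directory is created below with
// constructed sample files so the script runs stand-alone.

function findPhpEnabledTags(string $templateDir): array
{
    $findings = [];
    // runphp='yes' / runphp="yes" in any letter case, plus {dede:php} block openers.
    $pattern = '/runphp\s*=\s*[\'"]yes[\'"]|\{dede:php\b/i';

    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($templateDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        // DedeCMS templates are .htm files; .html is accepted as well.
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), ['htm', 'html'], true)) {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $index => $line) {
            if (preg_match($pattern, $line)) {
                $findings[] = [
                    'file' => $file->getPathname(),
                    'line' => $index + 1,
                    'text' => trim($line),
                ];
            }
        }
    }
    return $findings;
}

function exposedShellFunctions(
    array $candidates = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen']
): array {
    // function_exists() returns false for anything listed in disable_functions,
    // so whatever comes back is still callable from template PHP. Note that eval
    // is a language construct, not a function, so disable_functions cannot cover it.
    return array_values(array_filter($candidates, 'function_exists'));
}

// Constructed sample templates in a temporary directory.
$dir = sys_get_temp_dir() . '/dede-audit-' . uniqid();
mkdir($dir . '/default', 0700, true);
file_put_contents($dir . '/default/list_article.htm',
    "{dede:list pagesize='10'}\n[field:body runphp='yes']...[/field:body]\n{/dede:list}\n");
file_put_contents($dir . '/default/article.htm',
    "{dede:field.title/}\n{dede:field.body/}\n");
file_put_contents($dir . '/default/footer.htm',
    "{dede:php}\necho date('Y');\n{/dede:php}\n");

// Report one line per finding: file, line number, and the offending tag text.
foreach (findPhpEnabledTags($dir) as $hit) {
    printf("%s:%d  %s\n", $hit['file'], $hit['line'], $hit['text']);
}
printf("Shell functions still callable: %s\n", implode(', ', exposedShellFunctions()) ?: '(none)');

// Remove the constructed files again.
foreach (glob($dir . '/default/*') as $f) {
    unlink($f);
}
rmdir($dir . '/default');
rmdir($dir);
```

Run it against the real template directory by replacing the constructed $dir with the path to your templets folder; every line it reports is a place where template editing rights equal code execution rights, which is the list you review when deciding who may edit templates.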
How to Mitigate the Risk
- Trust Your Editors: Only allow runphp='yes' to be used by trusted administrators and developers who understand the risks. Do not give template editing permissions to untrusted users.
- Use Alternatives When Possible: For common tasks like getting the first image or a summary, it's often safer and better to use DedeCMS's built-in functions or custom PHP functions in include/inc/inc_fun_funAdmin.php or extend.func.php. This keeps the PHP logic separate from the template layer. For example, for the first image you could write a function in extend.func.php:

function GetFirstImg($body){
    preg_match_all("/<img.*?src=[\'|\"](.*?)[\'|\"].*?[\/]?>/i", $body, $matches);
    if(!empty($matches[1][0])){
        return $matches[1][0];
    }
    return '/images/default.jpg';
}

Then in your template, you can call it more safely (though this still requires some PHP execution, it's more controlled):

{php echo GetFirstImg($arcRow['body']);}

- Restrict PHP Functions: If you are on a shared hosting environment or are very security-conscious, you can configure PHP to disable dangerous functions like exec, shell_exec, system, eval, etc., using disable_functions in your php.ini file.
- Keep DedeCMS Updated: Always use the latest version of DedeCMS, as newer versions often have security patches.
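Moving the logic into extend.func.php also gives you one place to validate what goes back into the page. The following is an added example of my own, not DedeCMS's code and not the GetFirstImg above: GetFirstImgSafe parses the body with DOMDocument instead of a regex and only returns a site-relative path or an http(s) URL, already escaped for use inside an attribute, and GetSummaryText returns an escaped plain-text excerpt. The function names, the default image path, and the sample article body are my own assumptions.

```php
<?php
// Added example (my own code, not DedeCMS's): helpers in the style of
// extend.func.php that keep PHP out of templates and validate their output.

function GetFirstImgSafe(string $body, string $default = '/images/default.jpg'): string
{
    if (trim($body) === '') {
        return $default;
    }
    $doc = new DOMDocument();
    // The HTML parser is tolerant of broken article markup; keep its warnings quiet.
    $prevErrors = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8" ?>' . $body);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);

    foreach ($doc->getElementsByTagName('img') as $img) {
        // Drop control characters so a scheme cannot be hidden by tabs or newlines.
        $src = preg_replace('/[\x00-\x1F\x7F]/', '', trim($img->getAttribute('src')));
        if ($src === '') {
            continue;
        }
        // Reject any scheme other than http(s) (javascript:, data:, ...) and
        // protocol-relative //host/... references; accept relative paths and http(s).
        $hasScheme = preg_match('#^[a-z][a-z0-9+.\-]*:#i', $src) === 1;
        if (($hasScheme && !preg_match('#^https?://#i', $src)) || substr($src, 0, 2) === '//') {
            continue;
        }
        // Escaped for direct use inside src="...".
        return htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    }
    return $default;
}

function GetSummaryText(string $body, int $length = 200): string
{
    // Tags out, entities decoded, whitespace collapsed, then truncated and re-escaped.
    $text = html_entity_decode(strip_tags($body), ENT_QUOTES, 'UTF-8');
    $text = preg_replace('/\s+/u', ' ', trim($text));
    $summary = mb_substr($text, 0, $length, 'UTF-8');
    if (mb_strlen($text, 'UTF-8') > $length) {
        $summary .= '...';
    }
    return htmlspecialchars($summary, ENT_QUOTES, 'UTF-8');
}

// Constructed sample article body: the first img carries a javascript: src and
// must be skipped; the second is a normal upload path and should be returned.
$sampleBody = '<p>Intro &amp; overview</p>' . "\n"
    . '<img src="javascript:alert(1)" alt="bad">' . "\n"
    . "<img src='/uploads/2024/cover.jpg' alt='cover'>" . "\n"
    . '<p>More <b>text</b> here.</p>';

echo GetFirstImgSafe($sampleBody), "\n";
echo GetSummaryText($sampleBody, 30), "\n";
```

Because both helpers return attribute-safe strings, the template should print them as-is rather than escaping them a second time; if you pass an empty body or one with no usable image, GetFirstImgSafe falls back to the default path just like the page's regex version.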
Summary
| Feature | Description |
|---|---|
| What it is | A DedeCMS tag to execute PHP code within a template field. |
| How it works | The @me variable holds the original field value. You must assign your desired output to @me. |
| Power | Extremely powerful for custom data manipulation, extracting data, and conditional logic. |
| Risk | High. Can lead to Remote Code Execution if used by untrusted parties. |
| Best Practice | Use sparingly, only with trusted users, and prefer safer alternatives like custom functions in extend.func.php for common tasks. |
In conclusion, runphp='yes' is a "double-edged sword." It provides the flexibility to create highly dynamic and customized websites, but it also opens the door to serious security threats. Always use it with caution and a full understanding of the implications.
