Basically, I'm rewriting a game with the ability for every player to create their own style for the game via a customized templating engine. What is the best way to prevent the user from accessing stuff they don't need to display?
  1. Use old style key words like {username} and str_replace them as each template is called?
  2. Restrict variables used by forcing them to use $g[username] (either by preg_matching and stopping, or by preg_replacing $anything with $g[anything])


I think A would probably be simplest for the user, but would tend to eat up a lot of CPU horsepower, considering the site has over 10,000 users. I can only see preg_replace (to change $username to $g[username] and back) as a way to make B a user-friendly option, but it's difficult to foresee problems. I don't know how well I'll be able to find beta testers that are that advanced in PHP to be able to try and find exploits with that kind of method.

Any thoughts? Should I just scrap the whole concept of allowing users to create their own styles?

BTW, I already escape quotes in templates, so either way, noone could pull off a ' . mysql_query('DELETE * FROM users') . ' trick... it's just a matter of containing their variable access.

Also, what's a good way to write a template condition thing along the same lines? Just need to prevent them from accessing variables they don't need, and prevent them from setting any variables...