Security wise; I would never set paths from the environment because it opens an entire other box of security problems. You will have to doublecheck your code which parameters to accept/deny even more than before because your path will be chosen automatically by your program which can give quite strange results if the parameters given by the end-user are malicious ...

You could alternatively pre-define a few paths in an array or if you are -really- sure your paths won't be exploited in one or another way (to parse files which should not parsed like /etc/passwd etc..); by setting only the paths that are deemed neccesary for your program to run.

Still I think you better do this with a very small piece of (init) code instead of doing this automatically because then you know for sure which you have control over; while if-automatically you will loose that fine grain of control if you forget that one check.

Another way is chroot or a "sandbox"; where you check first if the path is part of the "sandbox" and if so; get the template, if not; deny. Like /home/users/templates/wildchild and /home/users/templates/midlifexs could have as root /home/users/templates ; this would limit any security hell to that one path /home/users/templates and not /home/users/* or others (if coded appropriate) ...