I was looking at templating systems for PHP, and I've come to believe that pure PHP code seems to be the solution I want to use.
I'm the lone developer, so there are no designers who need a nerfed arena to work in. Template engines like Smarty seem to suffer from the "inner-platform effect". If I stick with good practices (pre-computed values, use only foreach), I think this will work.
My goal is to have a single source for the string of the HTML shared by each page. My thought is that a separate PHP file, accessed via include, is a good way to meet this goal.
However, I'm concerned that that might pose a security hazard for the site -- I can't think of anything specific at the moment, but someone could guess the name of the template and request it directly, perhaps exposing something they needn't see. (I suppose I could put in a check to see if it itself is the request.) I have a hunch this could be bad, so I don't want to go ahead and do it, create what I feared would happen, and then throw that work away.
If a separate file is not the best idea, what else should I use to basically store a string for the whole site? A string constant in an include, that I could use in sprintf()? A function that returns the HTML string from arguments of the page-specific HTML parts?
Files that should not be served via HTTP should be stored in a directory from which your webserver will not allow anything (not PHP, at least) to be served to the users.
Two possibilities :
DocumentRoot
Such "not served" files generally include stuff like :
The first solution : your directories could look like this :
    data/
    i18n/
    i18n/your-file-here.php
    library/
    www/            <- this is Apache's DocumentRoot
        index.php
        another-php-file.php
And for the second solution, just disable access to the directory containing your "data" or "libraries" files, by putting in it a .htaccess file (if your webserver is Apache) containing something like:
    Deny From All
With that, Apache will not allow anyone to directly access via HTTP the files in that directory, but your executable PHP script (in another directory) will still be able to include them.
Simple, really: name the file whatever you want, but use ".inc.php" as the extension, then include this line at the top of the file:
    // Stop if this file is the requested script rather than an include.
    if (basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME'])) {
        die;
    }
This will kill the script if the file is accessed directly.
EDIT: Pascal Martin's solution is probably more in keeping with BCP, whereas mine is more quick-and-dirty. I've used both, and either seems to be fine.
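As an added example (not part of either answer above), this Python check walks a DocumentRoot and lists the .inc.php files that have neither the basename(__FILE__) guard from the second answer nor a deny-all .htaccess as in the first. The sample tree and the function names are constructed for illustration, and the check assumes Apache is configured to honour .htaccess files (AllowOverride), which it cannot verify from the file system.

```python
import re
import tempfile
from pathlib import Path

# The guard from the second answer ('==' or '===', flexible whitespace).
GUARD = re.compile(
    r"basename\(\s*__FILE__\s*\)\s*===?\s*"
    r"basename\(\s*\$_SERVER\[\s*['\"]SCRIPT_FILENAME['\"]\s*\]\s*\)")
# Deny-all in Apache 2.2 syntax (as on this page) or Apache 2.4 syntax.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def denied_by_htaccess(path, docroot):
    """True if a .htaccess between the file and docroot contains a deny-all."""
    for directory in [path.parent, *path.parent.parents]:
        htaccess = directory / ".htaccess"
        if htaccess.is_file() and DENY.search(htaccess.read_text(errors="replace")):
            return True
        if directory == docroot:
            break
    return False

def exposed_includes(docroot):
    """List *.inc.php files under docroot with neither the guard nor a deny-all."""
    docroot = Path(docroot).resolve()
    findings = []
    for php in sorted(docroot.rglob("*.inc.php")):
        head = php.read_text(errors="replace")[:2048]  # the guard belongs at the top
        if not GUARD.search(head) and not denied_by_htaccess(php, docroot):
            findings.append(php.relative_to(docroot).as_posix())
    return findings

def build_sample(root):
    """Constructed sample DocumentRoot: one exposed, one guarded, one denied file."""
    guard = ("<?php if (basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME']))"
             " { die; } ?>\n")
    files = {
        "www/layout.inc.php": "<html><?= $body ?></html>\n",
        "www/guarded.inc.php": guard + "<p>footer</p>\n",
        "www/data/.htaccess": "Deny From All\n",
        "www/data/strings.inc.php": "<?php $greeting = 'hi';\n",
    }
    for name, text in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return Path(root) / "www"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(exposed_includes(build_sample(tmp)))
```

Files kept outside the DocumentRoot, as in the first layout above, never appear in this scan because the web server cannot map a URL to them.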