Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the best way to insert HTML via PHP?

Talking from a 'best practice' point of view, what do you think is the best way to insert HTML using PHP. For the moment I use one of the following methods (mostly the latter), but I'm curious to know which you think is best.

<?php   if($a){ ?> [SOME MARKUP] <?php   }   else{ ?> [SOME OTHER MARKUP] <?php   } ?> 

Opposed to:

<?php   unset($out);   if($a) $out = '[SOME MARKUP]';   else $out = '[OTHER MARKUP]';   print $out; ?> 
like image 201
Brayn Avatar asked Nov 04 '08 09:11

Brayn


People also ask

Can you insert HTML in PHP?

As you can see, you can use any HTML you want without doing anything special or extra in your PHP file, as long as it's outside and separate from the PHP tags. In other words, if you want to insert PHP code into an HTML file, just write the PHP anywhere you want (so long as they're inside the PHP tags).

How do I code HTML in PHP?

Step 1: Firstly, we have to type the Html code in any text editor or open the existing Html file in the text editor in which we want to use the PHP. Step 2: Now, we have to place the cursor in any tag of the <body> tag where we want to add the code of PHP. And, then we have to type the start and end tag of PHP.

Which tag is used for inserting PHP code in HTML?

We can use PHP in HTML code by simply adding a PHP tag without doing any extra work. Example 1: First open the file in any editor and then write HTML code according to requirement. If we have to add PHP code then we can add by simply adding <?


1 Answers

If you are going to do things that way, you want to separate your logic and design, true.

But you don't need to use Smarty to do this.

Priority is about mindset. I have seen people do shocking things in Smarty, and it eventually turns into people developing sites in Smarty, and then some bright spark will decide they need to write a template engine in Smarty (Never underestimate the potential of a dumb idea).

If you break your code into two parts and force yourself to adhere to a standard, then you'll get much better performance.

PageLogic.php

<?php     $pageData = (object)(array());  // Handy trick I learnt.     /* Logic Goes here */    $pageData->foo = SomeValue;    ob_start();   require("layout.php");   ob_end_flush(); 

Layout.php

 <html>    <!-- etc -->    <?php for ( $i = 1; $i < 10; $i++ ){ ?>     <?php echo $pageData->foo[$i]; ?>    <?php } ?>    <!-- etc --> </html> 

PHP Was written as a templating engine, so you at least should try to use it for its designed task before assessing whether or not you need to delve into Smarty.


Moreover, if you decide to use a templating engine, try get one that escapes HTML by default and you "opt out" instead of "opt in." You'll save yourself a lot of XSS headaches. Smarty is weak in this respect, and because of this, there are a lot of content-naïve templates written in it.

{if $cond}     {$dangerous_value} {else}     {$equally_dangerous_value} {/if} 

Is generally how Smarty templates go. The problem is $dangerous_value can be arbitrary HTML and this just leads to even more bad coding practices with untraceable spaghetti code everywhere.

Any template language you consider should cater to this concern. e.g.:

{$code_gets_escaped}  {{$code_gets_escaped_as_a_uri}} {{{$dangerous_bare_code}}} 

This way, your potential doorways for exploitation are easily discernible in the template, as opposed to the doorway to exploitation being the DEFAULT behaviour.

like image 113
Kent Fredric Avatar answered Sep 28 '22 06:09

Kent Fredric