HTML Templating class for PHP - Please try it /give feedback


Heavy
Forum Contributor
Posts: 478
Joined: Sun Sep 22, 2002 7:36 am
Location: Viksjöfors, Hälsingland, Sweden

Post by Heavy »

ik wrote:why don't use just PHP instead? Why <!--LOOP - END LOOP--> is better than <?php while{} ?>?
Security, man!
If you would like to offer user customized looks, you can't let them do PHP in the middle of it all.

EDIT: BTW, when you do it like jason's example above, you are doing it in a pretty standards-compatible way. <!-- SOMETHING --> does not disturb a nervous browser.
ik
Forum Commoner
Posts: 34
Joined: Thu Jul 10, 2003 5:33 am
Location: Lancs Uni, UK

Post by ik »

Heavy wrote:
ik wrote:why don't use just PHP instead? Why <!--LOOP - END LOOP--> is better than <?php while{} ?>?
Security, man!
If you would like to offer user customized looks, you can't let them do PHP in the middle of it all.

EDIT: BTW, when you do it like jason's example above, you are doing it in a pretty standards-compatible way. <!-- SOMETHING --> does not disturb a nervous browser.
<script language="php"> </script> doesn't disturb the browser either...

Do forgive me, but I don't understand what kind of security you mean. A placeholder-based template is secure, yes; designers are allowed only to move blocks from place to place. But if you give them a loop - they will always find a way to make it infinite.... :D

Post by Heavy »

jason wrote:

Code:

<!-- LOOP ON family FOR EACH name -->
      <td>
         {ifEmpty; name.first,No First Name}
         {!makeBold;name.last}
      </td>
<!-- END LOOP -->
The way I see it, we (PHP programmers) should be responsible for making use of such loops impossible to trash up. A "foreach" loop ends by itself when the array loops beyond its last element. How big an array is depends on the PHP programmer.

All PHP there might be in a template should be stripped out of the template before the template gets to run anywhere.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

No. You can protect against infinite loops using a template engine. And an infinite while loop is hardly a 'security hazard'.

Security, you ask? What kind of security does this force? Well, if you allow designers access to PHP, you're in trouble. All it would take is a single designer slipping some code into his template that calls up a list of your clients' information, maybe credit card information from a form he designed, etc., a dozen things he could do without much work, and have it mailed to him, or do a bunch of other things.

Monte has a good write up on why templates are important and useful.

http://smarty.php.net/whyuse.php

As far as the <script> argument. That's all fine and dandy until you see stuff like this:

Code:

<script language="php">if ( userIsLoggedIn() ) {</script>
Welcome <script language="php">echo $username;</script>!
<script language="php">} else {</script>
Your not logged in.
<script language="php">}</script>
Compare that with something from the templating world:

Code:

{!ifUserIsLoggedIn, Welcome {name.first}!, Your not logged in.}
Now, you're a designer. Which is easier to use?

Post by Heavy »

jason wrote:No. You can protect against infinite loops using a template engine.
That must depend on how much you allow the template to automate. As long as loops are of foreach type and you don't have template functionality for changing how a loop advances, it shouldn't be possible to make the loop go on forever.

I think templates shouldn't have programming capabilities at all. I think of them as a way to separate code and design. If you allow too much control in the template, you achieve code in multiple levels, which is exactly the opposite of what I think template engines should provide. Conditional jumps and loops should be a matter of the PHP code, not the template text.

My opinion on loops in templates:
When I design a page and think loop, I think it is about how many rows or columns of a table you want to output to the browser. In such a case there is really only one kind of loop we need to provide. In my not so finished template engine, I will only provide foreach functionality (prove me otherwise, and I will break that promise) for looping, since the (array's) count is known and set in the PHP code, not the template.
Then there shouldn't be any way to make templates loop forever by hacking them.

Still... among you guys, I am a kid and might have forgotten something important.

Please, give me an example of how infinite loops are possible and caused by badly or maliciously designed templates.

Post by Heavy »

I read that. :?
OK, I see the point why some logic could go in the template. But there is not much needed.
I see only two of them:

- if else statements
- even - odd alternating code (for table rows and such)

A block can be looped with foreach without the help of the designer.

Post by ik »

jason wrote:No. You can protect against infinite loops using a template engine. And an infinite while loop is hardly a 'security hazard'.

Security, you ask? What kind of security does this force? Well, if you allow designers access to PHP, you're in trouble. All it would take is a single designer slipping some code into his template that calls up a list of your clients' information, maybe credit card information from a form he designed, etc., a dozen things he could do without much work, and have it mailed to him, or do a bunch of other things.
Yes. And we return to the starting point - only a passive template with placeholders can be absolutely (more or less) secure. But it isn't flexible enough. *Any* programming language gives the programmer the possibility to do some bad things. Why should I hope my template preprocessor will be more secure than the PHP preprocessor? If a designer can include trojan code, why can't a PHP programmer?
As far as the <script> argument. That's all fine and dandy until you see stuff like this:

Code:

<script language="php">if ( userIsLoggedIn() ) {</script>
Welcome <script language="php">echo $username;</script>!
<script language="php">} else {</script>
Your not logged in.
<script language="php">}</script>
Compare that with something from the templating world:

Code:

{!ifUserIsLoggedIn, Welcome {name.first}!, Your not logged in.}
Now, you're a designer. Which is easier to use?
Well... I'm not a designer, for me it's the same. In short notation it will be the same for anybody.

I have no doubts your template is good. It's in real use - and that's the main argument in favour of any program. I'm just trying to understand where the optimal boundary of the data contract between programmers and designers is. And any time I see a script language in a template I can't keep from asking - "why not PHP". Say, an agreed subset of functions to keep security - and the template engine can check it, which seems to be easier than interpreting a template script.

Post by jason »

Yes. And we return to the starting point - only a passive template with placeholders can be absolutely (more or less) secure. But it isn't flexible enough. *Any* programming language gives the programmer the possibility to do some bad things. Why should I hope my template preprocessor will be more secure than the PHP preprocessor? If a designer can include trojan code, why can't a PHP programmer?
You're right, in that case you can't. But rather than have to worry about programmers and designers, you just worry about programmers.

Also, look at this beyond just people you control. In many cases, you may not have that control.

Let's look at another example. You want to sell your program. So you are going to encrypt it. Rather than let the person have access to any PHP, you simply make the site's template in a simple templating language. That way, people that don't know PHP can still install and use the program.
Well... I'm not a designer, for me it's the same. In short notation it will be the same for anybody.
Actually, that's you avoiding the obvious answer. The second one is the easier one overall.
And any time I see a script language in a template I can't keep from asking - "why not PHP".
Because PHP is not designed for templating use. That may have been its intent when it was first created, however, PHP now is NOT what it was then.

Simply put, PHP fails in a number of places as a templating language. First and foremost, in security, as well as ease of validation, and ease of design work. A good template engine is in fact better separated from the core language. Hundreds of programs use this same basic method. You don't see various programs with skins having their skins rewritten in the same core language. Most of them rely on a subset of a scripting language that is designed to allow for easy creation of a skin.

I highly suggest you read http://smarty.php.net/whyuse.php

When you look at what most template engines do, they take a template, and compile it to PHP code. How is this bad? It's a basic principle of programming. You don't see us running around coding everything in binary. No, we create high-level languages and compilers to do this for us.

Guess what, we could rewrite all our applications in C because guess what, they would run faster! Besides, it makes no sense, PHP is written on top of C. Why not C?

Because PHP is built for creating web applications. That's why. And guess what, we design a templating engine that's built on top of PHP for creating HTML templates. Why? Because these templates are built for that purpose. So just as writing a web app is easier in PHP than in C (and less time consuming), so is creating a template in a good templating language than using a non-templating language.
Judas
Forum Commoner
Posts: 67
Joined: Tue Jun 10, 2003 3:34 pm
Location: Netherlands

Post by Judas »

I use the same tag in my PHP framework (<!--EDITABLE-REGIO-->). :D
And I am also creating a cm for that purpose.

My framework is directory oriented and knows groups and users; even restrictions are implemented in it.
It also knows a button system for quick onover's etc. The buttons are rendered by PHP to gif or jpg.
bla bla bla .

I would like to share.

btw I am a designer & coder in 1
(I have been designing for about 9 years & coding for 4 years)

Post by ik »

jason wrote:
Because PHP is not designed for templating use. That may have been its intent when it was first created, however, PHP now is NOT what it was then.

Simply put, PHP fails in a number of places as a templating language. First and foremost, in security, as well as ease of validation, and ease of design work. A good template engine is in fact better separated from the core language. Hundreds of programs use this same basic method. You don't see various programs with skins having their skins rewritten in the same core language. Most of them rely on a subset of a scripting language that is designed to allow for easy creation of a skin.

I highly suggest you read http://smarty.php.net/whyuse.php

When you look at what most template engines do, they take a template, and compile it to PHP code. How is this bad? It's a basic principle of programming. You don't see us running around coding everything in binary. No, we create high-level languages and compilers to do this for us.

Guess what, we could rewrite all our applications in C because guess what, they would run faster! Besides, it makes no sense, PHP is written on top of C. Why not C?
Ok, that's correct and obvious. I don't hesitate templates are useful, I hesitate about what possibilities they should include.

Let's take a short citation from the article you have suggested:

Why use templates at all? What is so tough about writing <? echo $title; ?> instead of {$title}?

Making things easier to read wasn't a design goal, but more of a side effect. Using templates has huge benefits, many of which have been explained above. Since we are in a template environment anyways, {$title} is less extraneous than <?php echo $title; ?>, especially when you start looking at it in long pages of content, so it was pretty evident that a simpler syntax helps to make templates easier to read and maintain.
It's just my question. But I'm not perfectly satisfied by the answer. My point is that <?php echo $tilte> and {$title} are perfectly the same and this can't be an issue for discussion. Because a template preprocessor converting {$smth} to
<?php echo $smth> would contain from five to ten PHP commands. And designers can get any brackets they prefer to use without replacing PHP with another template language.

Well, let me suggest very easy template scheme. Content engine prepares an instance of output TInterface class with all and only the data accessible for designers:

Code:

class TInterface {
    var $table;   // table data exposed to the template
    var $session; // session data exposed to the template
    var $links;   // navigation links exposed to the template
    // ...
}
This class represents the data contract between designers and programmers. And designers have access only to data and methods defined in this object. If they write {$session->title} (or say [$session.title] or <!$session.title!>) the template preprocessor converts it to
<?php $Interface->session->title ?> (with direct use of PHP string search/replace functions - nothing more) and we easily avoid any risk of designer access to anything except Interface. If we give them in addition a set of drawing tools (PHP functions) for standard objects such as navigation bars, lists and tables - they can avoid loops in most cases but are still allowed to use them with Interface fields if they need to.

So you have enumerated the reasons to create a template language. But there are reasons not to do it as well. First is... security. Any program contains bugs, our template preprocessor too. If it is simple and straightforward - we have a much better chance to avoid bugs. Another issue is user logic/syntax mistakes in template code. If we use PHP - it is the business of the PHP preprocessor to find errors and report them to us. Otherwise we would have to write our own debugger. And anyway PHP already is an embedded language...
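
The data contract described in the post above, combined with the foreach-only loop blocks discussed earlier in the thread, sketched in PHP as an added example (not code posted by anyone in the thread). The function names, the `{group.field}` placeholder form and the sample data are assumptions; it renders the output directly instead of generating PHP, and it rejects templates that contain PHP tags rather than stripping them.

```php
<?php
// Added example, not code from the thread; all names are hypothetical.

/** Replace {group.field} with escaped scalar data from $scope only. */
function fillPlaceholders(string $text, array $scope): string
{
    return preg_replace_callback('/\{(\w+)\.(\w+)\}/', function (array $m) use ($scope): string {
        $group = $scope[$m[1]] ?? null;
        $value = is_array($group) ? ($group[$m[2]] ?? '') : '';
        if (!is_scalar($value)) {
            return '';
        }
        // Escape HTML, then encode braces so data that looks like a
        // placeholder is never expanded by a later pass.
        $safe = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        return str_replace(['{', '}'], ['&#123;', '&#125;'], $safe);
    }, $text) ?? '';
}

/** Render a designer template against the programmer's data contract. */
function renderTemplate(string $tpl, array $contract): string
{
    // Refuse every PHP open-tag form (which ones the parser honours
    // depends on PHP version and configuration) instead of stripping them.
    if (preg_match('/<\?|<%|<script[^>]*language\s*=\s*["\']?php/i', $tpl)) {
        throw new InvalidArgumentException('PHP code is not allowed in templates');
    }
    // foreach-only loop blocks: the iteration count is the size of the
    // array the PHP side put in the contract. Nested loops are not handled.
    $loop = '/<!--\s*LOOP ON (\w+) FOR EACH (\w+)\s*-->(.*?)<!--\s*END LOOP\s*-->/s';
    $tpl = preg_replace_callback($loop, function (array $m) use ($contract): string {
        $rows = $contract[$m[1]] ?? [];
        $out = '';
        foreach (is_array($rows) ? $rows : [] as $row) {
            $out .= fillPlaceholders($m[3], [$m[2] => $row] + $contract);
        }
        return $out;
    }, $tpl) ?? '';
    return fillPlaceholders($tpl, $contract);
}

// Constructed sample: the second row carries hostile-looking data.
$contract = [
    'session' => ['title' => 'Family <list>'],
    'family'  => [
        ['first' => 'Ann', 'last' => 'Lee'],
        ['first' => '{session.title}', 'last' => '<b>x</b>'],
    ],
];
$tpl = '<h1>{session.title}</h1><!-- LOOP ON family FOR EACH name -->'
     . '<td>{name.first} {name.last}</td><!-- END LOOP -->';
echo renderTemplate($tpl, $contract), "\n";
```

The template can only name keys that exist in `$contract`, and a loop runs exactly once per array element, so neither the data reachable nor the iteration count is under the designer's control.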

Post by Heavy »

ik wrote:My point is that <?php echo $tilte> and {$title} are perfectly the same
I don't think it is. PHP opens doors, template tags don't. Besides... $title and $tilte ARE different. :lol:

Post by jason »

This class represents the data contract between designers and programmers. And designers have access only to data and methods defined in this object. If they write {$session->title} (or say [$session.title] or <!$session.title!>) the template preprocessor converts it to
<?php $Interface->session->title ?> (with direct use of PHP string search/replace functions - nothing more)
Hehe, you see, you're talking about a template engine here. This is exactly what mine does. It's pretty much all str_replace converting it all to PHP.

However, the difference between your suggestion and my suggestion is that you are working backwards from PHP, while I am implementing a templating language and implementing it in PHP.

While one is more PHP'ish, the other is more template language-ish.

However, here's the crux. My template engine can easily do all you presented above without a hitch. The delimiters are all optional, even at run time. So let's say a certain template can't use the <!-- --> comments to designate block elements (because not all languages use them for comments). The designer wants to use, let's say, { and }. He can easily do this in that template (and that template alone) without having to bugger the programmer.
My point is that <?php echo $tilte> and {$title} are perfectly the same.
They are the same as much as Mozilla and IE are the same.

Post by ik »

jason wrote: Hehe, you see, you're talking about a template engine here. This is exactly what mine does. It's pretty much all str_replace converting it all to PHP.

However, the difference between your suggestion and my suggestion is that you are working backwards from PHP, while I am implementing a templating language and implementing it in PHP.

While one is more PHP'ish, the other is more template language-ish.
Sure, all this thread is about templates 8O
Of course, all templates are about the same. The only (but significant) real difference is that when you use a PHP-based template language, the template engine is an assembler (with a one-to-one preprocessing basis), otherwise it should be a full-featured interpreter. An assembler is simpler, isn't it?
Guess what, we could rewrite all our applications in C because guess what, they would run faster! Besides, it makes no sense, PHP is written on top of C. Why not C?
Btw, I bet that as PHP becomes more and more popular, compilers should arrive soon. If they haven't arrived yet.

Post by Heavy »

ik wrote:Btw, I bet that as PHP becomes more and more popular, compilers should arrive soon. If they haven't arrived yet.
Very O/T, but YES I would love that!
kafka_loved_his_daddy
Forum Newbie
Posts: 3
Joined: Tue Jul 22, 2003 3:06 am
Location: austria

Re: HTML Templating class for PHP - Please try it /give feed

Post by kafka_loved_his_daddy »

hi. please have a look at PHP-Normal-forum. there i posted my problems with html-templating-classes. thanx.