php mixing with html

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

php mixing with html

Post by nincha »

I notice that the recommended php.ini disables mixing HTML into PHP, for instance:

<?php if(){ ?> <html code> <? } else{ ?><html code> <? } ?>

What is the risk of doing this?
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Makes it harder to change the user interface later... other than that, I don't think there's any problem.

Actually, I should mention that most good apps mix HTML and PHP; it's just a question of to what extent it is good practice.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: php mixing with html

Post by Christopher »

nincha wrote: What is the risk of doing this?

There is no specific security risk, other than that it makes it harder to see what your code is doing, so there is perhaps a greater potential to miss problems.
Forum Commoner
Posts: 83
Joined: Mon May 22, 2006 10:03 am

Post by AlexC »

I never mix HTML with PHP, for the reason The Ninja Space Goat said: it makes it harder to change the UI later. The way I do it is to use a tag replacement system / template system (similar to Smarty, but one I wrote myself).
Uranium-235
Forum Newbie
Posts: 13
Joined: Tue Aug 08, 2006 3:57 pm

Post by Uranium-235 »

Yeah, it's fine for small things, but on large scales it just makes everything look messy.

Especially when it comes to forms; you might find yourself dreading large forms most when it comes to inserting HTML into your code. This is why I made a template-based form class. It makes things nicer, especially if you choose to authenticate all fields on the server side, reload all fields, and display errors. Maybe one day I'll release it.

I'm sure Smarty can be used for something like this, as well as other template systems.
pedrotuga
Forum Contributor
Posts: 249
Joined: Tue Dec 13, 2005 11:08 pm

Post by pedrotuga »

Well... that is actually the only way of doing dynamic pages: generating HTML according to the data and the programming logic.

Using a template system simply organizes things better... but still, the HTML code has to be written somewhere. No miracles.

Of course it's very powerful and everything to use a template system... but is it really worth it when developing a one-copy application?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

There are good ways and bad ways of mixing PHP and HTML, whether it be through a template parser or through native templating in PHP output. The key is mixing the two in a way that, three years from now when the boss finally approves a rewrite of the presentation, the developer who is in charge of that project has some clue as to what is going on.

<?php if(){ ?> <html code> <? } else{ ?><html code> <? } ?>

could be better off as

<?php if(): while()?>
<html code>
<?php endwhile; else: ?>
<html code>
<?php endif; ?>

I added a little bit to the piece for posterity.
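As an added illustration (not code from this thread or its posters), the same conditional rendered both ways, with constructed sample data and a hypothetical escaping helper e(); it assumes PHP 7 or later. The point the thread makes is visible here: in the brace-style one-liner a raw echo is easy to overlook, while the alternative syntax puts one construct per line so a missing escape stands out in review.

```php
<?php
// Constructed sample data: values that contain markup, so the effect of a
// missed htmlspecialchars() call is visible in the rendered page.
$title = 'Q3 <em>report</em>';
$items = ['Draft <b>1</b>', 'Final'];

// Hypothetical helper: every dynamic value that reaches the HTML goes through it.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<!-- Brace style: control flow and markup interleave on one line.
     Note that $title is echoed without e(); that is the kind of defect
     this layout makes easy to miss. -->
<?php if (count($items) > 0) { ?><h1><?php echo $title; ?></h1><ul><?php foreach ($items as $item) { ?><li><?php echo e($item); ?></li><?php } ?></ul><?php } else { ?><p>No items</p><?php } ?>

<!-- Alternative syntax: if/foreach/else/endif each on their own line,
     and every dynamic value is wrapped in e(). -->
<?php if (count($items) > 0): ?>
  <h1><?php echo e($title); ?></h1>
  <ul>
  <?php foreach ($items as $item): ?>
    <li><?php echo e($item); ?></li>
  <?php endforeach; ?>
  </ul>
<?php else: ?>
  <p>No items</p>
<?php endif; ?>
```

Run it with `php -f` and compare the two <h1> lines: the first renders the <em> tag, the second shows it as literal text.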