How can I output this dynamic data without eval?
Problem description
I've been writing a CMS in MVC style and have used a Template class to pull in the various files required via file_get_contents
At the end I do:
eval('?>'.($template).'<?');
Knowing that eval is evil, how can I alternatively flush this data so the PHP actually renders the code?
At the moment the Template class does this once everything's been loaded. Is it possible for the Template class to return this code to my index.php as a variable and then run something to make it execute?
Every example of coding an MVC style site I've come across uses eval to solve the problem.
An additional related question - I understand eval can be used to run malicious user-inputted code, but wouldn't some other function suffer the same fate? If I turn any user content into html entities, wouldn't this overcome this?
Quite possibly my method is flawed, but it follows the examples I've been reading, which is why I'm keen to see another method that avoids eval.
I did just find this snippet which achieves the same thing:
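function interpolate( $string ){
    // Replace each '$name' with the value of the matching global variable.
    foreach ($GLOBALS as $name => $value){
        // Skip arrays and objects (e.g. $_GET); they cannot be a replacement string.
        if (!is_scalar($value)) continue;
        $string = str_replace( '$'.$name, $value, $string );
    }
    // Strip any remaining '$word' placeholders that matched no variable.
    $string = preg_replace( '/[$]\\w+/', '', $string );
    return $string;
}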
This effectively renders all the code by replacing the variables with their correct content.
Recommended answer
In my templates I use output buffering to capture a script that is included. The included code is run just like any other included file. Pseudo: start buffer, include file, capture buffer, erase buffer. Here is a short example:
//just the name of a template file to include.
$template = "someFile.tpl";
//start output buffering
ob_start();
//include the file. It has full access to all vars and runs
//code just like any other included script.
include($template);
//get anything output by the buffer during the include
$template_output = ob_get_contents();
//clean out the buffer because we already got the contents.
ob_end_clean();
After that runs, $template_output would have anything output by the included file after it has run any code inside. This allows me to use loops and vars and such when processing a 'view'.
Please note though, this is used on my personal site where I am the only one making changes to the template files. I do not allow anyone else to edit the template files as that would be ridiculously dumb.
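An added example (not part of the original question or answer): the output-buffering approach from the answer, wrapped in a function that only includes files from one template directory and receives user content as escaped data rather than as code. The names render_template() and e(), the temp directory and the sample template are assumptions made for illustration.

```php
<?php
// Added example: render_template(), e() and the sample template are hypothetical names.

// Escape a value for HTML output; call this in the template on anything user-supplied.
function e($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a template file from $templateDir with only the variables in $vars in scope.
function render_template(string $templateDir, string $name, array $vars): string {
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    // Refuse anything missing or resolving outside the template directory ("../" in $name).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("Template not found: $name");
    }
    // The closure keeps the template's scope separate from this function's variables.
    $render = static function (string $__path, array $__vars): string {
        extract($__vars, EXTR_SKIP);   // EXTR_SKIP: never overwrite $__path / $__vars
        ob_start();
        try {
            include $__path;
            return ob_get_clean();
        } catch (Throwable $t) {
            ob_end_clean();            // do not leak a half-rendered buffer
            throw $t;
        }
    };
    return $render($path, $vars);
}

// Constructed sample: a template written to a temp directory so the script runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/comments.tpl",
    "<ul>\n<?php foreach (\$comments as \$c): ?>\n<li><?= e(\$c) ?></li>\n<?php endforeach; ?>\n</ul>\n");

// User-supplied data is passed as data; it is never part of the code being included.
echo render_template($dir, 'comments.tpl', ['comments' => ['hello', '<b>bold</b> & "quoted"']]);

try {
    render_template($dir, '../outside.tpl', []);
} catch (InvalidArgumentException $ex) {
    echo "rejected: ", $ex->getMessage(), "\n";
}
unlink("$dir/comments.tpl");
rmdir($dir);
```

The second comment is rendered as `&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;`, and the template name containing `../` is rejected before any include happens.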