什么是通过PHP插入HTML的最佳方式? [英] What is the best way to insert HTML via PHP?
问题描述
<?php
if($ a){
?>
[某些标记]
<?php
}
其他{
?>
[某些其他标记]
<?php
}
?>
反对:
<?php
unset($ out);
if($ a)$ out ='[某些标记]';
else $ out ='[OTHER MARKUP]';
打印$ out;
?>
如果您要这样做,想分开你的逻辑和设计,真实。
但是你不需要使用Smarty来做到这一点。
优先考虑的是心态。我看到人们在Smarty中做了令人震惊的事情,最终它变成了人们在Smarty中开发网站,然后一些明亮的火花将决定他们需要在Smarty中编写模板引擎(永远不要低估潜力一个愚蠢的想法)。
如果您将代码分为两部分并强制自己遵守标准,那么您将获得更好的性能。
PageLogic.php
<?php
$ pageData =(object)(array()); //我学到的方便技巧。
/ *逻辑转到这里* /
$ pageData-> foo = SomeValue;
ob_start();
require(layout.php);
ob_end_flush();
Layout.php
< html>
<! - etc - >
<?php for($ i = 1; $ i <10; $ i ++){?>
<?php echo $ pageData-> foo [$ i]; ?>
<?php}?>
<! - etc - >
< / html>
PHP写成模板引擎,所以至少应该 在评估您是否需要深入研究Smarty之前,将其用于设计任务。
此外,如果您决定使用模板引擎,请尝试使用默认,而你选择退出而不是加入。你会为自己节省很多XSS头痛。 Smarty在这方面很薄弱,正因为如此,它里面有很多内容简单的模板。
{如果$ cond}
{$ dangerous_value}
{else}
{$ equality_dangerous_value}
{/ if}
Smarty模板通常如何运作。问题是$ dangerous_value可以是任意的HTML,这只会导致甚至更多使用无法追踪的意大利面条代码的错误编码做法。
任何模板语言你认为应该迎合这种担忧。例如:
{$ code_gets_escaped}
{{$ code_gets_escaped_as_a_uri}}
{{{dangerous_bare_code} }}
通过这种方式,模板中很容易识别您的潜在开发入口,而不是被剥削的门户是 DEFAULT 行为。
Talking from a 'best practice' point of view, what do you think is the best way to insert HTML using PHP. For the moment I use one of the following methods (mostly the latter), but I'm curious to know which you think is best.
<?php
if($a){
?>
[SOME MARKUP]
<?php
}
else{
?>
[SOME OTHER MARKUP]
<?php
}
?>
Opposed to:
<?php
unset($out);
if($a) $out = '[SOME MARKUP]';
else $out = '[OTHER MARKUP]';
print $out;
?>
If you are going to do things that way, you want to separate your logic and design, true.
But you don't need to use Smarty to do this.
Priority is about mindset. I have seen people do shocking things in Smarty, and it eventually turns into people developing sites in Smarty, and then some bright spark will decide they need to write a template engine in Smarty (Never underestimate the potential of a dumb idea).
If you break your code into two parts and force yourself to adhere to a standard, then you'll get much better performance.
PageLogic.php
<?php
$pageData = (object)(array()); // Handy trick I learnt.
/* Logic Goes here */
$pageData->foo = SomeValue;
ob_start();
require("layout.php");
ob_end_flush();
Layout.php
<html>
<!-- etc -->
<?php for ( $i = 1; $i < 10; $i++ ){ ?>
<?php echo $pageData->foo[$i]; ?>
<?php } ?>
<!-- etc -->
</html>
PHP Was written as a templating engine, so you at least should try to use it for its designed task before assessing whether or not you need to delve into Smarty.
Moreover, if you decide to use a templating engine, try get one that escapes HTML by default and you "opt out" instead of "opt in." You'll save yourself a lot of XSS headaches. Smarty is weak in this respect, and because of this, there are a lot of content-naïve templates written in it.
{if $cond}
{$dangerous_value}
{else}
{$equally_dangerous_value}
{/if}
Is generally how Smarty templates go. The problem is $dangerous_value can be arbitrary HTML and this just leads to even more bad coding practices with untraceable spaghetti code everywhere.
Any template language you consider should cater to this concern. e.g.:
{$code_gets_escaped}
{{$code_gets_escaped_as_a_uri}}
{{{$dangerous_bare_code}}}
This way, your potential doorways for exploitation are easily discernible in the template, as opposed to the doorway to exploitation being the DEFAULT behaviour.
这篇关于什么是通过PHP插入HTML的最佳方式?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
