Jump to content

Question about php inside html code.


claudiogc

Recommended Posts

Hello, people!

 

I was watching some php tutorials in youtube and, in a video, the guy was showing how put php script inside html code. I would like to know why in the following code he didn't use only one php script?

1- Code used in the video:

 

<html>
<body>

<?php
$color = $_GET['clr'];
?>

<b><font color="<?php echo $color;?>">This is a test.</font></b>

</body>
</html>

 

2- Modified code by me to test with one script:

 

<html>
<body>

<?php
$color = $_GET['clr'];

echo "<b><font color=\"$color\"> This is a test. </font></b>";

?>

</body>
</html>

 

Is his code more correct(with two scripts)? Why?

Link to comment
Share on other sites

Both scripts are poor, but the second one is even worse than the first.

 

First of all, you can't just dump a PHP value into your HTML markup, especially when that value comes from the user. This makes your application wide open to cross-site scripting attacks and leads to all kinds of bugs. Every value which isn't hard-coded must be escaped with htmlspecialchars().

 

Mixing PHP logic and HTML markup is generally poor style. It quickly turns your application into an unreadable, unmaintainable mess. One of the most important principles of modern programming is that separate aspects should in fact be separated: The PHP code is for the logic, the HTML markup is for the presentation. Both are only loosely coupled; for example, instead of generating an HTML document, you might as well create a PDF file or an Excel sheet or whatever.

 

So what you should do is keep your PHP and your HTML separate: Put all the code on top of the script and move all the HTML to the bottom. When you're more experience, you should also consider using a template engine like Twig.

 

Last but not least, you really need to start writing proper HTML. Maybe this was just a quick example, but invalid markup and ancient elements like font are just lame.

 

A sanitized version of the code might look like this:

<?php

// The parameter may or may not be present; we need to actually check this.
$color = null;
if (isset($_GET['clr']))
{
    $color = $_GET['clr'];
}

?>
<!DOCTYPE HTML>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Test</title>
    </head>
    <body>
        <?php if ($color): ?>
            <p>The color you chose is: <?= htmlspecialchars($color, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></p>
        <?php else: ?>
            <p>Please choose a color</p>
        <?php endif; ?>
    </body>
</html>
Link to comment
Share on other sites

Is his code more correct(with two scripts)? Why?

 

Just to clarify, in both case you only have one script.

 

As for your question, I don't think it matters too much whether you just surround PHP code with PHP tags...or if the entire script is enclosed in PHP tags. Personally, I find scripts that constantly jump in and out of PHP harder to follow. However, I have written quite a few scripts that do just that. I guess it all depends on the ratio of HTML to PHP code.  :unsure:

 

In case you're interested, more information about PHP tags can be found here:

http://php.net/manual/en/language.basic-syntax.phptags.php

Link to comment
Share on other sites

 

Both scripts are poor, but the second one is even worse than the first.

 

First of all, you can't just dump a PHP value into your HTML markup, especially when that value comes from the user. This makes your application wide open to cross-site scripting attacks and leads to all kinds of bugs. Every value which isn't hard-coded must be escaped with htmlspecialchars().

 

Mixing PHP logic and HTML markup is generally poor style. It quickly turns your application into an unreadable, unmaintainable mess. One of the most important principles of modern programming is that separate aspects should in fact be separated: The PHP code is for the logic, the HTML markup is for the presentation. Both are only loosely coupled; for example, instead of generating an HTML document, you might as well create a PDF file or an Excel sheet or whatever.

 

So what you should do is keep your PHP and your HTML separate: Put all the code on top of the script and move all the HTML to the bottom. When you're more experience, you should also consider using a template engine like Twig.

 

Last but not least, you really need to start writing proper HTML. Maybe this was just a quick example, but invalid markup and ancient elements like font are just lame.

 

A sanitized version of the code might look like this:

<?php

// The parameter may or may not be present; we need to actually check this.
$color = null;
if (isset($_GET['clr']))
{
    $color = $_GET['clr'];
}

?>
<!DOCTYPE HTML>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Test</title>
    </head>
    <body>
        <?php if ($color): ?>
            <p>The color you chose is: <?= htmlspecialchars($color, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></p>
        <?php else: ?>
            <p>Please choose a color</p>
        <?php endif; ?>
    </body>
</html>

I personally don't like mixing PHP and html code for it makes it confusing it confusing for me :confused: . I personally would do the following instead:

<?php

// The parameter may or may not be present; we need to actually check this.
$color = null;
if (isset($_GET['clr']))
{
    $color = htmlspecialchars($_GET['clr'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

?>
<!DOCTYPE HTML>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Test</title>
    </head>
    <body>
        <?php 
        if ($color) {
            echo "<p>The color you chose is " . $color . ". </p>\n";
        } else {
            echo "<p>Please choose a color</p>\n";
        }
        ?>
    </body>
</html>

That way you can see what is going on in PHP even though it has html in it. I know I have gotten into some heated debates in other forums over this and at one time I thought the other way. However, the main thing is that the php is secure no matter what way you do it.

Link to comment
Share on other sites

The thing is that you should only have short, simple control structures within your HTML markup (like loops and if statements). You're doing the exact opposite: You have a big block of PHP code, and then you embed HTML snippets as needed.

 

Of course that's possible. But it goes against the underlying principle, and it's very tempting to put all kinds of application logic into that PHP block. The PHP syntax noise (echo, quotes, semicolons) also makes the HTML markup somewhat difficult to read.

 

But the real problem is that PHP simply is a lousy template engine: The syntax is verbose and fugly, there's no separation of logic and layout, there's no built-in scoping, and there are no modern features like template inheritance. With regard to templating, PHP is basically stuck somewhere in the 90s.

 

Sure, it's good enough for small scripts and demonstrational purposes. But for anything more complex we really should be using a proper template engine like Twig or Smarty.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.