enveetee Posted January 23, 2015 Share Posted January 23, 2015 Hi I have a self calling script which does the following: Stage 1: First run, it detects that $_POST is empty, and so displays a chunk of html which prompts for a password. Stage 2: When resubmitted, it detects $_POST and displays another chunk of html which prompts the user for some values Stage 3; When resubmitted the second time, $_POST is detected, along with the user values and some php is executed and a menu displayed. So, question is this, what is the best method to output the html at stage 1 and stage 2? I have tried using echo statements and wrapping each chunk in a function = messy. I have tried using HEREDOCS (<<<VARNAME), better but ties my HTML to my script which is a pain I am thinking to use file_get_contents("../html/chunk1.htm") this seems quite elegant and allows me to get someone else on our team to design the HTML keeping it out of my script Thoughts and suggestions? Thanks as ever p.s. who pays for this site, are donation accepted? Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted January 23, 2015 Share Posted January 23, 2015 I am thinking to use file_get_contents("../html/chunk1.htm") this seems quite elegant and allows me to get someone else on our team to design the HTML keeping it out of my script Thats the approach I would use. Your HTML output should be separate from your business logic (the code that processes the request). However instead of file_get_contents I would use include so then I could still use PHP variables within the template file. Quote Link to comment Share on other sites More sharing options...
scootstah Posted January 23, 2015 Share Posted January 23, 2015 There are some templating libraries that you could look in to. That is a surefire way to separate business and view logic. Remember to make sure that you run variables through htmlspecialchars before displaying them. Quote Link to comment Share on other sites More sharing options...
Frank_b Posted January 23, 2015 Share Posted January 23, 2015 Most simple is an include() Or use Twig or Blade template engines. Quote Link to comment Share on other sites More sharing options...
enveetee Posted January 23, 2015 Author Share Posted January 23, 2015 Cheers everyone, came across the include after my post. Thanks 1 Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted January 24, 2015 Share Posted January 24, 2015 This is not what include is for. The include statement executes a PHP script. Since you want plain HTML, there's absolutely no reason for evaluating it as PHP code. In fact, this has serious consequences: Anything that looks like PHP tags will be executed, even if the HTML designer just meant to write down literal text. For example, the term “<?=” or even just “<?” immediately triggers the PHP parser. The included files may be used to purposely inject malicious code. I'm not saying that your designers would do that, but an attacker who has gained access to the templates is also able to execute arbitrary PHP code. HTML designers should write HTML markup, not PHP code. So either use readfile() to print the file content as plaintext. Or give your designers a proper template engine like Twig which allows them to use additional features in a controlled manner. 1 Quote Link to comment Share on other sites More sharing options...
enveetee Posted January 27, 2015 Author Share Posted January 27, 2015 Thank you jacques1 - as informative as ever Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.