claudiogc Posted September 3, 2014 Share Posted September 3, 2014 Hello, people! I was watching some php tutorials in youtube and, in a video, the guy was showing how put php script inside html code. I would like to know why in the following code he didn't use only one php script? 1- Code used in the video: <html> <body> <?php $color = $_GET['clr']; ?> <b><font color="<?php echo $color;?>">This is a test.</font></b> </body> </html> 2- Modified code by me to test with one script: <html> <body> <?php $color = $_GET['clr']; echo "<b><font color=\"$color\"> This is a test. </font></b>"; ?> </body> </html> Is his code more correct(with two scripts)? Why? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 3, 2014 Share Posted September 3, 2014 Both scripts are poor, but the second one is even worse than the first. First of all, you can't just dump a PHP value into your HTML markup, especially when that value comes from the user. This makes your application wide open to cross-site scripting attacks and leads to all kinds of bugs. Every value which isn't hard-coded must be escaped with htmlspecialchars(). Mixing PHP logic and HTML markup is generally poor style. It quickly turns your application into an unreadable, unmaintainable mess. One of the most important principles of modern programming is that separate aspects should in fact be separated: The PHP code is for the logic, the HTML markup is for the presentation. Both are only loosely coupled; for example, instead of generating an HTML document, you might as well create a PDF file or an Excel sheet or whatever. So what you should do is keep your PHP and your HTML separate: Put all the code on top of the script and move all the HTML to the bottom. When you're more experience, you should also consider using a template engine like Twig. Last but not least, you really need to start writing proper HTML. Maybe this was just a quick example, but invalid markup and ancient elements like font are just lame. A sanitized version of the code might look like this: <?php // The parameter may or may not be present; we need to actually check this. $color = null; if (isset($_GET['clr'])) { $color = $_GET['clr']; } ?> <!DOCTYPE HTML> <html lang="en"> <head> <meta charset="utf-8"> <title>Test</title> </head> <body> <?php if ($color): ?> <p>The color you chose is: <?= htmlspecialchars($color, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></p> <?php else: ?> <p>Please choose a color</p> <?php endif; ?> </body> </html> Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted September 4, 2014 Share Posted September 4, 2014 Is his code more correct(with two scripts)? Why? Just to clarify, in both case you only have one script. As for your question, I don't think it matters too much whether you just surround PHP code with PHP tags...or if the entire script is enclosed in PHP tags. Personally, I find scripts that constantly jump in and out of PHP harder to follow. However, I have written quite a few scripts that do just that. I guess it all depends on the ratio of HTML to PHP code. In case you're interested, more information about PHP tags can be found here: http://php.net/manual/en/language.basic-syntax.phptags.php Quote Link to comment Share on other sites More sharing options...
Strider64 Posted September 4, 2014 Share Posted September 4, 2014 Both scripts are poor, but the second one is even worse than the first. First of all, you can't just dump a PHP value into your HTML markup, especially when that value comes from the user. This makes your application wide open to cross-site scripting attacks and leads to all kinds of bugs. Every value which isn't hard-coded must be escaped with htmlspecialchars(). Mixing PHP logic and HTML markup is generally poor style. It quickly turns your application into an unreadable, unmaintainable mess. One of the most important principles of modern programming is that separate aspects should in fact be separated: The PHP code is for the logic, the HTML markup is for the presentation. Both are only loosely coupled; for example, instead of generating an HTML document, you might as well create a PDF file or an Excel sheet or whatever. So what you should do is keep your PHP and your HTML separate: Put all the code on top of the script and move all the HTML to the bottom. When you're more experience, you should also consider using a template engine like Twig. Last but not least, you really need to start writing proper HTML. Maybe this was just a quick example, but invalid markup and ancient elements like font are just lame. A sanitized version of the code might look like this: <?php // The parameter may or may not be present; we need to actually check this. $color = null; if (isset($_GET['clr'])) { $color = $_GET['clr']; } ?> <!DOCTYPE HTML> <html lang="en"> <head> <meta charset="utf-8"> <title>Test</title> </head> <body> <?php if ($color): ?> <p>The color you chose is: <?= htmlspecialchars($color, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></p> <?php else: ?> <p>Please choose a color</p> <?php endif; ?> </body> </html> I personally don't like mixing PHP and html code for it makes it confusing it confusing for me . I personally would do the following instead: <?php // The parameter may or may not be present; we need to actually check this. $color = null; if (isset($_GET['clr'])) { $color = htmlspecialchars($_GET['clr'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); } ?> <!DOCTYPE HTML> <html lang="en"> <head> <meta charset="utf-8"> <title>Test</title> </head> <body> <?php if ($color) { echo "<p>The color you chose is " . $color . ". </p>\n"; } else { echo "<p>Please choose a color</p>\n"; } ?> </body> </html> That way you can see what is going on in PHP even though it has html in it. I know I have gotten into some heated debates in other forums over this and at one time I thought the other way. However, the main thing is that the php is secure no matter what way you do it. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 4, 2014 Share Posted September 4, 2014 The thing is that you should only have short, simple control structures within your HTML markup (like loops and if statements). You're doing the exact opposite: You have a big block of PHP code, and then you embed HTML snippets as needed. Of course that's possible. But it goes against the underlying principle, and it's very tempting to put all kinds of application logic into that PHP block. The PHP syntax noise (echo, quotes, semicolons) also makes the HTML markup somewhat difficult to read. But the real problem is that PHP simply is a lousy template engine: The syntax is verbose and fugly, there's no separation of logic and layout, there's no built-in scoping, and there are no modern features like template inheritance. With regard to templating, PHP is basically stuck somewhere in the 90s. Sure, it's good enough for small scripts and demonstrational purposes. But for anything more complex we really should be using a proper template engine like Twig or Smarty. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.