Best practice for outputting HTML from within PHP

[enveetee]

Hi

 

I have a self calling script which does the following:

 

Stage 1: First run, it detects that $_POST is empty, and so displays a chunk of html which prompts for a password.

Stage 2: When resubmitted, it detects $_POST and displays another chunk of html which prompts the user for some values

Stage 3; When resubmitted the second time, $_POST is detected, along with the user values and some php is executed and a menu displayed.

 

So, question is this, what is the best method to output the html at stage 1 and stage 2?

I have tried using echo statements and wrapping each chunk in a function = messy. 

I have tried using HEREDOCS (<<<VARNAME), better but ties my HTML to my script which is a pain

I am thinking to use file_get_contents("../html/chunk1.htm") this seems quite elegant and allows me to get someone else on our team to design the HTML keeping it out of my script

 

Thoughts and suggestions?

 

Thanks as ever

 

p.s. who pays for this site, are donation accepted?

[Ch0cu3r]

 

I am thinking to use file_get_contents("../html/chunk1.htm") this seems quite elegant and allows me to get someone else on our team to design the HTML keeping it out of my script

Thats the approach I would use. Your HTML output should be separate from your business logic (the code that processes the request). However instead of file_get_contents I would use include so then I could still use PHP variables within the template file.

[scootstah]

There are some templating libraries that you could look in to. That is a surefire way to separate business and view logic.

 

Remember to make sure that you run variables through htmlspecialchars before displaying them.

[Frank_b]

Most simple is an include()

 

Or use Twig or Blade template engines.

[enveetee]

Cheers everyone, came across the include after my post.

 

Thanks

[Jacques1]

This is not what include is for.

 

The include statement executes a PHP script. Since you want plain HTML, there's absolutely no reason for evaluating it as PHP code. In fact, this has serious consequences:

• Anything that looks like PHP tags will be executed, even if the HTML designer just meant to write down literal text. For example, the term “<?=” or even just “<?” immediately triggers the PHP parser.
• The included files may be used to purposely inject malicious code. I'm not saying that your designers would do that, but an attacker who has gained access to the templates is also able to execute arbitrary PHP code.

HTML designers should write HTML markup, not PHP code. So either use readfile() to print the file content as plaintext. Or give your designers a proper template engine like Twig which allows them to use additional features in a controlled manner.

[enveetee]

Thank you jacques1 - as informative as ever