
My opinion is to keep from switching in and out of php mode entirely.  If you have multiple lines of this kind of code, explore the usage of the heredoc feature in the manual.  Much easier to read when you have a lot of this sort of coding going on.

To be honest, both examples are cumbersome and ugly. And that's not even usable code, because you've forgotten the HTML-escaping. The real code would look something like this:

<div><?= htmlspecialchars($some_value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); ?></div>

And that's just one variable in one HTML element. When you're dealing with more complex output, you'll quickly end up with this terrible Wordpress-style spaghetti code.


Personally, I very much prefer using a proper template engine like Twig or Smarty:

<div>{{ some_value }}</div>

This is clearly much more readable. And since Twig automatically escapes the output, you won't run into cross-site scripting vulnerabilities all the time.

Edited by Jacques1

If you don't use a template engine you can always use a function in your configuration file that you use to make it a little less cumbersome, for example

function html_escape($raw_input) {
    // important! don't forget to specify ENT_QUOTES and the correct encoding
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

then call it like 

<p class="blogParagraph"><?php echo nl2br(html_escape($row->content)); ?></p>

I believe I got this small script from a tutorial I got from a different forum written by Jacques! awhile back.
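An added example, not from the thread, that runs the poster's html_escape() helper against a constructed hostile value to show why the flags and the nl2br ordering in the snippet above matter (the weaker ENT_COMPAT variant is passed explicitly to stand in for the pre-PHP 8.1 default):

```php
<?php
// Added example: compares escaping variants on a constructed sample value.
declare(strict_types=1);

function html_escape(string $raw_input): string {
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string; the charset must match the page.
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Safe rendering of a multi-line blog paragraph: escape FIRST, then nl2br,
// so the <br /> tags nl2br inserts are the only markup that survives.
function render_paragraph(string $content): string {
    return '<p class="blogParagraph">' . nl2br(html_escape($content)) . '</p>';
}

// Wrong order for comparison: nl2br's own <br /> tags get encoded too and
// show up on the page as literal text instead of line breaks.
function render_paragraph_wrong_order(string $content): string {
    return '<p class="blogParagraph">' . html_escape(nl2br($content)) . '</p>';
}

// Constructed sample: both quote kinds, a tag, and a line break.
$content = "Nice post! <script>alert('x')</script>\nIt's \"great\".";

// 1. ENT_COMPAT (the default before PHP 8.1) leaves single quotes alone,
//    which breaks out of single-quoted attributes such as title='...'.
echo htmlspecialchars($content, ENT_COMPAT, 'UTF-8'), "\n";
echo "<a title='" . htmlspecialchars($content, ENT_COMPAT, 'UTF-8') . "'>x</a>\n";

// 2. The helper from the post encodes every special character, so the
//    same value is inert in text content and inside either quote style.
echo html_escape($content), "\n";
echo "<a title='" . html_escape($content) . "'>x</a>\n";

// 3. Correct vs. wrong ordering with nl2br.
echo render_paragraph($content), "\n";
echo render_paragraph_wrong_order($content), "\n";
```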

Personally, I very much prefer using a proper template engine like Twig or Smarty:

<div>{{ some_value }}</div>

This is clearly much more readable. And since Twig automatically escapes the output, you won't run into cross-site scripting vulnerabilities all the time.


Does Twig automatically escape output now? I know you can set a template to auto-escape blocks of output, but you have to specifically set it to do so. Otherwise you escape on the value, such as

<div>{{ some_value|e }}</div>
<div>{{ some_value|escape('html') }}</div>

unless that changed...


Either way, Twig is fantastic and very much recommended.
