colap, Posted December 24, 2015

    <?php echo '<div>' . $a . '</div>';?>

    <div><?php echo $a;?></div>

Which one is better? Someone said the bottom one is better. Please explain.
requinix, Posted December 24, 2015

Top one doesn't have you jumping in and out of PHP mode. Bottom one keeps the HTML separate from the code. What do you think is better?
gsmit1996, Posted December 24, 2015

My opinion is that short-tags are the way to go:

    <div><?= $a ?></div>

It's like the bottom, only shorter.
ginerjm, Posted December 24, 2015

My opinion is to keep from switching in and out of PHP mode entirely. If you have multiple lines of this kind of code, explore the usage of the heredoc feature in the manual. Much easier to read when you have a lot of this sort of coding going on.
Jacques1, Posted December 24, 2015 (edited)

To be honest, both examples are cumbersome and ugly. And that's not even usable code, because you've forgotten the HTML-escaping. The real code would look something like this:

    <div><?= htmlspecialchars($some_value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); ?></div>

And that's just one variable in one HTML element. When you're dealing with more complex output, you'll quickly end up with this terrible WordPress-style spaghetti code.

Personally, I very much prefer using a proper template engine like Twig or Smarty:

    <div>{{ some_value }}</div>

This is clearly much more readable. And since Twig automatically escapes the output, you won't run into cross-site scripting vulnerabilities all the time.

Edited December 24, 2015 by Jacques1
Strider64, Posted December 24, 2015

If you don't use a template engine you can always use a function in your configuration file that you use to make it a little less cumbersome, for example

    function html_escape($raw_input) {
        // important! don't forget to specify ENT_QUOTES and the correct encoding
        return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

then call it like

    <p class="blogParagraph"><?php echo nl2br(html_escape($row->content)); ?></p>

I believe I got this small script from a tutorial I got from a different forum written by Jacques! a while back.
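An added example (not code from any poster in this thread): the html_escape() helper from the post above, run against constructed sample values to show what each flag contributes and why the nl2br(html_escape(...)) order matters. The check() helper and the sample strings are assumptions made for this example.

```php
<?php
declare(strict_types=1);

function html_escape(string $raw_input): string
{
    // ENT_QUOTES: escape both " and ', so the value is safe inside attributes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning
    // an empty string, which would silently drop the whole value.
    // ENT_HTML5: use HTML5 entities (' becomes &apos;).
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper for this example: fail loudly when output differs.
function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got [$got], expected [$want]");
    }
}

// Constructed sample values, standing in for a $row->content column.
$markup   = '<b onclick="x()">hi</b> & \'single\'';
$newlines = "line one\n<b>line two</b>";
$badUtf8  = "caf\xE9";   // Latin-1 byte, not valid UTF-8

// 1. Tags, ampersand and both quote styles are all neutralised.
check('markup', html_escape($markup),
    '&lt;b onclick=&quot;x()&quot;&gt;hi&lt;/b&gt; &amp; &apos;single&apos;');

// 2. Escape first, then nl2br(): the <br /> that nl2br() inserts survives,
//    while the <b> that came from the input does not.
check('escape then nl2br', nl2br(html_escape($newlines)),
    "line one<br />\n&lt;b&gt;line two&lt;/b&gt;");

// The reverse order escapes nl2br()'s own tag, so the browser shows a
// literal "<br />" instead of breaking the line.
check('nl2br then escape', html_escape(nl2br($newlines)),
    "line one&lt;br /&gt;\n&lt;b&gt;line two&lt;/b&gt;");

// 3. Without ENT_SUBSTITUTE an invalid byte makes htmlspecialchars() return
//    '' and the whole field vanishes from the page; with it, U+FFFD is emitted.
check('no ENT_SUBSTITUTE', htmlspecialchars($badUtf8, ENT_QUOTES, 'UTF-8'), '');
check('ENT_SUBSTITUTE', html_escape($badUtf8), "caf\u{FFFD}");

echo "all checks passed\n";
```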
maxxd, Posted December 24, 2015

> Personally, I very much prefer using a proper template engine like Twig or Smarty:
>
>     <div>{{ some_value }}</div>
>
> This is clearly much more readable. And since Twig automatically escapes the output, you won't run into cross-site scripting vulnerabilities all the time.

Does Twig automatically escape output now? I know you can set a template to auto-escape blocks of output, but you have to specifically set it to do so. Otherwise you escape on the value, such as

    <div>{{ some_value|e }}</div>
    <div>{{ some_value|escape('html') }}</div>

unless that changed... Either way, Twig is fantastic and very much recommended.
Jacques1, Posted December 24, 2015

You can enable global autoescaping in the Twig environment options.
maxxd, Posted December 27, 2015

> You can enable global autoescaping in the Twig environment options.

Completely missed that - thank you!