uniflare, posted February 17, 2008

Hello, I have not coded PHP for a long time and picked up again last week. I'm currently writing an Easy to use and Extremely Powerful Website Content Management System (CMS). I'm very early in the stages and am currently writing basic class functions for the template interaction.

-- The Idea --

(The way I use templates is with str_replace("<!--//Example_Title//-->",$Title,$Template), although I use arrays for multiple replacements.)

Concerning templates, I'm wondering if it would be a security/performance issue if, instead of static "<!--//TITLE//-->" type replacements, I used dynamic "<!--//Variable::$WebsiteClass->Title//-->" or even used functions inside templates: "<!--//Function::$WebsiteClass->Config("title")//-->".

Obviously I would need to be careful of any user submitted information like comments, where users could exploit this to destroy my website, by limiting this syntax recognition to raw template include functions only, so users could use the same syntax but the script would ignore it.

----

Only problem with this precaution is that I loop the same replacement function (str_replace()) several times so you can have templates inside of templates inside of templates...

Any ideas/thoughts or suggestions greeted with thanks.

___________________________

If this is confusing you please tell me, I'll try to explain better (maybe with code examples?).

Thread: https://forums.phpfreaks.com/topic/91475-securityperformanceeasability-issue/
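The risk the post describes (user-submitted comments containing the placeholder syntax being picked up by a later str_replace() pass) can be avoided without giving up nested templates. The following is an added example, not code from the thread: it expands nested templates first, honouring only names from a fixed template list, and then fills values in a single strtr() pass, which never rescans text it has already inserted. The template names, marker syntax and sample comment are all constructed for the example.

```php
<?php
// Added example (not the thread's code): whitelist-based placeholder resolver
// that keeps user-supplied values from being re-interpreted as markers.
declare(strict_types=1);

// Constructed templates standing in for .tpl files on disk.
const TEMPLATES = [
    'page'    => "<h1><!--//TITLE//--></h1>\n<!--//Include::comment//-->\n",
    'comment' => "<div class=\"comment\"><!--//COMMENT//--></div>\n",
];

// Step 1: expand nested templates. Only names present in TEMPLATES are
// honoured, and only template text (never the values) is scanned for markers.
function expandIncludes(string $tpl, int $depth = 0): string
{
    if ($depth > 8) {
        throw new RuntimeException('Template nesting too deep');
    }
    return preg_replace_callback(
        '#<!--//Include::([A-Za-z0-9_]+)//-->#',
        function (array $m) use ($depth): string {
            if (!isset(TEMPLATES[$m[1]])) {
                return ''; // unknown include name: drop it rather than guess
            }
            return expandIncludes(TEMPLATES[$m[1]], $depth + 1);
        },
        $tpl
    );
}

// Step 2: fill values in one pass. strtr() does not rescan replaced text, so a
// marker inside a comment cannot trigger a second substitution; the values are
// also HTML-escaped, which breaks the "<!--" of any smuggled marker anyway.
function render(string $name, array $values): string
{
    $html = expandIncludes(TEMPLATES[$name]);
    $map  = [];
    foreach ($values as $key => $value) {
        $map['<!--//' . $key . '//-->'] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($html, $map);
}

// Constructed user comment that tries to carry a marker through the loop.
$comment = 'Nice site <!--//TITLE//-->';
echo render('page', ['TITLE' => 'Home', 'COMMENT' => $comment]);
// Output: <h1>Home</h1> followed by the comment with the marker escaped
// as "&lt;!--//TITLE//--&gt;" rather than replaced by "Home".
```

The separation matters: the include pass only ever reads template text the developer controls, and the value pass is a single non-recursive substitution, so the number of nesting levels has no effect on what user content can do.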
able, posted February 17, 2008

My question would be, why? The way I see it, you either go PHP native or you go implementation neutral and use XSL/T.

str_replace("<!--//Example_Title//-->",$Title,$Template)

Why not simply <?php yourOutput('Example_Title'); ?>

I just don't see the point in reinventing the wheel.
Daniel0, posted February 17, 2008

The by far easiest way would be to use native PHP and run your template files through eval(). You can then catch the output using output buffering.
able, posted February 17, 2008

I just wondered why you recommended eval instead of include/require/once?
uniflare, posted February 17, 2008

Thank you very much for your replies. I don't fully understand PHP and have a lot to learn; I am familiar with output buffering.

So basically able is suggesting to store templates in PHP files and include() them.

-- eval only seems to be useful if my template files aren't .php files or are stored in a database, which they aren't (they're .tpl files atm), though I could just as easily change them to .php and include() them when all variables are set and ready.

------

It seems my imagination was running a bit wild. I will stick to native PHP templates and include them.

I am not familiar with the phrases "implementation neutral" and "xsl/t", could you explain or point me to an explanation? Thanks.
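The approach the thread settles on (native PHP template files, include()d once the variables are ready, with the output captured by output buffering) looks like the following. This is an added example, not code from the thread: the render() function, the e() escape helper, the template name check and the sample template written to a temporary directory are all constructed here. include() rather than eval() means the template is an ordinary file with real line numbers in error messages and is cached by the opcode cache like any other script.

```php
<?php
// Added example (not the thread's code): render a native-PHP template file via
// include() inside an output buffer, exposing only an escape helper and the
// variables the caller passes in.
declare(strict_types=1);

// Escape helper the template is expected to call for every dynamic value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render $name.php under $templateDir with $vars in scope. The closure scope
// means the template cannot see or clobber the caller's local variables.
function render(string $templateDir, string $name, array $vars): string
{
    // Constructed rule: plain names only, so a caller cannot steer include()
    // to a path outside the template directory.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("Bad template name: $name");
    }
    $file = $templateDir . '/' . $name . '.php';
    if (!is_file($file)) {
        throw new RuntimeException("Template not found: $file");
    }
    $renderer = function (string $__file, array $__vars): string {
        extract($__vars, EXTR_SKIP);   // EXTR_SKIP: never overwrite $__file/$__vars
        ob_start();
        try {
            include $__file;
            return (string) ob_get_clean();
        } catch (Throwable $t) {
            ob_end_clean();            // discard partial output on error
            throw $t;
        }
    };
    return $renderer($file, $vars);
}

// Constructed template written to a temp dir so the example runs stand-alone.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/page.php',
    "<h1><?= e(\$title) ?></h1>\n<p><?= e(\$comment) ?></p>\n");

echo render($dir, 'page', [
    'title'   => 'Home',
    'comment' => 'Nice site <script>alert(1)</script>',  // constructed user input
]);
// The comment is emitted as "&lt;script&gt;alert(1)&lt;/script&gt;", so the
// browser shows it as text instead of running it.

unlink($dir . '/page.php');
rmdir($dir);
```

The two checks worth keeping in any version of this are the template name restriction before include() and the habit of passing every value through e() in the template; the output buffer itself only captures the result, it does not make the content safe.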
able, posted February 17, 2008

"implementation neutral" - I meant by this language neutral/platform neutral, i.e. something that would work in PHP, or ASP or JSP etc.

"xsl/t" - A quick google for XSL will give you a whole lot of info. I'd sum it up as CSS for XML that can output other markup languages. So, if we wanted a universal template system, have your application output XML; the template is then essentially XSL, and it is transformed into X/HTML as required.

I don't claim to be much of an authority on XSL but there is loads of info about if you desire it.
uniflare, posted February 18, 2008

Thank you very much for your information. I believe a universal template is not for me as I do not believe it will ever be truly universal (i.e. using it with different scripts); I will end up changing parts anyway. If I ever go into pure template building that's a very nice idea, thanks for sharing.

----

PS, probably wrong place to ask but is there a way to SOLVE this topic?