Security/Performance/Easability Issue

[uniflare]

Hello, i have not coded php for a long time and picked up again last week, I'm currently writing an Easy to use and Extremely Powerful Website Content Management System (CMS). I'm very early in the stages and am currently writing basic class functions for the template interaction.

 

--

The Idea

--

(The way i use templates is with str_replace("<!--//Example_Title//-->",$Title,$Template), although i use arrays for multiple replacements)

 

Concerning templates, I'm wondering if it would be a security/performance issue if instead of static "<!--//TITLE//-->" Type Replacements, to use Dynamic "<!--//Variable::$WebsiteClass->Title//-->" or even use functions inside templates "<!--//Function::$WebsiteClass->Config("title")//-->".

 

Obviously i would need to be careful of any user submitted information like comments where users could exploit this to destroy my website, by limiting this syntax recognition to raw template include functions only, so users could use the same syntax but the script would ignore it.

----

Only problem with this precaution is that i loop the same replacement function (str_replace()) several times so you can have templates inside of templates inside of templates...

 

Any Ideas/thoughts or suggestions greeted with thanks

___________________________

 

if this is confusing you please tell me ill try to explain better (maybe with code examples?)

[able]

My question would be, why?

 

The way I see it, you either go php native or you go implimentation neutral and use xsl/t.

 

str_replace("<!--//Example_Title//-->",$Title,$Template)

 

Why not simply <?php yourOutput('Example_Title'); ?>

 

I just don't see the point in reinventing the wheel.

[Daniel0]

The by far easiest way would be to use native PHP and run your template files through eval(). You can then catch the output using output buffering.

[able]

I just wondered why you recomended eval instead of include/require/once?

[uniflare]

Thank you very much for your replies,

 

I don't fully understand php and have a lot to learn  , i am familier with output buffering.

 

So basically able is suggesting to store templates in php files and include() them.

--

eval only seems to be useful if my templates files aren't .php files or are stored in a database, which they aren't (they're .tpl files atm), though i could just as easily change them to .php and include() them when all variables are set and ready.

------

it seems my imagination was running a bit wild . I will stick to native php templates and include them.

I am not familier with the phrase "implimentation neutral"  and "xsl/t", could you explain or point me to an explanation?

Thanks.

[able]

"implimentation neutral" 

 

- I meant by this language neutral/platform neutral i.e. something that would work in PHP, or ASP or JSP etc

 

 

"xsl/t", - A quick google for XSL will give you a whole lot of info. I'd sum it up as CSS for XML that can output other markup languages. So, if we wanted a universal template system, have your application output xml, the template is then essentially XSL - and it is transformed into x/html as required

 

I don't claim to be much of an authority on XSL but there is loads of info about if you desire it

[uniflare]

thank you very much for your information, i believe a universal tempalte is not for me as i do not believe it will ever be truly universal (ie using it with different scripts), i will end up changing parts anyway.

 

if i ever go into pure template building thats a very nice idea, thanks for sharing

----

PS, prorbably wrong place to ask but is there a way to SOLVE this topic?