
Security/Performance/Usability Issue


uniflare


Hello, I have not coded PHP for a long time and picked it up again last week. I'm currently writing an easy-to-use and extremely powerful website Content Management System (CMS). I'm very early in the stages and am currently writing basic class functions for the template interaction.

 

--

The Idea

--

(The way I use templates is with str_replace("<!--//Example_Title//-->",$Title,$Template), although I use arrays for multiple replacements.)

 

Concerning templates, I'm wondering if it would be a security/performance issue if, instead of static "<!--//TITLE//-->" type replacements, I used dynamic "<!--//Variable::$WebsiteClass->Title//-->" ones, or even functions inside templates like "<!--//Function::$WebsiteClass->Config("title")//-->".

 

Obviously I would need to be careful of any user-submitted information, like comments, where users could exploit this to destroy my website. I would do this by limiting this syntax recognition to raw template include functions only, so users could use the same syntax but the script would ignore it.

----

The only problem with this precaution is that I loop the same replacement function (str_replace()) several times so you can have templates inside of templates inside of templates...

 

Any ideas, thoughts or suggestions are greeted with thanks.

___________________________

 

If this is confusing you, please tell me and I'll try to explain better :P (maybe with code examples?)

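The risk the post describes is that a repeated str_replace() loop over nested templates also re-scans text that a user put there (a comment containing the token syntax), so user data ends up being treated as template directives. The example below is an added illustration, not code from the thread or the poster's CMS: it resolves "Variable::" and "Include::" tokens in a single pass against an explicit set of exposed variables, HTML-escapes every value, and only ever recurses into templates from the trusted template set. Template names, variable names and the sample comment are constructed for the example.

```php
<?php
// Added example: single-pass token renderer for "<!--//Kind::name//-->" tokens.
// Included templates are resolved by recursion on the *template*, never on data
// that a substitution produced, so user text containing token syntax stays literal.

function renderTemplate(string $name, array $templates, array $vars, int $depth = 0): string
{
    if (!isset($templates[$name])) {
        throw new InvalidArgumentException("Unknown template: $name");
    }
    if ($depth > 8) {
        // Guard against a template that (directly or indirectly) includes itself.
        throw new RuntimeException("Include depth exceeded at template: $name");
    }
    // preg_replace_callback visits each token exactly once; replacement text is
    // not matched again, unlike a str_replace() loop run several times.
    return preg_replace_callback(
        '/<!--\/\/(Variable|Include)::([A-Za-z_][A-Za-z0-9_]*)\/\/-->/',
        function (array $m) use ($templates, $vars, $depth): string {
            [, $kind, $key] = $m;
            if ($kind === 'Include') {
                // Nested templates come only from the trusted template set on disk.
                return renderTemplate($key, $templates, $vars, $depth + 1);
            }
            // Only variables the controller explicitly exposed resolve; no
            // arbitrary object or function access from inside a template.
            if (!array_key_exists($key, $vars)) {
                return '';
            }
            // Values are data, never code: escape for the HTML context.
            return htmlspecialchars((string) $vars[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $templates[$name]
    );
}

// Constructed sample: a page template including a comment template, where the
// comment body is user supplied and tries to use the token syntax itself.
$templates = [
    'page'    => "<h1><!--//Variable::title//--></h1>\n<!--//Include::comment//-->\n",
    'comment' => "<p><!--//Variable::comment_body//--></p>",
];
$vars = [
    'title'        => 'Hello <script>',
    'comment_body' => 'look: <!--//Variable::title//--> and <!--//Include::page//-->',
];
// The comment's tokens come out escaped and literal; they are never resolved.
echo renderTemplate('page', $templates, $vars);
```

Because the renderer only recurses through the trusted $templates array, nesting depth is bounded by the templates you wrote, not by what a visitor posts.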

My question would be, why?

 

The way I see it, you either go PHP native or you go implementation neutral and use XSL/T.

 

str_replace("<!--//Example_Title//-->",$Title,$Template)

 

Why not simply <?php yourOutput('Example_Title'); ?>

 

I just don't see the point in reinventing the wheel.


Thank you very much for your replies,

 

I don't fully understand PHP and have a lot to learn :), but I am familiar with output buffering.

 

So basically able is suggesting to store templates in php files and include() them.

--

eval() only seems to be useful if my template files aren't .php files or are stored in a database, which they aren't (they're .tpl files atm), though I could just as easily change them to .php and include() them when all variables are set and ready.

------

It seems my imagination was running a bit wild :-[. I will stick to native PHP templates and include them.

I am not familiar with the phrases "implementation neutral" and "XSL/T"; could you explain or point me to an explanation?

Thanks.


"implementation neutral"

 

- By this I meant language neutral/platform neutral, i.e. something that would work in PHP, or ASP or JSP etc.

 

 

"XSL/T" - A quick Google for XSL will give you a whole lot of info. I'd sum it up as CSS for XML that can output other markup languages. So, if we wanted a universal template system, have your application output XML; the template is then essentially XSL, and it is transformed into X/HTML as required.

 

I don't claim to be much of an authority on XSL, but there is loads of info about if you desire it.


Thank you very much for your information. I believe a universal template is not for me, as I do not believe it will ever be truly universal (i.e. using it with different scripts); I will end up changing parts anyway.

 

If I ever go into pure template building that's a very nice idea, thanks for sharing :)

----

PS, probably the wrong place to ask, but is there a way to mark this topic as SOLVED?
