I’m new to this board, but I’ve been a fan of CSS-Tricks for a while now.
Does anybody have experience creating HTML templates with an engine like Smarty, or do you roll your own? I’m curious about what other folks do. Have you come across any security issues using a template engine like this guy describes?
Personally I have never and would never let anything do my coding for me, mainly because it normally comes out a complete mess and you have to, at some point, navigate your way around it…
I don’t think that’s what he means, Rob. He’s talking about templating systems – templates with placeholders for variables in them, that sort of thing.
When PHP was first developed, it was a template language. That is, programmers would take an HTML page and insert <?php ?> tags all over the place whenever they needed some calculated value or a field from a database. That’s all well and good, but if you are working as part of a larger team then that can lead to problems. Also, it doesn’t fit very well in today’s MVC-oriented mindset.
One of the problems I hit in the past is that graphic designers are prone to breaking PHP when they edit the files in DreamPage (or whatever it is they use). Fortunately modern versions of these programs understand PHP, ASP, Ruby and such and hide their ugliness from these kinds of people, but it can still happen.
Then there’s the issue of security. Is the guy that’s editing the templates the kind of guy you want to have the power to type mysql_query("DELETE FROM customers;")? Or maybe he’ll just accidentally break some code that needs to be there. This is where Django’s template system shines: since it’s not based on any underlying language like PHP or Ruby, it only lets the template authors do what the CMS is programmed to let them do. This means it has lots of nifty functions specially designed to cater for template authors (like truncatewords:"100", for instance) but without a) the designers needing to learn PHP and b) the developers needing to worry about what the designers are doing to their code.
This is not such an issue for me at the moment, as I’m just working up a few sites for people I know and as such WordPress is great for me. Although the templates are peppered with PHP, and yes, if used incorrectly I’m sure there could be security issues, as I’m the only one working on the files it suits me fine.
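As an added illustration of the restricted-template point made above (this is constructed example code written for this thread, not Django’s engine and not anything from the forum), here is a minimal placeholder-only renderer: template authors can only name variables the application puts in the context and apply whitelisted filters (the filter names `truncatewords` and `upper` are my own choice), output is HTML-escaped, and anything else is either left literal or rejected instead of being executed the way a `<?php ?>` block would be.

```python
import html
import re

# Constructed example: a placeholder-only template renderer in the spirit of
# the Django comparison above. Unlike a PHP template, nothing inside {{ }}
# is ever executed; it can only look up a context variable and run filters
# from a fixed whitelist.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)((?:\|[^}]+)*)\s*\}\}")


def truncatewords(value, n):
    """Keep the first n words, appending ' ...' if anything was cut."""
    words = str(value).split()
    n = int(n)
    return " ".join(words[:n]) + (" ..." if len(words) > n else "")


def upper(value):
    return str(value).upper()


# The only operations a template author may invoke (hypothetical whitelist).
FILTERS = {"truncatewords": truncatewords, "upper": upper}


def apply_filters(value, chain):
    """Apply a '|name:arg|name' chain; unknown filter names are rejected."""
    for part in chain.split("|")[1:]:
        name, _, arg = part.strip().partition(":")
        if name not in FILTERS:
            raise ValueError("unknown filter: " + name)
        arg = arg.strip().strip('"')
        value = FILTERS[name](value, arg) if arg else FILTERS[name](value)
    return value


def render(template, context):
    """Substitute {{ var|filter }} placeholders from an explicit context."""
    def substitute(match):
        name, chain = match.group(1), match.group(2)
        if name not in context:
            raise KeyError("unknown variable: " + name)
        # Escape on output so a designer-supplied value cannot inject markup.
        return html.escape(str(apply_filters(context[name], chain)))
    # A single pass: values containing {{ }} are data, never re-parsed.
    return PLACEHOLDER.sub(substitute, template)
```

Because the renderer only understands named lookups and whitelisted filters, a template such as `{{ 7*7 }}` or a value that itself contains `{{ }}` comes out as literal text rather than being evaluated.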
I would highly advise against a template engine. I tried Smarty once, and found the syntax to be ugly and confusing.
If you’re going to use a "Template Engine", I suggest using a PHP framework such as CodeIgniter. It allows for even more separation, and keeps the normal PHP syntax in your HTML. The only difference is that database calls are dealt with by your model, and your controller loads the views, responds to data and calls on the model for database information.
It’s a really nice, simple, clean way to write PHP. Writing plain PHP without a framework is something I just don’t do anymore.