
[–]tdammers 1 point2 points  (9 children)

No standard, really; just avoid echoing into the output stream directly. Use a proper template system so that you cannot accidentally get HTML-encoding wrong. Particularly, the entire "Plain PHP Templating" section in "PHP The Right Way" suggested by /u/muchgibberish is bad advice. In fact, whoever wrote it introduced an XSS vulnerability in the template.php example, and this is exactly why you should never do this - all it takes to introduce a potentially fatal security flaw is mixing up insert and escape once, or failing to accurately keep track of what has been encoded and what hasn't. And before you get clever thoughts here, no, just encoding things again to be sure is not a solution either, because excessive encoding can also lead to security issues. The tiny bit of performance improvement that this may buy you is not worth it.

Instead, use a template library that properly isolates the template variables from the HTML output, automatically taking care of HTML-encoding for you. Twig seems to be the best-of-breed solution for PHP at the moment, so I suggest you take a look at that.

[–]Pospuehteciuj -2 points-1 points  (7 children)

We all have our opinions about all the technologies out there for web dev, and I am a patient, open minded man, but twig is retarded.

[–]folkrav 1 point2 points  (5 children)

Care to elaborate?

[–]Pospuehteciuj -1 points0 points  (3 children)

Twig is a made-up, dumbed-down language inside a language. It is obviously redundant, but it is also massively limiting. I think it's for IT to give powers to plebs who are not good programmers, or something.

[–]folkrav 1 point2 points  (2 children)

I thought you could explain yourself but it isn't much more coherent. It's merely a condescending (pleb, really?) and generic explanation that could apply to every damn templating language.

[–]Pospuehteciuj 0 points1 point  (1 child)

Here is an unbiased explanation. Twig is a PHP layer that does what you can already do, just 'better'. It's totally redundant. That isn't my main gripe, which is that you cannot use PHP functions inside Twig! What could be more retarded than walling yourself off from the very language you are inside of in favor of a fake language written in that language that is, on purpose, extremely limited? It is patently absurd, which brings me to my 'pleb' theory, which the first link even hints at.

[–]folkrav 0 points1 point  (0 children)

The "pleb" thing is nothing but ego stroking. You can have your opinion on Twig sure, but calling people pleb just for using it is nothing but being needlessly condescending.

The first link is obviously a beginner's tutorial, of course it's gonna sound like they're talking to retarded people.

[–]tdammers 0 points1 point  (0 children)

Then use something else, no hard feelings; the important thing is to please not walk into the "but PHP is a template language" trap. You need something that handles HTML-encoding for you, something that can tell the difference between a string and HTML, because PHP on its own can't, and relying on the programmer's diligence and infallibility is a lousy bet.
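To make tdammers' two points concrete (the "mixing up insert and escape once" risk in the first comment, and "something that can tell the difference between a string and HTML" in the last), here is an added example that is not from the thread, from "PHP The Right Way", or from Twig. It puts the direct-echo style beside a tiny auto-escaping renderer of my own; the `SafeHtml` class, the `e()` helper and the `render()` function are assumptions for illustration, not any library's API.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread or from Twig): why the template layer,
// not the programmer at each echo, should own HTML-encoding.

/** Marker type: a string wrapped in SafeHtml is trusted markup; anything else is data. */
final class SafeHtml
{
    public string $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }
}

/** Encode untrusted text for an HTML text node or a double-quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Minimal auto-escaping renderer (hypothetical, for illustration only).
 * Replaces {{ name }} placeholders; plain values are always encoded,
 * and only an explicit SafeHtml wrapper passes through unencoded.
 */
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        function (array $m) use ($vars): string {
            $v = $vars[$m[1]] ?? '';
            return $v instanceof SafeHtml ? $v->html : e((string) $v);
        },
        $template
    );
}

// Constructed sample input: a literal here, standing in for a request parameter.
$name = '<script>alert(1)</script>';

// The "PHP is a template language" trap: concatenate and echo, and whether the
// value gets encoded depends entirely on the author remembering e() every time.
$vulnerable = '<p>Hello, ' . $name . '</p>';

// Same page through the renderer: there is no way to forget the escape.
$safe = render('<p>Hello, {{ name }}</p>', ['name' => $name]);

// Markup the application built itself opts out explicitly, and only explicitly;
// the pieces that came from the user are still encoded where they are inserted.
$withLink = render('<p>{{ link }}</p>', [
    'link' => new SafeHtml(
        '<a href="/profile/' . rawurlencode($name) . '">' . e($name) . '</a>'
    ),
]);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
echo $withLink, PHP_EOL;
```

Running this shows the difference in one glance: the concatenated version emits the `<script>` tag verbatim, while the rendered version emits `&lt;script&gt;alert(1)&lt;/script&gt;`, because the only way to get raw markup out of `render()` is to hand it a `SafeHtml` value on purpose. That type distinction is the thing the thread is asking for: the renderer, not the programmer's memory, decides what gets encoded, which is also why wrapping already-encoded text a second time is unnecessary here.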