CHAPTER 5 – Separating Logic from Layout

In each of the two approaches, you always need to strive to separate your logic from the layout of your pages. There are a few ways to do this--for example, with a templating engine (see Chapter 14, "Performance")--but you can also use your own templating method, perhaps something similar to this example:

template.tpl:

<html>
<head><title><?php echo $tpl['title']; ?></title></head>
<body>
<h1><?php echo $tpl['title']; ?></h1>
<p>
<?php echo $tpl['description']; ?>
</p>
<?php echo $tpl['content']; ?>
</body>
</html>

This file is the "static" part of the site, and it's the same for most pages. It's simply HTML with some PHP statements to echo simple variables that are filled in by logic in the script that uses this template.

list_parts.tpl.php:

<?php
$header = <<<END
<table>
<tr><th>Name</th><th>City</th></tr>
END;

$footer = <<<END
</table>
END;

$item = "<tr><td>{name}</td><td>{city}</td></tr>";
?>

This file contains elements for use in a dynamic list. You see that in the $item variable, we also have two placeholders ({name} and {city}) which are used by the logic to fill in data.

show_names.php:

<?php
include 'list_parts.tpl.php';

First, we include the template file containing the definitions for the different elements of the list to display:

$list = array('Andi' => 'Tel Aviv', 'Derick' => 'Skien', 'Stig' => 'Trondheim');
$items = '';
foreach ($list as $name => $city) {
    $items .= str_replace(
        array('{name}', '{city}'),
        array($name, $city),
        $item
    );
}

After initializing our variables, we loop through the array and concatenate the filled-in $item variable to the $items variable, which will contain the layout for all items in the list:

$tpl = array();
$tpl['title'] = "List with names";
$tpl['description'] = "This list shows names and the cities.";
$tpl['content'] = $header . $items . $footer;
include 'template.tpl';
?>

At last, we create the $tpl array, fill in the items that the template wants, and include the template file.
Because the variables are now set, the included template is displayed with the data filled in. This is, of course, only one method of attacking this problem; I'll leave the rest to your imagination.
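The template above echoes $tpl values and the list data straight into HTML. As long as the values come from your own code that is harmless, but the same split is usually fed with user-supplied data (a name typed into a form, a city read from the database), and then unescaped output is exactly the cross-site scripting problem the chapter warns about. The following is an added example, not code from the book: it keeps the same header/item/footer split and the same $tpl array, but escapes every value as it is placed into the page. The helper names h(), render_list() and render_page() are chosen here for illustration, and the templates are inlined as strings so the script runs on its own.

```php
<?php
// Added example (not from the book): the book's templating approach with
// every value escaped as it enters HTML. h(), render_list() and
// render_page() are illustrative names chosen for this example.

// Escape a value for an HTML text or attribute context.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Template pieces kept inline so the file runs stand-alone; in a real site
// they would live in template.tpl and list_parts.tpl.php as shown above.
$header = "<table>\n<tr><th>Name</th><th>City</th></tr>\n";
$footer = "</table>\n";
$item   = "<tr><td>{name}</td><td>{city}</td></tr>\n";

// Fill the {name}/{city} placeholders, escaping each value first so that a
// value containing markup is rendered as inert text rather than as tags.
function render_list(array $rows, $item)
{
    $out = '';
    foreach ($rows as $name => $city) {
        $out .= str_replace(
            array('{name}', '{city}'),
            array(h($name), h($city)),
            $item
        );
    }
    return $out;
}

// Build the page from $tpl. title and description are plain text and get
// escaped; content is HTML that was already built from escaped parts, so it
// is inserted as-is (escaping it again would show the table markup literally).
function render_page(array $tpl)
{
    $html  = "<html>\n<head><title>" . h($tpl['title']) . "</title></head>\n<body>\n";
    $html .= "<h1>" . h($tpl['title']) . "</h1>\n";
    $html .= "<p>" . h($tpl['description']) . "</p>\n";
    $html .= $tpl['content'];
    $html .= "</body>\n</html>\n";
    return $html;
}

// Constructed sample data; the last entry stands in for a hostile value that
// a user could have typed into a form.
$list = array(
    'Andi'   => 'Tel Aviv',
    'Derick' => 'Skien',
    'Stig'   => 'Trondheim',
    '<script>alert(1)</script>' => 'nowhere',
);

$tpl = array(
    'title'       => 'List with names',
    'description' => 'This list shows names and the cities.',
    'content'     => $header . render_list($list, $item) . $footer,
);

echo render_page($tpl);
```

The design point is to decide, for every $tpl entry, whether it is text (escape it at the point of output) or already-assembled HTML (build it only from escaped parts and never escape it twice). Keeping that distinction explicit in the template is what makes the layout safe no matter where the logic got its data.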

SUMMARY

PHP is easily embedded into HTML files, displaying HTML forms that collect data entered by users and files that users upload. Collecting information from users presents security issues for the web site and for any user information stored at the web site. For security, PHP should have register_globals set to Off. To attack your web site or steal your data, the bad guys use techniques like cross-site scripting (executing pieces of client side scripting on your site) and SQL injection (inserting malicious code into queries run on your database). To protect against attacks, you must distrust all data that originates from users. You need to carefully validate all data that you receive from users and test it carefully to be sure it is safe, not dangerous to your web site. You can protect your web site when users upload files by checking the file size and type of the uploaded file. In addition, you can protect the information that is visible in your browser address window--information passed in the URL--by hashing it using one of several methods, including a PEAR class, called Crypt_HMAC, which was developed for hashing purposes. Hashing is also useful to protect passwords stored for the purpose of authenticating users. Another useful measure to protect your web site from user mistakes or bad-guy attacks is to develop your own error handler to recognize when something is not as it should be and to handle the problem.

For a web application to be useful, the application data must be available to all the web pages in the application during a user session. One way to pass data from one web page to the next is by using cookies. When the user accesses the web page, a login page is displayed and the account and password entered by the user into the form are checked against the account and password that are stored for the user. If the user is authenticated, a cookie is set. The information in the cookie is automatically passed with any requested page. A second method of making data persistent across web pages is to use the PHP session features. Once you start a PHP session, you can store variables that are available to other scripts in the session.

Once you know all the pieces you need for your web application, you need to organize them into a useful whole. One common method of organization is called "one script serves all," which means that index.php handles all the requests for different pages. Another common organization is "one script per function." A general principle is to separate layout from logic. After you organize the pieces into a comprehensive application, you're off to the races.
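The summary mentions protecting values passed in the URL by hashing them with an HMAC. The following added example (not from the book) shows what that looks like end to end: the script that builds a link appends a keyed hash over the parameters, and the script that receives the link recomputes the hash before trusting any of them. It uses PHP's built-in hash_hmac() and hash_equals() rather than the PEAR Crypt_HMAC class the chapter refers to; hash_equals() needs PHP 5.6 or later, which is newer than the PHP the book targets. The names $secret, sign_params() and verify_params() are chosen here for illustration.

```php
<?php
// Added example (not from the book): HMAC-protected URL parameters using the
// built-in hash_hmac()/hash_equals() instead of PEAR's Crypt_HMAC.
// $secret, sign_params() and verify_params() are illustrative names.

// Server-side secret; it must never appear in a page or a URL.
$secret = 'replace-with-a-long-random-secret';

// Sort the parameters so key order does not change the hash, serialize them,
// and append the HMAC as an extra parameter named sig.
function sign_params(array $params, $secret)
{
    ksort($params);
    $query = http_build_query($params);
    $params['sig'] = hash_hmac('sha256', $query, $secret);
    return http_build_query($params);
}

// Recompute the HMAC over the received parameters (without sig) and compare
// in constant time. A changed, added, removed or missing value fails.
function verify_params(array $params, $secret)
{
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return false;
    }
    $sig = $params['sig'];
    unset($params['sig']);
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), $secret);
    return hash_equals($expected, $sig);
}

// Constructed usage: build a signed link, then parse its query string the
// way a receiving script would see it in $_GET.
$link = 'show_names.php?' . sign_params(array('user' => 'derick', 'page' => 2), $secret);
parse_str(parse_url($link, PHP_URL_QUERY), $received);
$ok = verify_params($received, $secret);

// The same parameters with one value edited in the address bar.
$tampered = $received;
$tampered['user'] = 'admin';
$still_ok = verify_params($tampered, $secret);

echo "untouched link valid: " . ($ok ? 'yes' : 'no') . "\n";
echo "edited link valid: " . ($still_ok ? 'yes' : 'no') . "\n";
```

Run as written, the untouched link verifies and the edited one does not. Note what the scheme does and does not give you: it detects modification of the parameters, but the values remain readable in the address bar, so anything confidential still belongs in the session rather than in the URL, and the receiving script should still validate the values after the signature check passes.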
