I have set things up so my code reads the text of each page and automatically generates a table of contents and list of footnotes from it. I put footnote text into the page text in the place that it refers to. When the code reads the page file, it constructs a table of contents from the headers and puts that at the beginning of the page. It also removes the text of the footnotes and puts them in a list that it puts at the end of the page. It also manages numbering of the footnotes and placement of linked, superscripted footnote numbers for them.
To do this, instead of echo()ing page content, I compile the content into a variable, $PageText. I then have functions that read that variable, remove the footnote text, compile the table of contents and list of footnotes, and insert those into $PageText. I then echo($PageText);.
It seems that what I'm doing here is a homemade form of buffering, and that I could accomplish the same thing by something like
ob_start();
echo(<page contents>);
$PageText = ob_get_contents();
make_ToC($PageText);
make_footnotes($PageText);
ob_end_flush();
Would that be more efficient that using my own buffer variable? Or is there any other reason that it would better to use the built-in buffering system?
The reason I prefer to use my own buffer is that I have complete control of it. I don't really know what PHP might decide to do with content between the time that I echo() it and the time that I flush it.
A similar question was asked five years ago, Output buffering vs. storing content into variable in PHP. It's interesting that the answers seem to say that I would have better control of the contents by using the "ob_" system, whereas I feel like I have better control by using my own variable. Is there something I don't understand about that?
Output buffering is a technique to put already generated output on hold and has a number of usages:
Make better use of network transmissions (e.g. avoid sending almost empty HTTP packages)
Apply transparent transformations (e.g. minify generated HTML or rewrite URLs)
Being able to cancel the output altogether (e.g. in case of error)
Capture the output of functions that print to stdout (e.g. var_dump())
In my experience, functions that print to stdout tend to be an annoyance, esp. if the only apparent reason to do so is not having to prepend echo, because they get in the way of your application design. You don't always want to send their output as-is and you don't always want to print the output in the exact spot of the response flow where the function call happens.
What you describe is basically the standard text manipulation you can expect in any program. While you can certainly emulate it with output buffering, and as opinionated as it can get, I think it feels like a hack. In your case, you aren't even doing linear output. There's no obvious benefit of printing to stdout at once, given that you still need to manipulate the output because it isn't ready yet.
Related
Working mainly in WordPress contexts, I have mostly done without output buffering in my PHP code, but I have recently begun to experiment with it and try to discern simply as a user whether there was any noticeable performance impact in typical (for me) scenarios. Can't say I've achieved anything definitive there, but I don't know that my experiments really apply to scaled-up situations.
My general impression is that, unless I have a very good reason for using it - probably involving the kind of script in which I'm not generally interested at this time - I should avoid it. Yet I'll read suggestions that I could use buffering in one or another normal context (e.g., a shortcode that renders a large block of HTML), and I often see it being used in code by people whose work I admire and try to emulate. I've seen the familiar ob_start() etc. sequences applied for rendering even very minimal output that is not further adjusted: a menu or other short list, for example.
I have also seen people assert that there is simply no need for output buffering in well-written code, except in peculiar situations. See StackOverflow Q&A's here Why use output buffering in PHP?, to give one example. Others will say it's useful ONLY when some manipulation of the output is necessary - like a preg_replace of content - but you don't need an output buffer to do that kind of thing (any ol' variable will do).
In most real world instances of the sort I encounter, some version of page caching will also be in use, and sometimes several different plug-ins each with its own caching. Considering how many functions will themselves employ numerous nested/secondary HTML-producing functions, you could easily produce thousands of little nested buffered blocks per page: Suppose a foreach loop produces n number of blog-comments within a larger page: Each blog-comment is rendered by a function, and could be buffered separately. The each-comment function could be called within the foreach loop of the function that outputs the comment thread, and its output could also be buffered. Then the function that outputs the post that includes the comment thread could be output-buffered before being rendered. The entire page, including sundry independently output-buffered templates, plug-ins, widgets, menus, etc., etc., could also be output-buffered.
At what point would any of it be useful or, alternatively, completely counterproductive?
If the answer involves any element of "well, you wouldn't notice in your blog, but you'd need it for BuzzFeed or the New York Times," or the reverse, how would I estimate when the point has been reached?
At this point, I'm leaning toward writing the code as cleanly as possible, and letting (what I understand to be) built-in PHP, browser, server, etc., buffering and explicit caching functions do the work of making the page or its elements load efficiently and quickly, which is the real objective, no?
When using template engines, the code is typically output just once — after the whole page code has been generated. So output buffering is generally unneeded for such case.
The only situation when output buffering is really inevitable is capturing output of functions like var_dump() or phpinfo() without sending it to browser. Also, this can be useful for some third-party libraries that use echo without providing ability to get the result directly as a string.
I'll post this as an answer to my own question, though not under the assumption that there are no better ones, as I have run across a circumstance that might even qualify as a common for a certain type of plug-in, including a type that I am, in fact, quite interested in. The answer applies mainly to WordPress and to making plug-ins extensible.
In brief, in order to provide a filter - using the common WordPress "apply_filters" function - you will frequently need to be able to capture the entirety of your HTML output at once. When creating a large, complex block with mixed HTML and secondary functions, using an ob_start()/ob_get_[] sequence will be markedly more efficient way of achieving this end.
So: A plugin on which I'm currently working outputs a table whose elements are put together using a number of secondary functions. Now, I could conceivable do the entire thing adding content to a single variable, but it's much easier and more economical to initiate output buffering at the beginning, and then write the code without the extra layer of abstraction of $html .= [more and more HTML and PHP] In the end, the code assigns the entire output to a variable - $html = ob_get_clean(); and then returns the variable with the apply_filters function: return apply_filters( 'filter-tag' , $html ); Additionally, ob_start() and ob_get_clean() mark points in the code where it makes sense to provide do_action hooks.
Say you have a big PHP web application doing echoing, output buffering, etc, all over the place. The end result is a finished HTML/XML document to the browser.
Now say you find yourself in a small function in a random place in a big PHP web application. Is there a simple way to output something, for example an HTML comment, in a way so that it is sent as the last thing to the browser?
Something like a hook for "when everything is finished send this piece of info as well to the browser"?
The end goal is basically to output some warnings or debug info in an easy way, without messing up the output.
There's register_shutdown_function(), which would essentially be the very last thing executed by PHP before terminating your script.
I am creating some kind of custom CMS (home automation).
Well I am not a PHP developer - just hobbyist.
What I am trying to achieve is:
In my index.php page I have something like:
"<?php echo $pageBody; ?> "
PageBody I am fetching from Database, well it works well for HTML, JS. But it doesn't work with PHP code source.
I done some research I believe this is related to PHP security restrictions.
My question: Does anybody would be able to provide safe sample (cannot find any samples like this) - how I should do this.
I am trying to insert some php code and render it eventually via browser:
<div id="outer">
<div id="inner">
***PHP Code should go here***
</div>
</div>
At the minute - it is being rendered as text. However I can render properly HTML and JS.
My preferable way would be - as much as possible secure.
Many Thanks Guys!
When you retrieve PHP code from a database text field, the PHP interpreter does not "know" that it should parse the data as a PHP script. To the PHP interpreter, the data in that field is no different from any other data -- it is all strings without any special significance.
You could use eval (docs) to accomplish this if you're dealing with pure PHP scripts. Be forewarned: eval is considered "evil" because using it comes with risks, especially if your users will have any input as to the content of the database.
In your case, it sounds like you want to parse mixed PHP and HTML that is stored in a database field. In order to do this, you'd need to write the database data into a file, then include it so the PHP interpreter can do its thing. You should implement some kind of caching mechanism in this process, otherwise it might become heavy on your server with many users. You may also want to use output buffering (docs) to capture the output instead of immediately sending it out.
Briefly, you'd want to do something like this:
$content_from_db = "<h1>Hello <?php print 'Clarisse'; ?></h1>";
$identifier_from_db = '12'; // like the primary key from the table
$file_handle = fopen('cached_content/CACHE_'.$identifier_from_db.'.php', 'w');
fwrite($file_handle, $content_from_db);
fclose($file_handle);
// here is where you'd start output buffering, if you're going to do that (optional)
include('cached_content/CACHE_'.$identifier_from_db.'.php');
// and then here you retrieve the output buffer's content (optional)
Please note that this is not a "traditional" way of including dynamic content, and the above code is not production-ready. Without knowing your use case, I can't say for certain, but this idea of storing PHP code in the database is a rather unusual way to proceed.
Another alternative to rolling your own is the smarty template library. Check it out here: http://www.smarty.net. With smarty, you can write a resource plugin to pull the templates from the database. It would look something like the code above (more info)
Documentation
fwrite - http://php.net/manual/en/function.fwrite.php
include - http://php.net/manual/en/function.include.php
PHP basics on theopensourcery.com - http://theopensourcery.com/phpbasics.htm
Server-side scripting on Wikipedia - http://en.wikipedia.org/wiki/Server-side_scripting
eval - http://php.net/manual/en/function.eval.php
Output Control (buffering) - http://php.net/manual/en/book.outcontrol.php
Smarty - http://www.smarty.net
to execute PHP that you store in a string (or database) you can use the eval function, but be careful it could be somewhat dangerous.
You can't render (probably you mean execute) php code in the browser, because php scripts execute on the server and then the output is sent to the browser. By the time the browser recieve the response, script has already finished execution.
You can fetch the code from database and use eval() before sending the output. But you must be aware of drawbacks from this approach.
Browser cannot render (execute) PHP code. PHP is something that the server executes and sends to the browser as plain HTML to display.
For testing purposes you can download and install WAMP thats the most hassle free one stop solution for development.
link : http://www.wampserver.com/en/
I have lots of files that may or not have php tags (<?php... ?>) inside it.
first off, i need to check if the php tags exist in those files. no problem here. i use fopen, save the content to a variable, and strpos to do this.
next, if it has php tags, i save that to a temporary file and then use ob_start() include, and ob_get_clean() to save the output to a variable for further processing.
is there an alternative to doing this method? perhaps a more simpler one, like not having to save that to a temporary file but instead process it from the variable?
another alternative i have in mind is use fopen and strpos to check if the tags is present in the file and then use ob_start(), include (the original file), and ob_get_clean() to save the output to a variable for further processing.
any comments?
i would appreciate any response and/or comments.
btw, in case you might ask, i am working on a backend that accepts input from users that may or may not include php tags.
You question doesn't really mention what you're actually doing, so I'm assuming you're doing the incredibly dangerous "parse out code in <?php ?> blocks so that it can be run". Short answer: don't do this.
Okay I guess that's not an answer, more of a statement. But here's why: even if your users are all trusted users and they're all in your personal circle of friends and they're all experts, you only need one slipup to screw up the entire system. An accidental unlink()? too bad, now you're all screwed. And no, "we don't have to worry about that, everyone's cool" is not a good retort. Someone, at some point, is going to screw up, and the longer that takes, the more you stand to lose =)
With that said, it depends what you want to do. If you want to run it all in place, then just save the input to a temp file, include() that file, and then unlink() it again. The entire thing will execute in scope, and it will have been treated as if it was a normal PHP file on your system.
warning THIS IS INCREDIBLY DANGEROUS, NEVER DO THIS ON A NON-SANDBOXED, PUBLIC SERVER, EVEN IF IT'S ON AN INTRANET. THIS APPROACH IS LITERALLY A FULL ANONYMOUS REMOTE ACCESS SOLUTION warning
If you want to strip out the code and non-code to deal with them separately, as if they have nothing to do with each other, a simple non-greedy preg_match_all to find the code blocks, then doing an str_replace to kill them off in the original submitted content will give you an array of code blocks, and an input string with those blocks removed. Job done (although I'm not sure why you wouldn't use separate submission processes for the content and code in that case, since they'll be independent of each other).
This is the simplest way of doing it I can think of:
<?php
function fileHasPHPTags($fileName) {
return strpos(file_get_contents($fileName),"<?php")!==false;
}
?>
I have searched and found another with quite close question but the result was YUI Compressor and I didn't find that useful.
I use php to obfuscate my JavaScript code but it is not enough. I need a php script that I can run and then rename all functions and variables to random names (only letters) and ofcause before I obfuscate.
I have seen a few but they are either standalone programs like Java or something you need to pay for, and I can't use that.
Does anyone know a class or code snippet that might be able to do that?
And if the YUI Compressor actually can do that, can anyone point out some help to how I implement it into php?
After writing this long-winded response I began to wonder why you need to obfuscate javascript code in the first place? Javascript code is by nature public and anyone looking at your page can see the result. If you have secret/proprietary things you need to do, look into something like AJAX or otherwise making a callback to your server to do the processing and have it spit out the results for javascript. Any processing you do in javascript will be visible by anyone. Obfuscating just makes debugging harder, and isn't guaranteed to keep someone from cracking the code.
In general use javascript to control presentation, parse results from a server call into the document, and validate user input. Anything secret you want done, do on the server side where they can't see the exact code that is going on.
And with that off my chest here is my response if you still want to go the renaming route:
I haven't taken the time to Google what a YUI compressor is yet, but what you're describing sounds like you would need to parse any javascript and from there go about renaming functions and variables. I see a few issues
If/when your javascript uses built-in variable names like document or window and like-wise built-in functions like .getElementById(). Those you can't touch or the script can't do what it was meant to do.
Javascripts are executed in the context of the browser and might use functions/variables from other javascript files ex an HTML like
<script type="text/javascript" src="a.js"></script>
<script type="text/javascript" src="b.js"></script>
Since b.js was included after a.js, b.js can refer to and use any functions or variables in a.js thus if you scramble the names you will have to make sure any references made in b.js are updated to your new names appropriately.
Depending on how often you are wanting to do this renaming you have a trade off of having the code being cracked easier vs completely trashing the browser cache
Modify the names just once and keep the results - then browsers will cache the responses correctly and your site should work pretty well, however since the names are consistant between calls it will be easier for someone to crack the renaming. Though for this solution you don't necessarily need PHP, just any language or script and run it once
Modify the names per session - probably the best solution and middle of the road though it would require you to keep extra memory associated with each session as to the name changes so any requests for new java script files from the same session get renamed as they should (most modern browsers and server settings will allow for caching of the same named javascript file so as described in point 2 if any functions/variables in a.js are used by another javascript file they will have to be updated accordingly
Modify javascript files per request - this may require you to disable caching of your javascript files as every request for a page will require downloading a new javascript file(s) even if the user reloads the same page. This will lower page loading performance considerably (you have to rename all the functions again and generate a new javascript file, that is then downloaded by the browser and parsed by it) and also increase bandwidth consumption, however no two scripts for a page will be alike.
Overall this doesn't seem like a 1 man (or even 2 or 3 man) project that you want to undertake (unless you have a lot of time on your hands, but then things will have changed), there could be something like this out there already or something close which you could fork off of and modify to your needs. Essentially I think what you are wanting to do would be more work than its worth.
I'm not sure why you want to do this, but it seems like a pretty easy task to do manually.
All you need is to write a function that generates random strings, and in you PHP define variables for all JavaScript functions that you have and have those get assigned random strings. Then just substitute them when you print out your code for the actual JavaScript methods. The only caveat is you need to double check that your random strings aren't ever duplicates. If you can't use numbers (as per your question) then use letters and increment them appending to the back of your random string. So in pseudo code...
$var1 = generateRandomString(); //custom method to create random string and append unique letter at end to guarantee no duplicates.
$function1 = generateRandomString();
and in javascript...
//variable assignment
<?php echo "$var1='foo'"; ?>;
//function definition
function <?php echo "$function1" ; ?>( myArg ){
alert(myArg); //this will alert 'foo'
}
//calling the function
<?php echo "$function1($var1)" ; ?>
etc.