I am working with levels of security with my app and i have written a function that simply checks - depending on it's session user id what kind of priviligies he/she has. It works fine but in some pages i want to output some information if the user is superuser, and forbid to output information if user is a guest.
I do it with such a syntax:
1. <? if admin('superuser', $_SESSION['user_id']) { ?>
2. <div></div>
3. <? } ?>
It works good but it's not elegant, and in case long code between curling brackets it messess with purity of my code.
Is there a way to "alias" a line 1 and 3 to some kind of shortcut, ie
1. <? admin_superuser ?>
2. <div></div>
3. <? admin_super_user_end ?>
Maybe you have some other ideas to perform such levels of security?
The idea came from ob_start() and ob_end() commands.
I am waiting for your ideas.
Kalreg.
you could simply set a bool at the beginning of the page:
$isSuperUser = admin('superuser', $_SESSION['user_id']);
Then, just do
<? if ($isSuperUser) { ?>
<div></div>
<? } ?>
If you don't like the $, you could define a constant:
define("SUPERUSER", admin('superuser', $_SESSION['user_id']));
Then, just do
<? if (SUPERUSER) { ?>
<div></div>
<? } ?>
Good thing about a constant is that it is global, and if using in a function, you wouldn't have to declare it global first, or pass it as an argument.
I would go with something like this. I think this totally acceptable.
To simplify it you just need a wrapper for your user.
<?php if ($user->isAdmin()): ?>
<div></div>
<?php endif; ?>
you can include another php file that contains the corresponding html / php code with the "include" function. i also recommend to use <?php instead of just <? due short open tag issues with xml and ini settings.
Related
Rookie here, so please correct me if I have anything wrong.
So here's a snippet of my HTML:
<html><body>
<h2>Home Page</h2>
Welcome back <?= $fgmembersite->UserFullName(); ?>!
</body></html>
The function, $fgmembersite->UserFullName(), returns a string (100%, if I call the function within tags it prints out correctly). How do I get it to echo out in the HTML?
I think an alternative would be to echo the entire HTML code, and I think it'd work then, but I don't want to do it that way because I read somewhere that echoing all of your HTML is bad. Could somebody also confirm/deny that?
Right now, this is what shows on the site:
Welcome back UserFullName(); ?>!
No idea why
Thanks for your time!
I think you want the code to look like this...
Welcome back <?php echo $fgmembersite->UserFullName(); ?>!
This will ECHO the result of the function call.
What you are seeing is the result of the browser trying to parse the PHP. It is trying to treat <?= $fgmembersite-> as an unknown tag and then renders the rest as text.
There are two possible reasons for this:
You need to pass it through a PHP engine first.
You need to access the file through a web server which supports PHP and is configured to run your file through PHP when it is requested (typically this is done by using a .php file extension).
Note that installing a web server then double clicking a PHP file in your file manager isn't sufficient - the browser will just load the file from the file system. You need to type http://etc etc.
It is also possible that you have short_open_tag disabled (which is common and sensible) and are using PHP 5.3 or older (which isn't a great idea, 5.3 is still supported but it is the oldest branch that is).
If this is the case, your options are:
Upgrade PHP
Use <?php echo ... ?> instead of <?= ... ?>
Enable short_open_tag
Can't you just do
<?php echo $fgmembersite->UserFullName(); ?>
?
use it as follows:
<html><body>
<h2>Home Page</h2>
Welcome back <?php echo $fgmembersite->UserFullName(); ?>!
</body></html>
Do you have short_open_tag enabled on your server? You need to have that enabled to use that syntax. If you don't have that, use <?php echo $fgmembersite->UserFullName(); ?> like the other users suggested.
You can check the setting on you server by creating a file containing <?php phpinfo(); in it, and accessing that.
Also, echoing all your HTML inside the <?php tags are considered a bad practice because you should separate your business logic and your HTML. Echoing HTML directly from inside the PHP tags quickly leads to a mix of HTML and PHP, and it will be harder to read (for others, and yourself later on)
i am a bit confused when i use conditional statements like
<?php
if(isset($_POST['somevalue'])){
?>
<h1> this is out side php mode now </h1>
<?php
}else {
?>
<h1> again its out php mode </h1>
<?php
}
?>
but yet it still works i mean if $_POST['somevalue'] is set then it outputs "this is out side php mode now" if not it outputs "again its out php mode" my question is if i am outside php mode how does it work then?
I think your question is "how PHP works".as we know php is a server side language.it executes in the server but the scope of the html code will be inside the if loop.so
<?php
if(isset($_POST['somevalue'])){
?>
will be evaluated in server and not in the html part and that will be either true or false.
so after the execution in server your code in front end i.e. in the html part will be like this
<?php
if(1){
?>
<h1> this is out side php mode now </h1>
//as above code is markup language so it will be interpreted by the browser
<?php
}else {
?>
<h1> again its out php mode </h1>
<?php
}
?>
NOTE: the delimiters is for the server to know that the code inside the tag is php code and it will execute it accordingly.
Although you have closed off the executable section of the PHP code, the surrounding if statement and the curly braces will actually have a higher priority as to what is executed and what isn't.
<?php
if
{
// This is considered inside the statement
// and will only be sent if the execution
// makes it inside the statement.
?>
...
<?php
}
else
{
}
?>
// Anything here is simply sent to the browser
// as it will always executed.
<?php
// more code etc
?>
Anything inside the IF statement is considered part of the IF - even if it contains close/open PHP tags.
Basically the PHP control structure overrides open/close tags. This means any sort of if, switch, function etc etc has a higher priority than open close tags.
That's one thing I love about php.
Initially, the main reason is as #Fluffeh mentioned that you are still within the "if" statement.
One way I could put it is that, PHP allows to be embeded in side HTML code. As long as the file has a .php extention then (someone correct me if I'm wrong) Apache knows to use the PHP processor to process that file. It will process the php coding and display the HTML sections in it as well.
Your question is some what similar to
<?php
$name = "Tom";
?>
<h1>Hello <?php echo $name;?>!</h1>
The result will come out as Hello Tom!
it is the same idea as it is inside the php.. satisfy each of the condition and it will run its corresponding statement..
this is one of the best features of php, which allow us to use native html codes rather than putting it inside echo.
A PHP file is processed as plain text/html until it reaches a <?php tag when it executes the php code. When it reaches the closing ?> it processes it as plain text again.
This is exactly the same, but with echo and quote marks around the html you want to print. If you're having trouble reading the code I suggest indenting as needed.
<?php
if(isset($_POST['somevalue'])){
echo "<h1> this is out side php mode now </h1>";
}else {
echo "<h1> again its out php mode </h1>";
}
?>
The way you posted it.
<?php
if(isset($_POST['somevalue'])){
?><h1> this is out side php mode now </h1><?php
}else{
?><h1> again its out php mode </h1><?php
}
?>
Is it possible (in PHP) to call a function that triggers some capturing process so all HTML output after that function is captured up until an ending function? For example, some profiling applications do very similar procedures to this, and with functions such as ob_start(), it seems logical to me.
Example of concept:
<?php beginSection("hello"); ?>
<b>Hi there!</b>
<?php endSecton("hello"); ?>
<!-- Section "hello" now contains "<b>Hi there!</b>" -->
The way output buffering works does not allow you do this in a named fashion - ob_start and its friends stack on eachother, and unwind in order. You could implement it like this:
<?php ob_start(); ?>
<b>Hi there!</b>
<?php $sections['hello'] = ob_end_clean(); ?>
This would answer your question.
I often use HTML template for my application and within the template content there are place holder which I marked as <?php echo $myVar; ?>
Is there a shorter syntax for that? I tried <?php=$myVar?> but didn't work :D
Please give a hint if you know some way. Thank you!
<body>
<?php $myVar = 122; ?>
abb
<div>
<?php echo $myVar; ?>
</div>
<div>
<?php=$myVar?>
</div>
ccc
</body>
<?=$myvar ?>
short_open_tag should be On.
You can use short tags if enabled.
<?= $var; ?>
This is the same as doing this:
<?php echo $var; ?>
To set this up you can find info here, however it's not recommended you use this method.
http://php.net/manual/en/ini.core.php
If ASP tags are enabled you can also do things like this:
<%=$var; %>
<% echo $var; $>
The shorter version is <?=$myVar;?>, but please DON'T do this! :(
Quoting from the comment, in case anyone misses it.
because:
This will not allow much flexibility in moving the servers, i.e. you must control the server or be allowed to change the ini
directives [to turn on short_open_tag], otherwise you are doomed.
It might be deprecated in the future.
Readability is not a trade for functionality. Period.
it is
<?=$myVar; ?>
short tag should be enabled with PHP
If you are going to use inline xml with PHP do not enable short tags.
As documented here
If you want to use PHP in combination with XML, you can disable this
option in order to use inline. Otherwise, you can print it
with PHP, for example: '; ?>. Also,
if disabled, you must use the long form of the PHP open tag ().
You could use double quote echo like this:
<?php
$myVar = 122;
echo "
<body>
abb
<div>
whatever and $myVar displayed here
</div>
<div>
The content is: $myOtherVar
</div>
sometext
</body>
";
?>
But consider using your template with OOP. It would be even cleaner:
Template::header();//Echoes your template header
Template::content($myContentText,$myWhateverVar);//Echoes your template filled with your vars
HTH,
caffein
I've been working on a small page in PHP, one that doesn't need the power of a full-fledged framework behind it. One thing that I'm really missing from previous work in Ruby-on-Rails is the ability to effectively pass content up the page using "content_for".
What I was wondering is, how could you create a page lifecycle that would accomplish this same effect in PHP?
So, here's a simple example:
Let's say you have a template that defines an index page, just a recurring header and menu you want to use on all your pages. So your index.php file looks basically like this:
...header stuff...
<body>
<?php include $file.'.php'; ?>
</body>
...footer stuff...
EDIT: Thanks for the tips on URL security, but let's just assume I'm getting the user request safely :)
Now, lets say in the header you want to put this:
<head>
<title><?php echo $page_title; ?></title>
</head>
It would be nice to be able to specify the title in the included file, so at the url http://example.com/index.php?p=test you're loading test.php, and that file looks like this:
<?php $page_title = 'Test Page'; ?>
... rest of content ...
Now, obviously this doesn't work, because the including page (index.php) is loaded before the variable is set.
In Rails this is where you could pass stuff 'up the page' using the content_for function.
My question is this: What would be the simplest, leanest way that you all can think of to effect this kind of 'content_for' functionality in PHP?
Ideally I'd like suggestions that don't involve strapping on some big framework, but some relatively light boilerplate code that could be used in a lot of different applications.
Never do include $_GET['p']. This opens a huge security hole in your site, as include accepts filenames and URLs, so anybody would be able to read any file on your site and also execute any code on your server. You may want to check and sanitize the value first.
If you need something simple, you may put header and footer in separate files, execute your test.php which would set the variables, capture its output using output buffering, then include the header, output the middle part and include the footer. Example:
<?php ob_start(); ?>
<body>
<?php include $filename.'.php'; ?>
</body>
<?php $content = ob_get_clean();
include 'header.php';
echo $content;
include 'footer.php';
?>
If I understand you correctly (I have not used RoR extensively), you could put your data in a variable or a function. If your content was in a variable, your "test.php" could simply hold all your variables and you could load it at the very beginning of your index file (likewise for a function depending on how complicated your needs are; if you're doing a lot of extra work, you may need to use a function as a variable won't work).
For example, your test.php would look something like this:
<?php
$page_title = "Test Page";
$page_content = "Some sort of content";
// Or
function page_content()
{
// Run some functions and print content at the end
}
?>
Then, in your index.php
<?php include $_GET['p'].'.php'; ?>
...header stuff...
<title><?php print $page_title; ?></title>
<body>
<?php print $page_content; ?>
<!-- OR if function -->
<?php page_content(); ?>
</body>
...footer stuff...
This way everything should load properly. You could also split things up, but that would complicate your structure (especially if there is no need for an elaborate framework, this would be unnecessary).
Good luck!
Dennis M.
Are you worried about XSS? Or are you going to filter/whitelist the "filenames" from the query string?
My answer would be to use mod_rewrite -- if you're using PHP, you're likely using Apache!
You could filter out files with a RewriteCond and your RewriteRule could be:
RewriteRule /index.php?p=(.*)$ $1 [L,QSA]
This may be a different approach than the PHP functionality you were looking for, but it comes to mind...