002PHP_ Escaping From HTML - Manual

  • 7/28/2019 002PHP_ Escaping From HTML - Manual

    Last updated: Fri, 20 Apr 2012

    Escaping from HTML

    Everything outside of a pair of opening and closing tags is ignored by the PHP parser, which allows PHP files to have mixed content. This allows PHP to be embedded in HTML documents, for example to create templates.

    This is going to be ignored by PHP and displayed by the browser.

    This will also be ignored by PHP and displayed by the browser.

    This works as expected, because when the PHP interpreter hits the ?> closing tag, it simply starts outputting whatever it finds (except for an immediately following newline - see instruction separation) until it hits another opening tag, unless it is in the middle of a conditional statement, in which case the interpreter determines the outcome of the conditional before deciding what to skip over. See the next example.

    Using structures with conditions

    Example #1 Advanced escaping using conditions

    This will show if the expression is true.

    Otherwise this will show.

    In this example PHP will skip the blocks where the condition is not met, even though they are outside of the PHP open/close tags: the PHP interpreter jumps over blocks contained within a condition that is not met.

    For outputting large blocks of text, dropping out of PHP parsing mode is generally more efficient than sending all of the text through echo or print.

    There are four different pairs of opening and closing tags which can be used in PHP. Two of those, and , are always available. The other two are short tags and ASP style tags, and can be turned on and off from the php.ini configuration file. As such, while some people find short tags and ASP style tags convenient, they are less portable, and generally not recommended.

    Note:

    Also note that if you are embedding PHP within XML or XHTML you will need to use the tags to remain compliant with standards.

    Example #2 PHP Opening and Closing Tags

    PHP: Escaping from HTML - Manual http://www.php.net/manual/en/language.basic-syntax.phpmode.php

    1.

    2.

    echo 'some editors (like FrontPage) don\'t

    like processing instructions';

    3. This is a shortcut for ""

    4.

    While the tags seen in examples one and two are both always available, example one is the most commonly used, and recommended, of the two.

    Short tags (example three) are only available when they are enabled via the short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option.

    ASP style tags (example four) are only available when they are enabled via the asp_tags php.ini configuration file directive.

    Note:

    Using short tags should be avoided when developing applications or libraries that are meant for redistribution, or deployment on PHP servers which are not under your control, because short tags may not be supported on the target server. For portable, redistributable code, be sure not to use short tags.

    Note:

    In PHP 5.2 and earlier, the parser does not allow the

    User Contributed Notes Escaping from HTML

    mike at clove dot com 30-Nov-2010 10:30

    It's possible to write code to create php escapes which can be processed later by substituting \x3f for '?' - as in echo "";

    This is useful for creating a template parser which later is rendered by PHP.

    quickfur at quickfur dot ath dot cx 26-Jul-2010 02:40

    When the documentation says that the PHP parser ignores everything outside the tags, it means literally EVERYTHING. Including things you normally wouldn't consider "valid", such as the following:

    >This is a paragraph.

    Notice how the PHP code is embedded in the middle of an HTML opening tag. The PHP parser doesn't care that it's in the middle of an opening tag, and doesn't require that it be closed. It also doesn't care that after the closing ?> tag is the end of the HTML opening tag. So, if $highlight is true, then the output will be:

    This is a paragraph.

    Otherwise, it will be:

    This is a paragraph.

    Using this method, you can have HTML tags with optional attributes, depending on some PHP condition. Extremely flexible and useful!
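
An added example, not part of the manual or of the note above: the conditional blocks from the main text and the optional-attribute trick in one template, with every dynamic value encoded before it reaches the HTML. The function names, the sample values and the choice of htmlspecialchars() are assumptions made for this example.

```php
<?php
// Added example. e(), renderGreeting() and all sample values are constructed.

// Encode a value for HTML text and for quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render a paragraph whose class attribute and body depend on conditions.
// Blocks outside the PHP tags are skipped when their condition is not met.
function renderGreeting(?string $user, bool $highlight, string $cssClass): string
{
    ob_start(); // capture the inline HTML instead of sending it directly
?>
<p<?php if ($highlight): ?> class="<?php echo e($cssClass); ?>"<?php endif; ?>>
<?php if ($user !== null): ?>
  Signed in as <?php echo e($user); ?>.
<?php else: ?>
  Not signed in.
<?php endif; ?>
</p>
<?php
    return ob_get_clean();
}

// Constructed inputs: markup characters in the name, a quote in the class.
echo renderGreeting('A & B <Ltd>', true, 'hl" data-x="1');
echo renderGreeting(null, false, 'hl');
```

The quote in the constructed class value comes out as `&quot;`, so it cannot close the attribute that the conditional block opened.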

    snor_007 at hotmail dot com 01-Apr-2010 04:28

    Playing around with different open and close tags I discovered you can actually mix different style open/close tags

    some examples

    or

    //php code here

    %>

    ravenswd at gmail dot com 01-Aug-2009 05:08

    One aspect of PHP that you need to be careful of, is that ?> will drop you out of PHP code and into HTML even if it appears inside a // comment. (This does not apply to /* */ comments.) This can lead to unexpected results. For example, take this line:

    If you try to remove it by turning it into a comment, you get this:

    Which results in ' . "\n"; (and whatever is in the lines following it) to be output to your HTML page.

    The cure is to either comment it out using /* */ tags, or re-write the line as:
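
An added example, not part of the note above or of the PHP manual: a small tokenizer-based check that reports one-line comments cut short by ?>, run over three constructed sources (the commented-out line, the /* */ form and the split-string rewrite). The function name and the sample lines are assumptions; the check is a heuristic and also reports deliberate one-line comments that are followed by ?> and more text.

```php
<?php
// Added example: lint for one-line comments that a closing tag cuts short.
// The sample sources below are constructed for illustration.

function findCommentsCutByCloseTag(string $source): array
{
    $tokens = token_get_all($source);
    $hits = [];
    for ($i = 0; $i + 2 < count($tokens); $i++) {
        $comment = $tokens[$i];
        $close   = $tokens[$i + 1];
        $html    = $tokens[$i + 2];
        if (!is_array($comment) || !is_array($close) || !is_array($html)) {
            continue; // single-character tokens are plain strings
        }
        $oneLine = $comment[0] === T_COMMENT
            && (strncmp($comment[1], '//', 2) === 0 || $comment[1][0] === '#');
        // A close tag swallows a directly following newline; if it did not,
        // the rest of the physical line is emitted as inline HTML.
        $sameLine = $close[0] === T_CLOSE_TAG && substr($close[1], -1) !== "\n";
        if (!$oneLine || !$sameLine || $html[0] !== T_INLINE_HTML) {
            continue;
        }
        $leaked = explode("\n", $html[1], 2)[0];
        if (trim($leaked) !== '') {
            $hits[] = ['line' => $close[2], 'leaked' => $leaked];
        }
    }
    return $hits;
}

$samples['line comment'] = <<<'SRC'
<?php
// $file_contents = '<?php die(); ?>' . "\n";
echo "done";
SRC;
$samples['block comment'] = <<<'SRC'
<?php
/* $file_contents = '<?php die(); ?>' . "\n"; */
echo "done";
SRC;
$samples['split string'] = <<<'SRC'
<?php
// $file_contents = '<' . '?php die(); ?' . '>' . "\n";
echo "done";
SRC;
foreach ($samples as $name => $src) {
    printf("%-13s %s\n", $name, json_encode(findCommentsCutByCloseTag($src)));
}
```

Only the first source is reported: everything after its ?> (the rest of that line and the echo statement below it) would be sent to the client as text instead of being executed.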

    eksith at live dot com 01-Jul-2009 11:56

    Even if it's pretty simple to insert echo lines to your PHP, I would strongly advise against it.

    The safest way to output HTML content which may have special characters is to remove the HTML from your core code.

    Put them in heredocs instead.

    See the heredoc documentation and comments for more examples.

    If you can remove as much of the HTML as you can from the rest of the PHP code (in terms of printf and echo lines), please do.

    Try to keep your core logic and presentation separate.

    ... The rest of your HTML...

    And a PHP {$variable} here and an array {$arr['value']} there.

    HTML; // End of heredoc

    // Print this HTML

    echo $html

    ?>

    Richard Neill 03-Apr-2009 07:26

    WARNING: there is a potentially *nasty* gotcha here. Consider the following:

    First line

    Second line

    If the comment is immediately followed by newline (and most editors will trim spaces at the ends of lines anyway), then you will NOT get what you expect.

    Expect:

    First line

    Second Line

    Actually get:

    First line Second line

    Now, if you are relying on that newline, for example to terminate a line of Javascript, where the trailing semicolon is optional, watch out!

    david dot jarry at gmail dot com 26-Mar-2009 03:40

    Short tags and ASP tags are unportable and should be avoided.

    tags are a waste of time and simply inefficient in some simple cases:

    (...) VERY long text (...)

    To render this example in a basic XHTML editor, you need to "echo()" all the content or break the XML rules.

    The solution seems obvious to me: why not add the shortcut "" to be used within XML and XHTML documents?

    phpcoder at cyberpimp dot awmail dot org 09-Jan-2009 11:14

    Some graphical HTML editors (and most web browsers) don't explicitly recognize the tags. When opening a PHP file with a graphical HTML editor to design the page layout, chunks of PHP code can appear as literal text if the PHP code contains a greater-than symbol (>).

    Example:

    Unsafe-embedding

    When executed, it should display this:

    Unsafe-PHP-embedding

    However, when opened with an HTML editor, the on-screen result might look like this:

    Unsafe-3) { echo "PHP-"; } ?>embedding

    ...and further, the PHP code after the greater-than operator (>) is at risk of being corrupted by the HTML editor's text formatting algorithms.

    PHP code with greater-than symbols can be safely embedded into HTML by surrounding it with a pair of HTML-style comment delimiters + fake HTML end & start tags, as PHP-style comments.

    Example:

    Safe-embedding

    When executed, it should display this:

    Safe-PHP-embedding

    And when opened with an HTML editor (or even opened directly with a web browser), it should display this:

    Safe-embedding

    An HTML editor will see the surrounded PHP code as an HTML comment, and (hopefully) leave it as-is.

    Finally, any PHP code with a hard-coded string containing the HTML end-of-comment delimiter (-->) should be reconstructed to be syntactically identical, while avoiding the literal "-->" sequence in the PHP code.

    For example, this:

    ...can safely be changed to any of these:

    /*-->

    admin at furutsuzeru dot net 02-Jan-2009 08:50

    These methods are just messy. Short-opening tags and ASP-styled tags are not always enabled on servers. The alternative is just out there. You should just use the traditional tag opening:

    Coding islands, for example:

    is happy.

    is happier.

    Lead to something along the lines of messy code. Writing your application like this can just prove to be more of an inconvenience when it comes to maintenance.

    If you have to deal with chunks of HTML, then consider having a templating system do the job for you. It is a poor idea to rely on the coding islands method as a template system in any way, and for reasons listed above.

    Copyright 2001-2012 The PHP Group. All rights reserved.
