CODEWITHSUNDEEP
php
ThomasH
ThomasH

Reputation: 13

Using php-code in html... in php

Imagine you have a mysql db storing articles.

The html is stored like so: 

<h1>I'm just foo</h1>
<p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.</p>
<p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.</p>

...

And displayed using a mysql_query and running through the results.

But here's the rub: Every now and then you might want to use a predefined function, for instance to insert a map in the html. How does the user input that, in the html? I can't very well just input:

<?php insertMap() ?>

as that would render as php-tags with php-tags inside.

I've seen different CMSes handling it differently. For instance using {{{insertMap}}} to call a function. But then, how do I run through the code, looking for {{{}}} and running it as a function?

Google and I have a feeling eval() is part of the solution (although a security risk?), but any suggestions, pointers etc. are most welcome!

Upvotes: 1

Views: 542

Answers (2)

Jon
Jon

Reputation: 437326

Basically you do a find and replace within your stored content to match those placeholders (the format of which is something you can freely decide) and replace them with the result of evaluating an expression that you derive from them. It is not necessary (or a good idea) to use eval for this, you can very easily roll your own eval-like code that only supports a safe subset of what eval does.

Let's say you pick {{{xxx}}} as your placeholder template. To match it, the easiest way is to use regular expressions through preg_match or another function in the same family; since we want to replace as well and we want the replacement to be produced dynamically, we 'll go with preg_replace_callback.

The pattern to replace will be '/{{{([a-zA-Z_]+)}}}/', which matches a sequence of one or more letters and underscores between the curly braces. The parentheses in there are regular-expression-specific syntax and I used them so that I can later easily refer to just the part within (the name of the "template" let's say) without being bothered by the braces.

The callback is going to be a function that produces the replacement content given a pattern:

function produce_replacement($match) {
    // $match[1] means "the part of the template inside the braces";
    // read up on the documentation of preg_replace_callback for more.
    $producerName = 'evaluate_'.strtolower($match[1]);
    return function_exists($producerName) ? $producerName() : null;
}

This function is designed to take a template name (e.g. xxx in {{{xxx}}}) and see if a function called evaluate_xxx exists. If it does, it calls the function and returns the result; if not, it returns null. In any case, the result will be the replacement of the template in your original text.

Important: This is a design decision that provides security to the implementation! We have made it so that the user can use any "template" they want inside the text, but those templates will only result in code being executed if that code resides within a function named evaluate_xxx or similar. Given that the presence or absence of these functions is something that you control, the user is restricted in what their markup can actually do.

So you can now have:

$text = "Hello there {{{name}}}!";
$pattern = '/{{{([a-zA-Z_]+)}}}/';

$text = preg_replace_callback($pattern, 'produce_replacement', $text);
echo $text;

function evaluate_name() {
    return "Joe";
}

See it in action.

Upvotes: 2

safarov
safarov

Reputation: 7804

There are lots of templating engines doing this, you can do it without using eval(). With advanced parsing class. Predefine your list of functions and etc and use it. Or Just use Templating engines.

Upvotes: 1

Related Questions