which way is better?

cold

i'm developing a simple tempalte engine.
what i've been doing is that i have a .php page with the array vars() containing pair of [ToBeReplaced][$value].
i have another .html file with tags like {ToBeReplaced}.
$contents has the templateFile.html

so,when processing the template,i have two choices.

foreach ($vars as $key->$value){
     str_replace('{'.$key.'}',$value,$contents);
}

OR the other way round

preg_match_all("/{[A-Z]+[ ][A-Z]+}/",$contents,$out,PREG_PATTERN_ORDER)
foreach ($out as $key=>$value){
	if(is_array($out[$key]) ){
		foreach ($out[$key] as $key2=>$value2){
			if(isset($vars[$out[$key][$key2]])){
				$out[$key][$key2]=$vars[$out[$key][$key2]];			
			}
		}
	}
}

so,in the first one i have to use the keys in the vars() as the search criteria.and replace them in the $contents if i find any.
and in the seconed one,i read the html file first.store the patterns found and search in the vars().if i find any match i replace it.

does the seconed one posses any security threats?

NogDog

If you include the brackets in your array keys, you can just do:

$replacements = array(
   '{place_holder_1}' => 'Value 1',
   '{place_holder_2}' => 'Value 2',
   '{place_holder_3}' => 'Value 3',
);
$contents = str_replace(array_keys($replacements), $replacements, $contents);