Replace project using DB-driven templates, or re-implement it with similar logic?

dalecosp

Theoretical question.

I'm working on replacing a software system that uses templates stored in the DB to output site pages.

There's a "basic template" (or two or three) that's generally HTML with some 'marker tags' in it. The marker tags are replaced by other types of code "modules" that are also in the DB ... maybe HTML, maybe PHP or JS or even Flash objects, I guess.

I don't know for sure how the old system does it because that part of the system is "encrypted", but I'm currently leaning very heavily towards the theory that they're parsing the code, str_replace()ing the marker tags with the DB data, and then running the whole mess through [man]eval/man.

Presumptively the whole system exists so a non-programmer can add create pages simply by typing content into a WYSIWYG or pasting copied code into a form and saving it with a unique name (that creates the marker tag referred to above).

I've been able to duplicate this sort of functionality with this as the output script:

require_once("config.php");
require_once($Myconfig['class_path'] . "/ParseTemplate.class.php");

//I have this template stored in a file for testing, but it could come from DB instead
$template = file_get_contents($Myconfig['server_path'] . "/my_templates/basic.1.html");
$parser   = new ParseTemplate($template);
$code     = $parser->replaceTags();

$code = ltrim($code, "<"."?php");
$code = rtrim($code, "?".">");

echo eval($code);

Of course, the code's really kind of irrelevant; the question is how should the system be designed?

Do I want to keep this system using this paradigm? Or something different, like saving the modules and templates as files ... ?

Any thoughts? :-)

NogDog

I'm in favor of replacing anything that uses eval() with something that does not, both for security and performance. 🙂

dalecosp

NogDog;11063153 wrote:
I'm in favor of replacing anything that uses eval() with something that does not, both for security and performance. 🙂

Yes, yes ... just trying to figure out what it should look like. I don't have anybody standing over my shoulder with a requirements list, but I know I'll get feedback ex-post-facto .... :bemused:

NogDog

As I twiddle my thumbs waiting for the magical "summer Fridays" close of business hour, I'm wondering if there's a way to grab content from a DB in a way that it could become a file "handle" that include/require could access (that doesn't require eval() 😉 )? Hmm....

PS:

If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

http://php.net/manual/en/function.include.php

Hmm....

dalecosp

NogDog;11063159 wrote:
As I twiddle my thumbs waiting for the magical "summer Fridays" close of business hour, I'm wondering if there's a way to grab content from a DB in a way that it could become a file "handle" that include/require could access (that doesn't require eval() 😉 )? Hmm....

PS:

http://php.net/manual/en/function.include.php

Hmm....

Well, I dunno if that's the answer precisely, but it's helping to get some new wheels turning. Maybe next week something will "pop up" here (my noggin) and make itself known. 🙂

maxxd

If you're replacing the system wholesale, could you not look to an established templating system like Twig? From what you describe, it could be a very simple transition from the existing system to the new - grab user data from the database, then pipe that through the render() function of your Twig object. In addition to being heavily tested, Twig escapes output by default and - as far as I know - doesn't rely on eval(). It could prove difficult if your current system allows users to paste and then present random php code - which honestly sounds a bit dangerous anyhow - but you could always turn off auto-escape if that's the case.

dalecosp

maxxd;11063253 wrote:
If you're replacing the system wholesale, could you not look to an established templating system like Twig?

Possibly ... and thanks for the suggestion. At present, I'm not targeting a server that will use PHP7 though ... that's a requirement for Twig?

The old system had a Smarty-like lingo for templates (some of the internal workings ... actually I think it IS Smarty), but also allowed DB-stored HTML as mentioned above (switchable from the control panel).

From what you describe, it could be a very simple transition from the existing system to the new - grab user data from the database, then pipe that through the render() function of your Twig object. In addition to being heavily tested, Twig escapes output by default and - as far as I know - doesn't rely on eval(). It could prove difficult if your current system allows users to paste and then present random php code - which honestly sounds a bit dangerous anyhow - but you could always turn off auto-escape if that's the case.

The current system allows admins to create PHP modules, not 'users'. Of course, there's certainly a sense in which some of the admins are the 'users' ... not everyone here can really write code (despite what one of them thinks, heheh ... of course I'm trying to teach them 🙂 ). There's really nothing to prevent me just converting everything into plain files and managing them in my IDE (probably adding a sandbox and GIT ... two things this project has been needing for YEARS) except the potential displeasure of the other admins (one of whom I don't care too much about their opinion, and the other of whom is my supervisor 😉 😉 ).

I might actually just go ahead and do that, since for the most part when anything needs changed they just come to me anyway. But there's a sense in which that seems a step backwards ... and that's what might bug my supervisor, at least until I can get him some WYSIWIG-like functionality added back to the system.

NogDog

Seems cleaner to just use files in many ways. Worst case: maybe have a service that builds the files from the DB, and does periodic checks for DB changes -- or a DB trigger function that updates the relevant file if a template is inserted or updated?

maxxd

dalecosp;11063257 wrote:
Possibly ... and thanks for the suggestion. At present, I'm not targeting a server that will use PHP7 though ... that's a requirement for Twig?

For 2.x, yes. But 1.x can use 5.3.3 and up, and 1.x also auto-escapes output by default as far as I can remember.

dalescop;11063257 wrote:
The current system allows admins to create PHP modules, not 'users'.

Well that sounds at least somewhat less terrifying...

dalescop;11063257 wrote:
Of course, there's certainly a sense in which some of the admins are the 'users' ... not everyone here can really write code (despite what one of them thinks, heheh ... of course I'm trying to teach them 🙂 ).

HA! I know some of those same people!

dalescop;11063257 wrote:
There's really nothing to prevent me just converting everything into plain files and managing them in my IDE (probably adding a sandbox and GIT ... two things this project has been needing for YEARS) except the potential displeasure of the other admins (one of whom I don't care too much about their opinion, and the other of whom is my supervisor 😉 😉 ).

I might actually just go ahead and do that, since for the most part when anything needs changed they just come to me anyway. But there's a sense in which that seems a step backwards ... and that's what might bug my supervisor, at least until I can get him some WYSIWIG-like functionality added back to the system.

Depending on what kind of changes you deal with day-to-day, using Twig may actually make things much easier, although I'm not sure that it'll help with any WYSIWYG functionality. The hierarchy and inheritance model that's used is very flexible. I work with WordPress at my current job and it was a slog and a half for a long time to write the php templates that WP encourages until I found a plugin that lets me use Twig as a rendering engine. The number of files I've had to create (for an admittedly very template-happy design staff) has dropped drastically, and I've built my own modular Twig-based starter theme which has cut down significantly in overall development time.

Again, not saying it's the perfect solution for you, but personally I've found it incredibly helpful and useful.