Complete PHP Programming/Escaping from HTML

From Wikibooks, the open-content textbooks collection


Introduction

PHP is a scripting language which can be embedded between HTML (or other document type) blocks in a PHP script page (see Rules section below). Special opening and closing PHP tags denote what should be parsed by the PHP parser, while anything outside these blocks is output directly to the browser.

History and use of start/end tags in PHP 2 through PHP 5

All of them begin with a less-than sign and end with a greater-than sign.

| Tag name | Abbreviated mark-up | Example with Compatibility | Recommended? | Purpose? | Availability? | Embed PHP within XML or XHTML for standard-compliance? | Space after opening or before closing tag optional? | PEAR compliant? |
|---|---|---|---|---|---|---|---|---|
| Old tags | <? ... > | <? echo 'PHP/FI 2.0'; > | Not usable now | N/A | Not available | Not embeddable | No space needed? | N/A |
| Short tags | <? ... ?> | <? echo 'PHP 3-5'; ?> | Deprecated now due to required use of short tags (which causes unescaped <? or ?> segments in XML to conflict) | Shorter | Not as portable: Requires short_open_tag="1" in php.ini enabled (ini_set() won't work), PHP configured with --enable-short-tags option, or, in PHP 3 only, a call to short_tags() | Not embeddable | No space needed | No |
| Short tags with "=" sign to represent "echo" | <?= ... ?> | <?= 'PHP 3-5'; ?> is a shortcut for <? echo 'PHP 3-5'; ?> | Deprecated now due to required use of short tags (which causes unescaped <? or ?> segments in XML to conflict) | Shorter | Not as portable: Requires short_open_tag="1" in php.ini enabled (ini_set() won't work), PHP configured with --enable-short-tags option, or, in PHP 3 only, a call to short_tags() | Not embeddable | No space needed | No |
| PHP tags | <?php ... ?> | <?php echo 'PHP 3-5'; ?> | Recommended but may also cause unescaped ?> segments in XML to conflict with short tags enabled | Recommended form; can embed PHP within XML or XHTML | Always available | Embeddable | Space needed | PEAR compliant |
| Script tags | <script language="php"> ... </script> | <script language="php"> echo 'PHP 3-5'; </script> | Not as frequently used or recommended (though portable) | Friendly to XML editors and XML (e.g., Microsoft Front Page) though see XML and Unprocessed PHP Script tags | Always available | Embeddable if DTD allows "script" tag in body | No space needed | No? |
| ASP-style tags | <% ... %> | <% echo 'PHP 3.04-5'; %> | Not as frequently used or recommended | Shorter; Usable in some XML editors (e.g., Microsoft Front Page) | Not as portable: Requires ASP tags in php.ini enabled (or relevant Apache directive) | Not embeddable | No space needed | No |
| ASP-style tags with "=" sign to represent "echo" | <%= ... %> | <%= 'PHP 3.04-5'; %> is a shortcut for <% echo 'PHP 3.04-5'; %> | Not as frequently used or recommended | Shorter; Usable in some XML editors (e.g., Microsoft Front Page) | Not as portable: Requires ASP tags in php.ini enabled (or relevant Apache directive) | Not embeddable | No space needed? | No |

Rules and Notes on Usage of Escaping Tags

  1. One can escape in and out of PHP any number of times within a page.
  2. One can mix and match tags, even one opening type with a different closing type (assuming both types are enabled), though there is no need for this and it would be poor practice.
  3. To take advantage of the faster processing of raw HTML (as opposed to going through the echo() or print() functions), one does not need to close conditionals, etc. before closing a PHP tag, as long as the conditional is closed within a subsequent PHP tag set (one exception is one-line comments; see below):
<?php
if ($weekday >= 6) { 
   ?>
    <p>Happy weekend. Why are you still at work?</p>
   <?php 
} else { 
   ?>
    <p>Today is work. Ugh.</p>
   <?php 
}
?>
  4. One-line comments, // or #, are ended upon reaching a closing ?> or enabled %> PHP tag (even if no newline has yet been specified), though not by a closing </script> tag. Thus, the subsequent HTML, etc. will not be commented out after the ?> or %>, even if it immediately follows the closing PHP tag without any newlines. See commenting.
  5. The closing PHP tag at the end of a file is not necessary. See also Rules on whitespace section below.
  6. The closing tag implies a semicolon (for line termination) in the event no semicolon had yet been specified (see instruction separation). If the closing semicolon had not been specified for the last instruction in the PHP code block, and a newline were present before the closing tag, it would be included as part of the statement (e.g., as part of an echo statement).

Rules pertaining to HTML or whitespace preceding or following PHP tags

  1. Spaces are required after the <?php tag but not for the short tags or script tag (ASP tags?)
  2. In order to avoid very long lines of code (where a developer may wish to have multiple PHP tag sets immediately follow one another but without newlines being added to the output), PHP considers ?>\n equivalent to ?> (i.e., PHP omits one newline after closing). To add an outputted newline between such PHP tag sets, one must therefore put at least one further newline.
  3. With cookies and sessions using cookies: as cookie headers (or sessions relying on cookies) do not allow ANY HTML to be sent to the user before they are sent, no HTML (not even whitespace) should be present before the very first opening PHP tag. In an included file, the same applies before the very first opening tag and after the very last closing tag, assuming there is a last closing tag and no unclosed opening PHP tag at the end (see below).
  4. It may be helpful to omit the last PHP closing tag (see above) if one is including or requiring a file processing code before a cookie is sent (see above), or if one is using output buffering and doesn't wish for additional whitespace at the end of the file to be sent to the browser. See also instruction separation.
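
The whitespace rules above can be checked mechanically. The following is an added example, not code from the original page: it uses PHP's tokenizer to list everything a file would output outside its PHP blocks. The function name findStrayOutput and the sample inputs are constructed for illustration.

```php
<?php
/**
 * List everything a PHP file would send to the client outside its PHP blocks.
 * For a file that must stay silent (configuration, library code, anything
 * included before setcookie() or session_start()), every finding is a defect.
 *
 * @return array<int, array{line: int, bytes: int, kind: string}>
 */
function findStrayOutput(string $source): array
{
    $findings = [];
    // token_get_all() follows the running short_open_tag setting and treats a
    // single newline after the closing tag as part of that tag, as PHP does.
    foreach (token_get_all($source) as $token) {
        if (!is_array($token) || $token[0] !== T_INLINE_HTML) {
            continue; // inside a PHP block: nothing is output verbatim
        }
        [, $text, $line] = $token;
        if (strncmp($text, "\xEF\xBB\xBF", 3) === 0) {
            $kind = 'UTF-8 byte order mark';
        } elseif (trim($text) === '') {
            $kind = 'whitespace';
        } else {
            $kind = 'markup or text';
        }
        $findings[] = ['line' => $line, 'bytes' => strlen($text), 'kind' => $kind];
    }
    return $findings;
}

// Constructed sample inputs, one per rule discussed above.
$samples = [
    'no closing tag'        => "<?php\n\$a = 1;\n",
    'one newline after ?>'  => "<?php \$a = 1; ?>\n",
    'two newlines after ?>' => "<?php \$a = 1; ?>\n\n",
    'space before <?php'    => " <?php \$a = 1;\n",
    'BOM before <?php'      => "\xEF\xBB\xBF<?php \$a = 1;\n",
];

foreach ($samples as $label => $source) {
    $found = findStrayOutput($source);
    printf("%-22s %s\n", $label, $found ? json_encode($found) : 'no output');
}
```

Run it under the same short_open_tag setting as the target server, since the tokenizer follows that setting.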

XML conflicts

XML declaration and Short tags

Note that the following problem with the XML declaration cannot be avoided merely by placing the "application/xhtml+xml" content type in a meta tag. However, if the content type is at least set by a call to header(), the XML processor may not require the XML declaration at all anyway. Nevertheless, it is a good idea to include it regardless.

  1. If short tags are enabled (whether using <? , <?= or <?php ), PHP will try to parse the opening of an XML (or text) declaration (<?xml ), starting after the "?", as PHP code, thus in all probability resulting in an error. (Something like <?xml()?> would work (assuming there were a function named 'xml'), but that is not likely to be the intention.) See options below for workarounds.
  2. If short tags are used (or any tag besides <?php or possibly <script>), the document will not be compliant with XML/XHTML standards.
  3. Even if short tags are not used and the declaration is within a PHP block, if short tags are enabled, use of <?php could still cause an XML well-formedness checker to fail. See options below for workarounds if you wish your code to work on systems with or without short open tags enabled. Otherwise, just set php.ini to the following:
    short_open_tag = 0
    

With short tags disabled in this way, the XML header can be written directly in non-PHP sections of the code; the methods in sections A.1 and A.3 and all of those in B would also work.

Options to write PHP/XML code to work both with short tags on (or off), with or without the intention of the code being displayable as raw XML

A. Will work if one is not planning on using (unprocessed) PHP within XML documents (e.g., to take advantage of stylesheets, display one's code online, etc.)

Using <?php tags (header inside PHP):

<?php echo "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n"; ?>

Using <? short tags (header inside HTML):

<<? ?>?xml version="1.0" encoding="UTF-8"?<? ?>>

Using either tag (header inside PHP) and HEREDOC:

<?php print <<<HEADERESCAPED
<?xml version="1.0"?>
HEADERESCAPED;
?>

Note: if you are concerned about code highlighting breaking, it may be fixed by adding a comment containing a quotation mark on a separate line after the HEREDOC:

//"

B. Will work on all servers regardless of short_open_tag settings and can be used in raw (PHP unprocessed) format as an XML document

Note: even though short tags may be on, the following cannot be converted to <? if they are to be used as raw XML documents:

<?php echo '<?xml version="1.0" ?'.'>' ?>
<?php echo "<?xml version=\"1.0\"\x3F>" ?>
<?php
$xml=rawurldecode('%3C%3Fxml%20version%3D%221.0%22%3F%3E');
echo $xml;
?>

header.txt (note: this must be .txt if this is intended to be made compatible with servers with Short open tags on):

<?xml version="1.0"?> 

xmldocument.php (the XML document):

<?php
  include("header.txt"); 
  // Add XML text following this...
?>

Use of PHP Script tags Within Code to be Displayed as Raw XML

There are a few considerations for using a script tag for inclusion within a PHP-unprocessed XML document (e.g., for display purposes):

  1. If it is to be included within XML for display purposes, the tags (and attribute (and value?)) should be all in lower case and thus follow XML's (and thus XHTML's) well-formedness rules.
  2. The script tag must also be valid against the given XML DTD.
  3. See the following section for its behavior with PCDATA.

Script and PCDATA

Inside the <script> element, text in XHTML is by default PCDATA. Thus, any < and & characters will be interpreted as markup by the validator, which is probably not what was intended.

Instead of using the obscuring and cumbersome &lt; or &amp; to escape all PHP code within the <script> element, mark the PHP as CDATA:

<script language="php">
//<![CDATA[ 
print "Hello, <b>$user</b>";
//]]>
</script>
