cbassett03 Posted October 27, 2011 Share Posted October 27, 2011 Is there a performance or security issue when embedding HTML code to be written to a page using a series of ECHO statements within PHP? Here's two examples: <?php // Some PHP code echo "<p>Hello, World</p>\n"; // More php code ?> versus: <?php> // Some PHP script commands ?> <p>Hello World\n"; <?php // More PHP code ?> Is there a performance issue or potential security flaw that would make the first example any worse/better than the second? (Is one method more "secure" than the other method, I guess is what I'm asking?) I like the ease of just throwing in HTML within a PHP script without having toe escape quote marks, etc. But, I'm a bit concerned about security since whatever technique I use will be incorporated into a "commercial" production website. Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted October 27, 2011 Share Posted October 27, 2011 supposedly from what I hear the second way is slower, because it has to open/close or start/stop the php parser. Also the second way looks really messy IMO. I also think HEREDOC is nice, not sure if it has anything to do with your question but... <?php $variable = 100; echo <<<HTMLPHP <p>"This has single and double quote's that are not escaped."</p> <p>$variable</p> HTMLPHP; ?> Quote Link to comment Share on other sites More sharing options...
markjoe Posted October 27, 2011 Share Posted October 27, 2011 Already doubting there to be any significant difference in speed, I decided to do a crude test anyway. I did 20,000 lines of each pattern echo "<div/>HTML</div>\n"; echo "<div>PHP ". ++$a . "</div>\n"; echo "<div/>HTML</div>\n"; echo "<div>PHP ". ++$a . "</div>\n"; echo "<div/>HTML</div>\n"; echo "<div>PHP ". ++$a . "</div>\n"; <div/>HTML</div> <?php echo "<div>PHP ". ++$a . "</div>\n"; ?> <div/>HTML</div> <?php echo "<div>PHP ". ++$a . "</div>\n"; ?> <div/>HTML</div> <?php echo "<div>PHP ". ++$a . "</div>\n"; ?> <div/>HTML</div> <?php echo "<div>PHP ". ++$a . "</div>\n"; ?> with and without APC There was no noticeable difference in execution time. (the standard deviation of each was greater than any of the differences between them) As for security, I am not aware of any concerns either way. My advice: between these two methods and the HEREDOC, choose which ever you want based on keeping the code clean and easy to maintain. Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted October 27, 2011 Share Posted October 27, 2011 I did the same, they both finished in about 0.0074920654296875 seconds. That was for a basic page, what about a more complex page? Quote Link to comment Share on other sites More sharing options...
Psycho Posted October 27, 2011 Share Posted October 27, 2011 The merits of how best to include "content" has been debated many times that I have seen. There's even several threads on the merits of using single quotes vs. double quotes. Personally, I hate seeing a lot of code that jumps in and our of PHP to output HTML. And, I really like the ability to easily include variables in the output without having to break into and out of PHP tags. So, I typically use php echo statemetns with double quotes. But, that is only int he code where I must generate very dynamic content. I usually have a page or more that develops the majority of the dynamic content as PHP variables. Then I'll use a template type page that is mostly HTML with some placeholders for the content variables. Makes it very easy to "see" the structure of the page without the mess of all the PHP logic. In the end it is primarily a personal preference issue. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.