Arno Welzel wrote:
>
> dino.l...@gmail.com wrote on 2016-11-02 at 16:19:
>> in my form i have lot of fields that are valued by php like
>>
>> ---------------------------
>>
>> Codice INT_AMM_:
>> <input id="codiceamm" name="codiceamm" type="text" size="8"
>> maxlength="11"
>> onblur="this.value=formatNumber(this,0,true);"
>> onkeydown="javascript:return chknumericfield(event);"
Remove “javascript:”.
>> <?php
>> if ($lavoro == 'modifica') {
>> echo(' class="normalinput" onFocus="select();" ');
Careful; like “event”, there may be a native property with the name “select”
in the scope chain. Always call your methods in your own namespace, and
avoid implicit references in favor of using “this” (which usually is in
the scope chain of event-handler attribute values).
>> } else {
>> echo(' class="disabledinput" readonly="" ');
>> }
>> echo('value="' . stripslashes($rec[0]['codiceamm']) . '"');
>> ?>
>> />
>> Codice INT_PROV_:
>> etc. etc.
>>
>> ---------------------------
>>
>> is this the right way to obtain the best performance to show the page?
>>
>> or does the interpreter switch many times to go in and out from php to html?
>
> The interpreter does not "switch" at all. In fact the whole script is
> executed by PHP and all the places with
>
> ?> ... <?php
>
> will just be treated like
>
> echo( ... );
That is obviously incorrect.
First of all, “echo” is not a function but a language feature.
It should not be written as if it were a function, so it should
be written without the parentheses.
Second, there is no expansion performed outside of “<?php … ?>” blocks.
Instead, that part of the file is read by PHP and sent verbatim to
the standard output, where consecutive lines are output together (as if
they all had been in one “echo” statement). This is more efficient than
expanding escape sequences while compiling source code to bytecode, and
then executing that bytecode. In that sense the _compiler_ *is* switching
between modes here. (PHP source code is _not_ interpreted verbatim.
The same applies to most other scripting languages.)
Third, “echo” must attempt to convert its argument to string before output.
This can be shown using the Vulcan Logic Disassembler (VLD) PECL extension:
| $ printf '123\n' > /tmp/php.test; php -d vld.active=1 -d vld.execute=1 /tmp/php.test
| PHP Warning: Module 'PDO' already loaded in Unknown on line 0
| PHP Warning: Module 'vld' already loaded in Unknown on line 0
| Finding entry points
| Branch analysis from position: 0
| Jump found. Position 1 = -2
| filename: /tmp/php.test
| function name: (null)
| number of ops: 3
| compiled vars: none
| line #* E I O op fetch ext return operands
| -------------------------------------------------------------------------------------
| 2 0 E > EXT_STMT
| 1 ECHO '123%0A'
| 2 > RETURN 1
|
| branch: # 0; line: 2- 2; sop: 0; eop: 2; out1: -2
| path #1: 0,
| 123
|
| $ printf '1<?php echo 2; ?>3\n' > /tmp/php.test; php -d vld.active=1 -d vld.execute=1 /tmp/php.test
| PHP Warning: Module 'PDO' already loaded in Unknown on line 0
| PHP Warning: Module 'vld' already loaded in Unknown on line 0
| Finding entry points
| Branch analysis from position: 0
| Jump found. Position 1 = -2
| filename: /tmp/php.test
| function name: (null)
| number of ops: 8
| compiled vars: none
| line #* E I O op fetch ext return operands
| -------------------------------------------------------------------------------------
| 1 0 E > EXT_STMT
| 1 ECHO '1'
| 2 EXT_STMT
| 3 ECHO 2
| 4 NOP
| 2 5 EXT_STMT
| 6 ECHO '3%0A'
| 7 > RETURN 1
|
| branch: # 0; line: 1- 2; sop: 0; eop: 7; out1: -2
| path #1: 0,
| 123
There is another advantage in separating pure PHP code from markup:
PHP editor features like syntax highlighting, code completion and linting
can be applied to the pure PHP code, and markup editor features like
syntax highlighting, code completion, and markup validation can be applied
to the part that is purely markup.
The above can be rewritten as
<input
<?php
if ($lavoro == 'modifica') {
?>
class="normalinput" onFocus="select();"
<?php
} else {
?>
class="disabledinput" readonly=""
<?php
}
echo 'value="' . stripslashes($rec[0]['codiceamm']) . '"';
?>
PHP has an alternative syntax that is prevalent in templates because
it makes them easier to read:
<input
<?php if ($lavoro == 'modifica'): ?>
class="normalinput" onFocus="select();"
<?php else: ?>
class="disabledinput" readonly=""
<?php endif;
echo 'value="' . stripslashes($rec[0]['codiceamm']) . '"';
?>
On the other hand, simple if-else statements like this can also be simplified
by using the conditional operator:
<?php
echo ($lavoro === 'modifica')
? ' class="normalinput" onFocus="select();" '
: ' class="disabledinput" readonly="" ';
?>
Further, “<?php echo …; ?>” can be safely replaced by “<?= … ?>” since PHP 5.4:
<?= ($lavoro === 'modifica')
? ' class="normalinput" onFocus="select();" '
: ' class="disabledinput" readonly="" '
?>
Most importantly, though, stripslashes() is _not_ sufficient to avoid
code injection. It should be either
<?php
echo 'value="'
. htmlspecialchars(stripslashes($rec[0]['codiceamm']))
. '"';
?>
or
value="<?= htmlspecialchars(stripslashes($rec[0]['codiceamm'])) ?>"
Calling stripslashes() should not be necessary to begin with, though.
Simply set the “magic_quotes_gpc” setting, which is DEPRECATED as of
PHP 5.3.0 (where the default was still "on") and was REMOVED as of
PHP 5.4.0, to "off" (0). In fact, if you really need to rely on
stripslashes(), you had better upgrade your PHP version and find ways
to remove stripslashes() from your code.
Finally, markup *templates* can be read and written by people who
do not know PHP, later to be augmented with source code by people
who do know PHP, which makes collaboration easier. This is where
template engines like Smarty come in: PHP code for control
statements like loops and for inserting escaped values into
the markup is largely replaced by code in a templating language.
> So go ahead and build your script as you like to. It's more important to
> have code which you understand and which works.
Non sequitur.
> BTW: You can also use OpCache to speed up things - this is a regular
> part of PHP since PHP 5.5 and even faster than XCache. Switching from
> mod_php to php-fpm may also help.
In situations like this, where the output is variable, an opcode
cache provides no advantage.
--
PointedEars
Zend Certified PHP Engineer
<http://www.zend.com/en/yellow-pages/ZEND024953> | Twitter: @PointedEars2
Please do not cc me. / Please no copies by e-mail.
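The escaping point made above, worked through as an added example that is not part of the original thread: the attr() helper, the ENT_QUOTES/ENT_SUBSTITUTE flags, the charset argument and the 'visualizza' sample value are assumptions not stated in the post.

```php
<?php
// Added example, not code from the thread: renders the "codiceamm" field
// from the discussion with the alternative syntax, "<?=" and htmlspecialchars().
declare(strict_types=1);

/** Escape a value for use inside a double-quoted HTML attribute. */
function attr(string $value): string
{
    // ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE avoids an empty
    // result on invalid UTF-8 (both flags are assumptions, not from the post).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the input as a template; the returned markup is never "echo"ed here. */
function renderCodiceInput(string $lavoro, string $codiceamm): string
{
    ob_start();
?>
<input id="codiceamm" name="codiceamm" type="text" size="8" maxlength="11"
<?php if ($lavoro === 'modifica'): ?>
  class="normalinput" onfocus="this.select();"
<?php else: ?>
  class="disabledinput" readonly=""
<?php endif; ?>
  value="<?= attr($codiceamm) ?>"
/>
<?php
    return ob_get_clean();
}

// Constructed sample value containing attribute-breaking characters.
$sample = 'ab"cd<ef>';

// stripslashes() alone leaves the quote intact, so the attribute ends early
// and whatever follows becomes markup.
$unsafe = 'value="' . stripslashes($sample) . '"';
// htmlspecialchars() turns " into &quot; and < into &lt;, so the value
// stays inside the attribute.
$safe = 'value="' . attr($sample) . '"';

echo $unsafe, "\n";
echo $safe, "\n";
echo renderCodiceInput('modifica', $sample);
echo renderCodiceInput('visualizza', $sample); // constructed non-edit mode
```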