
Performance of form with lot alternate php and html


dino.l...@gmail.com

Nov 2, 2016, 11:20:01 AM
Hi all,
in my form I have a lot of fields that are valued by PHP, like

---------------------------

Codice INT_AMM_:
<input id="codiceamm" name="codiceamm" type="text" size="8" maxlength="11"
onblur="this.value=formatNumber(this,0,true);"
onkeydown="javascript:return chknumericfield(event);"
<?php
if ($lavoro == 'modifica') {
echo(' class="normalinput" onFocus="select();" ');
} else {
echo(' class="disabledinput" readonly="" ');
}
echo('value="' . stripslashes($rec[0]['codiceamm']) . '"');
?>
/>&nbsp;
Codice INT_PROV_:
etc. etc.

---------------------------

is this the right way to obtain best performance to show page?

or the interpreter switches much times to go in and out from php to html ?

thanks

Jerry Stuckle

Nov 2, 2016, 2:46:04 PM
Worrying about performance at this point is just premature optimization.
That is just a waste of time. Write your code to make it easy to
understand.

Worry about performance only when it becomes a problem - then find where
the problem is. I can guarantee it will not be switching back and forth
between HTML and PHP. There is very little overhead doing it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstu...@attglobal.net
==================

Arno Welzel

Nov 3, 2016, 3:16:21 AM
The interpreter does not "switch" at all. In fact the whole script is
executed by PHP and all the places with

?> ... <?php

will just be treated like

echo( ... );

So go ahead and build your script as you like to. It's more important to
have code which you understand and which works.

BTW: You can also use OpCache to speed up things - this is a regular
part of PHP since PHP 5.5 and even faster than XCache. Switching from
mod_php to php-fpm may also help.


--
Arno Welzel
https://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de

Thomas 'PointedEars' Lahn

Nov 3, 2016, 11:24:43 AM
Arno Welzel wrote:

> dino.l...@gmail.com wrote on 2016-11-02 at 16:19:
>> in my form i have lot of fields that are valued by php like
>>
>> ---------------------------
>>
>> Codice INT_AMM_:
>> <input id="codiceamm" name="codiceamm" type="text" size="8"
>> maxlength="11"
>> onblur="this.value=formatNumber(this,0,true);"
>> onkeydown="javascript:return chknumericfield(event);"

Remove “javascript:”.

>> <?php
>> if ($lavoro == 'modifica') {
>> echo(' class="normalinput" onFocus="select();" ');

Careful; like “event”, there may be a native property with the name “select”
in the scope chain. Always call your methods in your own namespace, and
avoid implicit references in favor of using “this” (which usually is in
the scope chain of event-handler attribute values).

>> } else {
>> echo(' class="disabledinput" readonly="" ');
>> }
>> echo('value="' . stripslashes($rec[0]['codiceamm']) . '"');
>> ?>
>> />&nbsp;
>> Codice INT_PROV_:
>> etc. etc.
>>
>> ---------------------------
>>
>> is this the right way to obtain best performance to show page?
>>
>> or the interpreter switches much times to go in and out from php to html
>> ?
>
> The interpreter does not "switch" at all. In fact the whole script is
> executed by PHP and all the places with
>
> ?> ... <?php
>
> will just be treated like
>
> echo( ... );

That is obviously incorrect.

First of all, “echo” is not a function but a language feature.
It should not be written as if it were a function, so it should
be written without the parentheses.

Second, there is no expansion performed outside of “<?php … ?>” blocks.
Instead, the part of the file is read by PHP and sent verbatim to
the standard output, where consecutive lines are output together (as if
they all had been in one “echo” statement). This is more efficient than
expanding escape sequences while compiling source code to bytecode, and
then executing that bytecode. Insofar the _compiler_ *is* switching
between modes here. (PHP source code is _not_ interpreted verbatim.
The same applies to most other scripting languages.)

Third, “echo” must attempt to convert its argument to string before output.

This can be shown using the Vulcan Logic Disassembler (VLD) PECL extension:

| $ printf '123\n' > /tmp/php.test; php -d vld.active=1 -d vld.execute=1 /tmp/php.test
| PHP Warning: Module 'PDO' already loaded in Unknown on line 0
| PHP Warning: Module 'vld' already loaded in Unknown on line 0
| Finding entry points
| Branch analysis from position: 0
| Jump found. Position 1 = -2
| filename: /tmp/php.test
| function name: (null)
| number of ops: 3
| compiled vars: none
| line     #* E I O op                           fetch          ext  return  operands
| -------------------------------------------------------------------------------------
|    2     0  E >   EXT_STMT
|          1        ECHO                                                     '123%0A'
|          2      > RETURN                                                   1
|
| branch: # 0; line: 2- 2; sop: 0; eop: 2; out1: -2
| path #1: 0,
| 123
|
| $ printf '1<?php echo 2; ?>3\n' > /tmp/php.test; php -d vld.active=1 -d vld.execute=1 /tmp/php.test
| PHP Warning: Module 'PDO' already loaded in Unknown on line 0
| PHP Warning: Module 'vld' already loaded in Unknown on line 0
| Finding entry points
| Branch analysis from position: 0
| Jump found. Position 1 = -2
| filename: /tmp/php.test
| function name: (null)
| number of ops: 8
| compiled vars: none
| line     #* E I O op                           fetch          ext  return  operands
| -------------------------------------------------------------------------------------
|    1     0  E >   EXT_STMT
|          1        ECHO                                                     '1'
|          2        EXT_STMT
|          3        ECHO                                                     2
|          4        NOP
|    2     5        EXT_STMT
|          6        ECHO                                                     '3%0A'
|          7      > RETURN                                                   1
|
| branch: # 0; line: 1- 2; sop: 0; eop: 7; out1: -2
| path #1: 0,
| 123
`----

There is another advantage in separating pure PHP code from markup:
PHP editor features like syntax highlighting, code completion and linting
can be applied to the pure PHP code, and markup editor features like
syntax highlighting, code completion, and markup validation can be applied
to the part that is purely markup.

The above can be rewritten as

<input
<?php
if ($lavoro == 'modifica') {
?>
class="normalinput" onFocus="select();"

<?php
} else {
?>
class="disabledinput" readonly=""
<?php
}

echo('value="' . stripslashes($rec[0]['codiceamm']) . '"');
?>

PHP has an alternative syntax that is prevalent in templates because
it makes them easier to read:

<input
<?php if ($lavoro == 'modifica'): ?>
class="normalinput" onFocus="select();"
<?php else: ?>
class="disabledinput" readonly=""
<?php endif;

echo 'value="' . stripslashes($rec[0]['codiceamm']) . '"';
?>

On the other hand, simple if-else statements as this can also be simplified
by using the conditional operator:

<?php
echo ($lavoro === 'modifica')
? ' class="normalinput" onFocus="select();" '
: ' class="disabledinput" readonly="" ';
?>

Further, “<?php echo …; ?>” can be safely replaced by “<?= … ?>” since PHP 5.4:

<?= ($lavoro === 'modifica')
? ' class="normalinput" onFocus="select();" '
: ' class="disabledinput" readonly="" '
?>

Most importantly, though, stripslashes() is _not_ sufficient to avoid
code injection. It should be either

<?php
echo 'value="'
. htmlspecialchars(stripslashes($rec[0]['codiceamm']))
. '"';

?>

or

value="<?= htmlspecialchars(stripslashes($rec[0]['codiceamm'])) ?>"

Calling stripslashes() should not be necessary to begin with, though.
Simply set the “magic_quotes_gpc” setting, which is DEPRECATED as of
PHP 5.3.0 (where the default was still "on") and was REMOVED as of
PHP 5.4.0, to "off" (0). In fact, if you really need to rely on
stripslashes(), you better upgrade your PHP version and find ways
to remove stripslashes() from your code.

Finally, markup *templates* can be read and written by people who
do not know PHP, later to be augmented with source code by people
who do know PHP, which makes collaboration easier. This is where
template engines like Smarty come in where PHP code for control
statements like loops and for inserting values escaped into
the markup is largely replaced by code in a templating language.

> So go ahead and build your script as you like to. It's more important to
> have code which you understand and which works.

Non sequitur.

> BTW: You can also use OpCache to speed up things - this is a regular
> part of PHP since PHP 5.5 and even faster than XCache. Switching from
> mod_php to php-fpm may also help.

In situations like this, where the output is variable, an opcode
cache provides no advantage.

--
PointedEars
Zend Certified PHP Engineer
<http://www.zend.com/en/yellow-pages/ZEND024953> | Twitter: @PointedEars2
Please do not cc me. / Bitte keine Kopien per E-Mail.
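
The difference between stripslashes() and htmlspecialchars() discussed in the post above, as an added example that is not part of the thread: it renders the same field once with the original pattern and once escaped at output time. The helper names attr() and renderCodiceAmm() and the sample value are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/** Escape a value for use inside a quoted HTML attribute (hypothetical helper). */
function attr(string $value): string
{
    // ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the "codiceamm" field from the thread (hypothetical helper). */
function renderCodiceAmm(string $lavoro, string $stored): string
{
    $state = ($lavoro === 'modifica')
        ? 'class="normalinput" onfocus="this.select();"'
        : 'class="disabledinput" readonly';

    return '<input id="codiceamm" name="codiceamm" type="text" size="8" '
        . 'maxlength="11" ' . $state . ' value="' . attr($stored) . '" />';
}

// Constructed sample row: the value contains a double quote, which ends the
// attribute early when it is written into the page unescaped.
$rec = [['codiceamm' => '12" data-extra="x']];

// Original pattern: stripslashes() only removes backslashes, so the quote
// passes through and the rest of the value is parsed as a new attribute.
$unsafe = 'value="' . stripslashes($rec[0]['codiceamm']) . '"';

// Escaped at output time: the quote is emitted as &quot; and the whole
// string stays inside the value attribute.
$safe = renderCodiceAmm('modifica', $rec[0]['codiceamm']);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```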

dino.l...@gmail.com

Nov 3, 2016, 3:15:36 PM

> value="<?= htmlspecialchars(stripslashes($rec[0]['codiceamm'])) ?>"
>
> Calling stripslashes() should not be necessary to begin with, though.
> Simply set the “magic_quotes_gpc” setting, which is DEPRECATED as of
> PHP 5.3.0 (where the default was still "on") and was REMOVED as of
> PHP 5.4.0, to "off" (0). In fact, if you really need to rely on
> stripslashes(), you better upgrade your PHP version and find ways
> to remove stripslashes() from your code.
>
> Finally, markup *templates* can be read and written by people who
> do not know PHP, later to be augmented with source code by people
> who do know PHP, which makes collaboration easier. This is where
> template engines like Smarty come in where PHP code for control
> statements like loops and for inserting values escaped into
> the markup is largely replaced by code in a templating language.
...
> --
> PointedEars

I thank you all for your good answers and apologise because I am a neanderthal php programmer :(
Two more questions:
I use stripslashes($rec[0]['codiceamm']) to suppress values with possible slashes stored in db field, you say it isn't necessary but I have not understood (all because of my bad english) how to do without. Can explain in poor words ?

Second question, is best for me remain a neanderthaler or grow, maybe by a simple framework, you said "smarty", is one possible way ?

T.i.a.

Jerry Stuckle

Nov 3, 2016, 6:59:20 PM
One caution - don't worry about anything "Pointed Head" says. He is a
well-known troll in multiple newsgroups. And as he just showed, he
knows little about PHP (except what he can copy from other peoples'
posts and blogs).

stripslashes() is antiquated and no longer in use. It was used in early
versions of PHP when magic_quotes was enabled in the php.ini file. The
latter has been deprecated for several versions now, and I think it has
finally been removed (but haven't checked).

The problem is not with slashes in your string, but extra quote (')
characters. Unescaped, they can allow unauthorized access to your
database, website and even destroy the database (google "SQL Injection"
for more information). The correct way to handle this is dependent
on your database; for MySQL you should be using
mysql_real_escape_string() on all strings, for instance.

You can try a templating engine, but for learning PHP I don't recommend
it. You will have to not only learn PHP, but learn how that templating
engine does things. And even if you look at the code others have
written, you don't know for sure how good that code is. Plus a
templating engine will do a lot of things "behind the scenes" for you,
so you won't learn major parts of the language. Overall, not really a
good idea, IMHO.

Arno Welzel

Nov 7, 2016, 3:39:27 AM
Thomas 'PointedEars' Lahn wrote on 2016-11-03 at 16:24:

> Arno Welzel wrote:
>
[...]
>> ?> ... <?php
>>
>> will just be treated like
>>
>> echo( ... );
>
> That is obviously incorrect.
>
> First of all, “echo” is not a function but a language feature.
> It should not be written as if it were a function, so it should
> be written without the parentheses.
>
> Second, there is no expansion performed outside of “<?php … ?>” blocks.

Correct. That's why I said "treated like" and not "is exactly the same as".

[...]
>> BTW: You can also use OpCache to speed up things - this is a regular
>> part of PHP since PHP 5.5 and even faster than XCache. Switching from
>> mod_php to php-fpm may also help.
>
> In situations like this, where the output is variable, an opcode
> cache provides no advantage.

Wrong. The code is not changing - and this is all what counts, not the
output.

Arno Welzel

Nov 7, 2016, 3:42:00 AM
Jerry Stuckle wrote on 2016-11-03 at 23:59:

[...]
> The problem is not with slashes in your string, but extra quote (')
> characters. Unescaped, they can allow unauthorized access to your
> database, website and even destroy the database (google "SQL Injection"
> for more information). The correct way to handle this is dependent
> on your database; for MySQL you should be using
> mysql_real_escape_string() on all strings, for instance.

Or use prepared statements where values never will be put directly into
the SQL statement.

Thomas 'PointedEars' Lahn

Nov 7, 2016, 1:08:28 PM
Arno Welzel wrote:

> Thomas 'PointedEars' Lahn wrote on 2016-11-03 at 16:24:
>> Arno Welzel wrote:
> [...]
>>> ?> ... <?php
>>>
>>> will just be treated like
>>>
>>> echo( ... );
>>
>> That is obviously incorrect.
>>
>> First of all, “echo” is not a function but a language feature.
>> It should not be written as if it were a function, so it should
>> be written without the parentheses.
>>
>> Second, there is no expansion performed outside of “<?php … ?>” blocks.
>
> Correct. That's why I said "treated like" and not "is exactly the same
> as".

The point here is that *several* consecutive lines outside of <?php … ?> are
treated like *one* “echo” statement with the difference that the source code
is not parsed for language tokens except “<?”. Beginners are often not
aware that using several consecutive “echo” statements is comparably
inefficient.

You have trimmed from your text the false conclusion, which I was referring
to, that accompanied the correct statement that you left in.

> [...]
>> In situations like this, where the output is variable, an opcode
>> cache provides no advantage.
>
> Wrong. The code is not changing - and this is all what counts, not the
> output.

You are missing the point again.

Arno Welzel

Nov 7, 2016, 5:53:50 PM
Thomas 'PointedEars' Lahn wrote:

> Arno Welzel wrote:
>
>> Thomas 'PointedEars' Lahn wrote on 2016-11-03 at 16:24:
[...]
>>> In situations like this, where the output is variable, an opcode
>>> cache provides no advantage.
>>
>> Wrong. The code is not changing - and this is all what counts, not the
>> output.
>
> You are missing the point again.

Which point?

OpCache caches byte code based on the source code which PHP executes.

See <http://php.net/manual/en/intro.opcache.php>:

"OPcache improves PHP performance by storing precompiled script bytecode
in shared memory, thereby removing the need for PHP to load and parse
scripts on each request."

Thomas 'PointedEars' Lahn

Dec 15, 2016, 9:29:29 AM
dino.l...@gmail.com wrote:

[Restored attribution]

> [Thomas 'PointedEars' Lahn wrote: ]
>> value="<?= htmlspecialchars(stripslashes($rec[0]['codiceamm'])) ?>"
>>
>> Calling stripslashes() should not be necessary to begin with, though.
>> Simply set the “magic_quotes_gpc” setting, which is DEPRECATED as of
>> PHP 5.3.0 (where the default was still "on") and was REMOVED as of
>> PHP 5.4.0, to "off" (0). In fact, if you really need to rely on
>> stripslashes(), you better upgrade your PHP version and find ways
>> to remove stripslashes() from your code.
>>
>> Finally, markup *templates* can be read and written by people who
>> do not know PHP, later to be augmented with source code by people
>> who do know PHP, which makes collaboration easier. This is where
>> template engines like Smarty come in where PHP code for control
>> statements like loops and for inserting values escaped into
>> the markup is largely replaced by code in a templating language.
>
> I thank you all for your good answers

You are welcome.

But please keep the attribution from now on. It is important to know who
wrote the text which was quoted. But it should be only one line for each
quotation level. That is easier to read. You should make it shorter if it
is too long for one line (more than 72 characters). You can make it shorter
if you delete everything except the name of the author. See above.

You are using Google Groups. You should subscribe to the newsgroup. Then
you can post with your real name, which is polite. And your name will
appear in attributions, as it should be. But Google Groups has a lot of
errors. So Google Groups postings are harder to read. Also, many bad
people are (ab)using Google Groups: spammers and trolls. So it is often
filtered out. (That is also why my reply is late. I did not see your
posting until today.) You should use a newsreader application instead, for
example KNode or Mozilla Thunderbird.

<http://twovoyagers.com/improve-usenet.org/>

> and apologise because I am a neanderthal php programmer :(

<http://catb.org/esr/faqs/smart-questions.html#idm45835691819312>

> Two more questions:
> I use stripslashes($rec[0]['codiceamm']) to suppress values with possible
> slashes stored in db field, you say it isn't necessary but I have not
> understood (all because of my bad english) how to do without. Can explain
> in poor words ?

(You probably mean “in _few_ words”. OK, I tried to write in Simple English
here [1].)

stripslashes() removes and reduces *back*slashes (“\”). The function name
is misleading:

<http://php.net/stripslashes>

It should not be necessary to remove or reduce backslashes. Because there
should not be extra backslashes in the database. *You* have put them there.
Do not do that. Problem solved.

> Second question, is best for me remain a neanderthaler or grow,

<http://catb.org/esr/faqs/smart-questions.html#idm45835691819312>

> maybe by a simple framework, you said "smarty", is one possible way ?

Smarty is not a (PHP) framework. It is a (PHP) library. This library
provides a (PHP) template engine. A (PHP) template engine helps you to
write (PHP) templates in an easy way. It uses a more simple syntax.

HTH.

_______
[1] <http://en.wikipedia.org/wiki/Simple_English>
--
PointedEars
Zend Certified PHP Engineer <http://www.zend.com/en/yellow-pages/ZEND024953>
<https://github.com/PointedEars> | <http://PointedEars.de/wsvn>
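
The points above about prepared statements and about extra backslashes ending up in the database, shown together as an added example that is not part of the thread. It assumes the pdo_sqlite extension; the in-memory database, the table name amm, the functions store() and load() and the sample value are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed setup: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE amm (id INTEGER PRIMARY KEY, codiceamm TEXT)');

/** Store a value through a placeholder; it is never spliced into the SQL text. */
function store(PDO $pdo, string $value): int
{
    $stmt = $pdo->prepare('INSERT INTO amm (codiceamm) VALUES (:codice)');
    $stmt->execute([':codice' => $value]);
    return (int) $pdo->lastInsertId();
}

/** Read the stored value back by primary key. */
function load(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT codiceamm FROM amm WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed input containing a single quote and a backslash.
$input = "D'Amico\\01";

// Bound as-is: no manual escaping on the way in, no stripslashes() on the
// way out.
$clean = load($pdo, store($pdo, $input));

// Escaped by hand before binding (the old magic_quotes habit): the added
// backslashes become part of the stored data, which is the situation
// stripslashes() was papering over.
$slashed = load($pdo, store($pdo, addslashes($input)));

// Compare each stored value with the original input.
var_dump($clean === $input);
var_dump($slashed === $input);
var_dump(stripslashes($slashed) === $input);
```

A value read back this way still has to be escaped for its output context, for example with htmlspecialchars() when it is written into an HTML attribute.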