ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


php within templates - good or bad?

July 07, 2012 2:32am

  • #1 / Jul 07, 2012 2:32am

    jackiewales

    37 posts

    EE allows for PHP to be embedded within templates. This seems to be rather frowned upon. I don’t fully understand the issues here. Could anybody offer an explanation?

  • #2 / Jul 07, 2012 4:42am

    If you’re working on a client site, and they’ll have access to the templates, they could really break stuff/create massive security holes if php is enabled. If it’s your own site, or template access will be tightly controlled, there are things that can be done with straight php that are damn near impossible otherwise - mainly because of parse order issues.

  • #3 / Jul 07, 2012 5:04am

    jackiewales

    37 posts

    Thank you Dylan, that is just the problem I’ve run into; I could not squeeze what I wanted out of existing tags. What might be an example of a security hole? Just to make sure I avoid it!

  • #4 / Jul 07, 2012 5:03pm

    “Enabling PHP in a template will enable anyone with editing rights for that template to become a de-facto Super Admin since they can execute any PHP they want in that template, including PHP that can reveal information about your system, PHP that can delete data from your database, etc. Exercise extreme caution before enabling this option if you permit others to edit your templates.”

    http://ellislab.com/expressionengine/user-guide/templates/php.html
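
The warning quoted in post #4 means that any member group able to edit a PHP-enabled template effectively holds Super Admin rights. The audit below is an added example, not part of the original thread or of ExpressionEngine's own code, and it lists those groups per template. The table and column names, the treatment of group 1 as Super Admins, and all rows are constructed assumptions modelled on an EE 2 install; check them against your own schema.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions modelled on
# an ExpressionEngine 2 install; verify them against your own schema.
SCHEMA = """
CREATE TABLE template_groups (group_id INTEGER PRIMARY KEY, group_name TEXT);
CREATE TABLE templates (template_id INTEGER PRIMARY KEY, group_id INTEGER,
                        template_name TEXT, allow_php TEXT);
CREATE TABLE member_groups (group_id INTEGER PRIMARY KEY, group_title TEXT);
CREATE TABLE template_member_groups (group_id INTEGER, template_group_id INTEGER);
"""
SAMPLE = """
INSERT INTO template_groups VALUES (1,'site'),(2,'blog');
INSERT INTO templates VALUES
    (1,1,'index','n'),(2,1,'search','y'),(3,2,'entry','y'),(4,2,'archive','n');
INSERT INTO member_groups VALUES (1,'Super Admins'),(6,'Editors'),(7,'Client');
INSERT INTO template_member_groups VALUES (6,1),(7,1),(6,2);
"""

# PHP-enabled templates joined to every non-Super-Admin group that has
# edit access to the template group they live in.
QUERY = """
SELECT tg.group_name || '/' || t.template_name AS template, mg.group_title
FROM templates t
JOIN template_groups tg ON tg.group_id = t.group_id
JOIN template_member_groups tmg ON tmg.template_group_id = t.group_id
JOIN member_groups mg ON mg.group_id = tmg.group_id
WHERE t.allow_php = 'y' AND mg.group_id <> 1   -- group 1 = Super Admins (assumed)
ORDER BY template, mg.group_title
"""

def build_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def php_template_editors(db):
    """Map each PHP-enabled template to the non-Super-Admin groups that can edit it."""
    findings = {}
    for template, group in db.execute(QUERY):
        findings.setdefault(template, []).append(group)
    return findings

if __name__ == "__main__":
    for template, groups in php_template_editors(build_sample_db()).items():
        print(f"{template}: PHP enabled, editable by {', '.join(groups)}")
```

Every group the audit reports should either lose edit access to that template group or be treated as fully trusted.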

     

  • #5 / Jul 08, 2012 4:21am

    jackiewales

    37 posts

    Brilliant, fully understand that now. I have careful control over templates so it should not present an issue. Thank you for explaining.

  • #6 / Jul 18, 2012 9:53pm

    Bransin

    157 posts

    Another thing to consider is writing a quick plugin. Often I’ll start with writing PHP in a template, and then convert it to a plugin. Makes templates clean and gives you the possibility to do anything using EE syntax.

    Great starting point in creating a plugin: http://pkg.io/

  • #7 / Jul 19, 2012 4:12am

    jackiewales

    37 posts

    Thank you, excellent pointer. The mere word “plugin” has me feared. I did not see it as a natural extension of some of the things I am already doing, will give it a go!
