Quick Question (ECHO VS EOF)

[coolshrimp]

From Codes below what would be the best code to use? and why?All do the same thing and work.1. Insert variables

<?php//Open the file.$fileHandle = @fopen("myfile.csv", "r") or die(print_r(error_get_last(),true));$count = 0;//Loop through the CSV rows.while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {	$count++;	// Skip First 2 Rows	if ($count > 2) {		if ($row[3] === 'TYPE') {?><td valign="center"><a href="<?php echo $row[4]?>" target="_blank"><img src="../../images/Logos/<?php echo $row[1]?>" style="max-width:<?php echo $row[2]?>px;" alt="<?php echo $row[0]?>"></a></td><?php                }			}}?>

2. Echo Each line

<?php//Open the file.$fileHandle = @fopen("myfile.csv", "r") or die(print_r(error_get_last(),true));$count = 0;//Loop through the CSV rows.while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {	$count++;	// Skip First 2 Rows	if ($count > 2) {		if ($row[3] = 'TYPE') {			echo '<td valign="center"><a href="';			echo $row[4];			echo '" target="_blank"><img src="../../images/Logos/';			echo $row[1];			echo '" style="max-width:';			echo $row[2];			echo 'px;" alt="';			echo $row[0];				echo '"></a></td>';					}			}}?>

3. USING EOF

<?php//Open the file.$fileHandle = @fopen("myfile.csv", "r") or die(print_r(error_get_last(),true));$count = 0;//Loop through the CSV rows.while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {	$count++;	// Skip First 2 Rows	if ($count > 2) {		if ($row[3] === 'TYPE') {echo <<<EOF<td valign="center"><a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a></td>EOF;		}			}}?>

Edited July 28, 2015 by coolshrimp

[justsomeguy]

The third way isn't "EOF", it's a heredoc. You can use any identifier other than "EOF" to enclose that. That's usually the preferred method because it's readable and you can still substitute variables.

[coolshrimp]

OK thank you.yes i know you can change the identifier "EOF" i didn't know the proper term "heredoc".

 

third way is what im currently using like you said its easier to make changes and understand whats going on its not all broken up in to Echo's. and no need to escape characters.one more questionSay i have a comment form writing to the CSV file.Fields: Name, Email, Comment

 

I want to load that CSV to a webpage.i know csv has no formatiing so currently i put <br><br> between paragraphs in the comment field and it prints out the break and web browser knows its HTML break and formats.but anyone could then submit malicious code and it would load on the site right?so is there a way i can filter out all HTML tags but allow formatting tags like <br>, <b>, <strong> ect?

 

 

[justsomeguy]

PHP has a strip_tags function, but a better solution is to use something like HTMLPurifier.

[coolshrimp]

but strip_tags will remove all correct?id like to keep <br>, and <b> if possible.is there a way to strip_tags ignoring an allowed list?

[justsomeguy]

You didn't look at the documentation, did you?

[coolshrimp]

yea i did after i sent the comment thanks. looking into it.

[coolshrimp]

can i simply do this?is this safe?

strip_tags($comment,'tag you want to allow');

like

strip_tags($comment,'<br><b>');

[coolshrimp]

NVM i see this

Warning

This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

[coolshrimp]

i think i just wont have any user inputs load without being checked

Edited July 28, 2015 by coolshrimp