Templates and power

Do you use a template engine in your PHP projects or is PHP your template engine?

Opinions have traditionally been diverse and discussions heated. Some say 'PHP is a template engine, why would you need another one?'. Others have countered that PHP lacks features and clarity when used as a template engine.

But I think there is another, more hidden difference of opinion or world outlook between people in these different camps. I think it is about power. Who has the power to program the system?

To quote Fabien Potencier of Symfony fame:

Of course web designers can learn a bit of PHP... until they learn too much and start getting stuff that do not belong to the template in their templates (like getting records directly from the database, anyone?) 

I understand this attitude, I've worked with designers that made a mess of things as well. But I've just as often worked with programmers who made a mess of things. The solution in my opinion is education and not control.

I believe that programming is not something best left to programmers. I firmly believe it is something anyone can and should do!

This is where PHP shines in my opinion. There simply isn't a system that allows you to start programming in a more simple and direct way than PHP. You do not need to learn complex programming lore to start your first useful PHP program. 

Of course it isn't just about preventing designers from programming. There are other factors that may decide whether or not to use a template engine in your next PHP project.

Separation of display and business logic is one of those. The proponents of simplified template languages often say that by using templates you separate display code from business code. Anyone who has been programming for a while will understand that that is a good idea. However, you do not need separate languages to separate code. You mostly need to understand the concept and adhere to it; which language you use for which isn't really important, unless you use it to force the separation on others.

Again a choice between education and control.

Ease of use then. The argument is that PHP is too difficult to learn, too verbose to use. I think that this is mostly nonsense. True, PHP can be more verbose than some template languages, if you count characters. But the concepts in PHP are on a similar level of complexity. If you need a looping mechanism, PHP's while and foreach are not fundamentally more complex than other looping constructs. Mostly the complexity comes from the API you program to in your template code. If that is simple and easy to understand, your PHP templates will be simple and easy to understand as well. And as a bonus your designers may become full-blown web developers over time.

Security is another reason to switch to a separate template language. PHP doesn't have the best track record for security. Ironically, some of that comes from features introduced for ease of use. However, this is no longer true.

The best feature from some template languages that is missing from PHP is automatic escaping or quoting of content. This helps prevent XSS attacks, but is certainly not a complete solution. The PHP version is rather more complex and easily forgotten. But you could fairly easily create an API that makes it a lot easier to use. Additionally I believe strongly that any modern application should have XSS attack detection built-in as a failsafe that will trigger whenever a vulnerability exists and is potentially being abused.
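One way such an API could look, as an added example that is not code from the original post: a small wrapper that makes plain PHP templates escape on output by default. The class name Escaped, its raw() method and the sample data are assumptions made for this sketch, and it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical wrapper (name and API are assumptions, not from the post).
// Echoing a wrapped value HTML-escapes it; raw() is the explicit opt-out.
final class Escaped implements ArrayAccess, IteratorAggregate
{
    public function __construct(private mixed $value) {}

    // Escapes for HTML text and quoted attribute values only; URLs, inline
    // JavaScript and CSS need their own context-specific encoding.
    public function __toString(): string
    {
        $text = is_scalar($this->value) || $this->value instanceof Stringable
            ? (string) $this->value
            : '';
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Greppable escape hatch for markup that is already trusted.
    public function raw(): mixed { return $this->value; }

    // Array members come back wrapped, so nested data is escaped as well.
    public function offsetExists(mixed $offset): bool { return isset($this->value[$offset]); }
    public function offsetGet(mixed $offset): mixed { return new self($this->value[$offset] ?? null); }
    public function offsetSet(mixed $offset, mixed $value): void { throw new LogicException('read-only'); }
    public function offsetUnset(mixed $offset): void { throw new LogicException('read-only'); }

    public function getIterator(): Iterator
    {
        foreach ((array) $this->value as $key => $item) {
            yield $key => new self($item);
        }
    }
}

// Constructed sample data; the second comment is a hostile input.
$post = new Escaped([
    'title'    => 'Templates & power',
    'comments' => ['Nice post', '<script>alert(1)</script>'],
]);
?>
<h1><?= $post['title'] ?></h1>
<ul>
<?php foreach ($post['comments'] as $comment): ?>
  <li><?= $comment ?></li>
<?php endforeach ?>
</ul>
```

Because the only way to emit unescaped markup is a call to raw(), a review or a grep for that one method name finds every place where a template bypasses escaping.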

Another potential problem is SQL injection. But again, there should not be a need to do direct database access in your templates. If your internal API is well defined, all database access should be through an API that doesn't accept SQL statements. I don't think you should necessarily prevent direct database access from ever happening, though it is usually an indicator that your API isn't complete enough.

Both these and other security features in template languages stem from a desire to prevent people from shooting themselves in the foot. However they implement this by taking away the gun and replacing it with a nerf gun. I believe that it is more empowering and liberating to teach people to use the gun properly. In the end this will make everybody more able to do their job without unneeded and unnatural walls based on ill-defined job descriptions.

One example of what can happen if you allow designers to program is jQuery. Some programmers may say that that is exactly what they don't want to happen, but jQuery has empowered many people to build things that they otherwise couldn't. It is the perfect example showing that people from diverse backgrounds can create useful tools if given the opportunity.

So next time when you feel the need to add a template engine, consider PHP and liberate your designers.
