0

I'm currently using Chatfuel to open the index.php-file of my website which sends the user the html code into his browser. There he can register and set up his account. An example URL might look like this:

https://my.domain.com?key_value='123456789'

Depending on if that user is a new or an existing one, I wanna present him with a different form. In order to check so, I do a simple query to the MySQL db and see if the passed on key_value is already in the db and save true or false to a boolean. Stating the obvious: If he's not an existing user, the 'empty' form with no values should show up. If he is registered he should see the information he filled in from last time.

My idea: At the top of my index.php I do the check whether he's an existing customer or not (Note: This is working already). Then I want to use output buffering to alter the html-code depending on the boolean, before it is sent to the client.

My problem: I developed the blueprint of the website in plain html (see code below). And OB only catches it as output if it's within a string. Since I use " as well as ' in the document the string gets interrupted every few lines. Is there a simple workaround to this? Because the OB function is unable to access anything within the <html>...</html> tags. Or do I need to use redirecting after the check (in my index.php) and create a separate form + script for both edit customer data and add new customer data?

```php
<?php

// Connection stuff

// Default: treat the visitor as a new customer until the lookup finds a match
$existing_customer = FALSE;

// Prepared statement: $uniqueurl is bound as a parameter instead of being
// concatenated into the SQL, so it needs no manual escaping
$query_rslt = FALSE;
$stmt = mysqli_prepare($conn, "SELECT * FROM tbl_customer WHERE unique_url = ?");
if ($stmt && mysqli_stmt_bind_param($stmt, 's', $uniqueurl) && mysqli_stmt_execute($stmt))
{
    $query_rslt = mysqli_stmt_get_result($stmt);
}

if ($query_rslt === FALSE)
{
    // Failure: log the database error on the server, show only a generic message
    error_log(mysqli_error($conn));
    echo "<br> Oops! Something went wrong with the querying of the db.";
    // Handle error
}
else
{
    if ($query_rslt->num_rows > 0)
    {
        // Set boolean
        $existing_customer = TRUE;

        // Create an array called row to store all tuples that match the query string
        while($row = mysqli_fetch_assoc($query_rslt)) {
            //...
        }
    }
}

// Custom post processing function
function ob_postprocess($buffer)
{
    // do a fun quick change to our HTML before it is sent to the browser
    $buffer = str_replace('Testing', 'Working', $buffer);

    // Send $buffer to the browser
    return $buffer;
}

// start output buffering at the top of our script with this simple command
// we've added "ob_postprocess" (our custom post processing function) as a parameter of ob_start
if (!ob_start('ob_postprocess'))
{
    // Failure
    echo "<br> Oops! Something went wrong with output buffering. Check that no HTML-Code is sent to client before calling this start function.";
    // Handle error
}
else
{
    // Success
    // This is where the string should get accessed before sending to the client browser
    echo "Testing OB.";
}

?>

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        //...
</body>
</html>

<?php

// end output buffering and send our HTML to the browser as a whole
ob_end_flush();

?>
```

Output: "Working OB."

EDIT: I added source code example. This code won't compile.

Half_NO_oB
  • 35
  • 5
  • Show some example code where you handle that plain html string and the string or file contents with that html. You'll get a better answer, because the problem you're asking to solve probably started earlier than it has stopped you and the solution to go further will be patching the mistake instead of removing it. – shudder Sep 02 '18 at 05:20
  • The code is added. The function you're asking for is `ob_postprocess`. It's currently just a placeholder for the manipulations that will be done with the real html code (once it's working). It's passed as parameter to `ob_start('ob_postprocess')` and sent to client as soon as `ob_end_flush()` gets called (see code comments or [object buffering](http://web.archive.org/web/20101216035343/http://dev-tips.com/featured/output-buffering-for-web-developers-a-beginners-guide)). What do you mean by "the problem I'm asking..."? I didn't get that part sorry. – Half_NO_oB Sep 02 '18 at 19:35
  • 1
    Can't you just read your html in from a file via `file_get_contents()` ? Since you probably want to put in dynamic values from a DB call or whatever at some point, use tokens or place holders and just run it through a series of calls to one of the string replace functions – ivanivan Sep 02 '18 at 19:39
  • Well, so you're suggesting that I escape the strings like Cik Irvan in his answer below states and then put it into a variable called content? Or would this code `$form_content = file_get_contents($file_name,FALSE,NULL,62,157);` do the trick (meaning it will automatically escape my html code)? I will put some research into this. Ty fth(int) : unintended wordplay – Half_NO_oB Sep 02 '18 at 21:36
  • The only problem is that string replacing hack which could be replaced with straight forward variable display (you may use array of strings & escaping function with empty string fallback if array key does not exists). Is that where you have trouble with quotes? Trying to replace part of output with hardcoded html strings? – shudder Sep 02 '18 at 22:05
  • I didn't get the first part of what you're saying tbh. What do you mean by straight forward variable display? But yes I'm trying to replace parts of the output of a php-file. And the code to be altered is in "hardcoded" html. I found a downloadable demo for `file_get_contents()` and will play around with it to see if I can reach the desired result. Sorry I just started with php or web development in general 2 weeks ago. Can you further explain what you mean by that first part? – Half_NO_oB Sep 03 '18 at 00:00

2 Answers

0

Since I can't comment, I'll put some of my questions here.

I don't really get the point, but let me try: do you mean escaping a string? You can use backslashes \ to escape a string.

Like this: `"select from ".$dbname." where id = \"".$id."\""`.

You can easily use `addslashes($var)` before adding the variable to the SQL, like this:

```php
$id = addslashes($_POST['id']);
$sql = "select from db where id = '$id'";
```

If you mean checking the existence of the user to select which form to show in the page, why don't you do this?

```php
<?php
if(userCheck()) {
  ?>
    <!-- here write the html code if user passed -->
  <?php
} else {
  ?>
    <!-- here write the html code if user not passed -->
  <?php
}
```

You can put userCheck() as a global function or wherever you place it, as long as you can use it when you want to check the user before showing the form.

Irvan Hilmi
  • 378
  • 1
  • 4
  • 16
  • This just might do the trick already. Did a quick research on [string escaping and what it does](https://stackoverflow.com/questions/10646142/what-does-it-mean-to-escape-a-string) and it looks like the thing I need. Although it will be bothersome to manually add backslashes to the few hundred lines of html... – Half_NO_oB Sep 02 '18 at 19:14
  • The thing is, the forms are very similar. For now users will be unable to edit their CC information because it is saved and handled using API. The rest of the form will be identical (besides one holds the read data from the db in the form fields). Doing the `userCheck()` thing will create a huge index.php file and every change made to the html most likely needs to be done twice. I'm not familiar with php and its best practices but this appears to be very messy for a long term solution. – Half_NO_oB Sep 02 '18 at 19:19
  • After testing, this is the easiest way to do it. If it's just a few cases at least. However, in a large "hardcoded" html-document this will take hundreds of mutations. Which you could easily do with the replacement function of your text editing tool ofc. But code would be messy. And we don't want that. The hint on escaping strings gave me a direction and people should really know about it. I will edit the question and add my solution once I got some sleep. Thank you. – Half_NO_oB Sep 03 '18 at 08:07
  • but the userCheck() can be put in another file, like you create a new `check.php` that is included in `index.php`, or using `object` like `classes`. – Irvan Hilmi Sep 04 '18 at 08:29
  • You could definitely do so. But what's the point in doing that? Splitting up code and improve reusability? Any other advantages? Please prove your point. – Half_NO_oB Sep 04 '18 at 17:58
  • Sorry wait a moment. – Irvan Hilmi Sep 05 '18 at 04:28
  • Cause you said you will make a huge `index.php` by adding `userCheck()`. The point is, ok let's say, if the html form is put in a file named `form.php` or inside a function `function form()` or even inside a `method` of a `class`, you only need to modify it once. Why, cause when you need the html form you can just call the file or the `function` or the `method` – Irvan Hilmi Sep 05 '18 at 04:36
0

tl;dr: The thing I was looking for was a combination of file_get_contents() and object buffering.

file_get_contents() returns a string of a plain html-file of your choice. I could post a ton of explanation here or simply link you to phppot.com. The article offers you a directly executable demo with source (Download here). In case you wanna try it with an html file of yours, simply change the file path.

So once the whole html was converted into a string, I used the postprocessing function of OB to alter the string (= basically my html) if it's an existing user that came to alter his data. Then all the html-code (in a string still at this point) is sent to the client using ob_end_flush(). I will put up the actual code asap :)

Half_NO_oB
  • 35
  • 5
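
The placeholder approach suggested in the comments, combined with the `file_get_contents()` idea from this answer, as an added example that is not the poster's code: values read from the database are HTML-escaped as they are substituted, so a stored `"` or `'` cannot break out of the `value` attribute. The `{{token}}` syntax, the `render_form()` helper, the inline template and the sample row are assumptions made for illustration.

```php
<?php
// Added example: template, token names and row data are constructed.

// In practice this string would come from file_get_contents('form.html'),
// so the HTML can use " and ' freely without any PHP string escaping.
$template = <<<'HTML'
<form method="post" action="index.php">
    <input type="text" name="first_name" value="{{first_name}}">
    <input type="text" name="company" value='{{company}}'>
    <textarea name="notes">{{notes}}</textarea>
</form>
HTML;

/**
 * Replace every {{token}} with the HTML-escaped value from $row.
 * Tokens without a matching key (new customer) become an empty string.
 * preg_replace_callback works in a single pass, so a stored value that
 * itself contains "{{...}}" is not expanded a second time.
 */
function render_form(string $template, array $row): string
{
    return preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        function (array $m) use ($row): string {
            $value = isset($row[$m[1]]) ? (string) $row[$m[1]] : '';
            // ENT_QUOTES escapes both " and ', covering both attribute styles above
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
}

// Constructed sample row, shaped like the array mysqli_fetch_assoc() returns.
$row = [
    'first_name' => 'Anna',
    'company'    => "O'Brien & Sons",
    'notes'      => '</textarea><script>alert(1)</script>',
];

$existing_customer = true; // stands in for the result of the database check

// Existing customers get the pre-filled form, new ones the empty form.
echo render_form($template, $existing_customer ? $row : []);
```

Because one template serves both cases, the form markup only has to be maintained in one place.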