PHP and HTML – When Separating Them is Counterproductive

htmlPHP

Understanding that it is less load on the server to not have to parse HTML, when does it work the other way, as far as server performance.

The majority of my Web sites are database-driven – often the same cosmetic structure with entirely different information. Separating the HTML, which is minimal compared to the PHP involved, does it come to a point where excessive calls to PHP defeat the performance gained by separating the two? I am totally aware of the possibility that I do not totally understand how PHP processing takes place. I am listing two examples below.

Unless I am misunderstanding how PHP works, in this little bit of code, I am making 5 calls to PHP, whereas the second is only one.

(Please excuse the old mysql. This was just a convenient example)_

Separate

<div class="Filters">
   <?PHP
   $Result = mysql_query( --- Complex query --- );
   if(!$Result){$Error[] = "Database Error! [4]";}
   else
   {
      $L = mysql_num_rows($Result);
      $CatItems[] = "All";
      while($C=mysql_fetch_array($Result))
      {
         $CatItems[] = $C['Cat'];
      }
      sort($CatItems);
      $a = $L%2 == 0 ? (int)($L/2) : (int)($L/2)+1;
      ?>
      <div class="2Col">
      <?PHP
      for($x = 0; $x < $a; $x++)
      {
         ?>
         <div class="FilterItem">
            <div class="CriteriaSelect" data-cat="<?PHP echo($CatItems[$x]);?>"><?PHP echo($CatItems[$x])?/>
            <div class="FilterCount">
               <?PHP  
               if($CatItems[$x] == "All"){$Rows = $ProgRows;}
               else
               {
                  $CCount = mysql_query( --- Complex query --- );
                  $Rows = mysql_num_rows($CCount);
               }
               echo('('.$Rows.');
               ?>
            </div>
         </div>
      </div>
   </div>

PHP Writing HTML

<?PHP
echo('
<div class="Filters">');
   $Result = mysql_query( --- Complex query --- );
   if(!$Result){$Error[] = "Database Error! [4]";}
   else
   {
      $L = mysql_num_rows($Result);
      $CatItems[] = "All";
      while($C=mysql_fetch_array($Result))
      {
         $CatItems[] = $C['Cat'];
      }
      sort($CatItems);
      $a = $L%2 == 0 ? (int)($L/2) : (int)($L/2)+1;
      echo('
      <div class="2Col">');
      for($x = 0; $x < $a; $x++)
      {
         echo('
         <div class="FilterItem">
            <div class="CriteriaSelect" data-cat="'.$CatItems[$x].'">'.$CatItems[$x].'
            <div class="FilterCount">');
               if($CatItems[$x] == "All"){$Rows = $ProgRows;}
               else
               {
                  $CCount = mysql_query( --- Complex query --- );
                  $Rows = mysql_num_rows($CCount);
               }
               echo('('.$Rows.');
               echo('
            </div>
         </div>
      </div>
   </div>');
   ?>

Best Answer

Your two examples are effectively equivalent – the PHP engine processes the entire file and interprets the outside HTML roughly as if it were a string that is printed out like in the second example. There is no extra overhead. And if there is any overhead, it is insignificant compared to actions like waiting for a database response, or negotiating an encrypted HTTPS connection.

The real answer though is “neither”. While PHP was originally developed to allow small PHP snippets to be inserted into an (otherwise normal) HTML file, this is now considered unmaintainable and even dangerous. For example, notice that you fail to perform HTML escaping of the output you are echoing. If someone can insert a string of their choice into the database, they could perform an XSS attack.

For these reasons, the current best practice is to use a separate template engine to render the HTML contents. Most template engines escape by default (so are secure-ish by default), and require you to opt out of escaping if you really have a variable that contains verbatim HTML. For example, the PHP Symfony web framework uses the Twig template language.

Nobody has paid for "random advertisements" since 1998.

Serving random advertisements is a useless endeavor. How valuable are feminine product advertisements on sites aimed at men, or vice a versa. I would say they have negative value to me as an advertiser. Doing more sophisticated ad delivery implies a much more sophisticated set of metadata about the viewer, that is for all purposes anonymous unless you are Google in 2012.

PHP and RDMBS for systems like this don't scale.

See what Mochigames did for their in house custom Ad distribution server solution. hint: it isn't PHP or traditional database based.

IP Addresses aren't good for anything other than what they were designed for.

Tracking IP Addresses is the absolutely wrong way to approach this problem. IP Addresses are for routing to its location, nothing more. They are not a globally unique id, and are less than useless as such.

IP addresses aren't unique because of NAT.
IP addresses aren't unique because of spoofing.
IP addresses aren't unique because of anonymous randomizing proxies.
IP addresses are useless in detecting bot nets, the most common click fraud mechanism.
IP addresses are useless in detecting human nets as well.

Deep Pockets

Google and the other big players spend 10s of millions of dollars on this problem every year, maybe more. They can't stop it with all that money and Phd.s in pocket, I doubt some PHP and client side Javascript ( which by definition is useless ) would have any impact at all.

The only way to detect and marginalize click fraud is to apply very sophisticated machine learning algorithms ( this is where the Phd comes into play ) after the fact to look for very broad patterns of behavior ( this is where the money comes into play ) and have that algorithm adapt over time to become more accurate.

Some Click Fraud Acceptance is Inevitable

But even then you have to tune the results in favor of false negative, that is you have to be willing to accept some actual click fraud, because not paying for false positives would completely undermine your trust worthiness to your legit customers.

PHP Database Operations – Should Database Operations be in Separate Files

Should I separate and create a PHP file for insert and a PHP file to get results from the database?

First, you may separate your data access from the business logic by moving data access code to a data access layer. For instance, if the select boxes are populated with the list of countries, then you'll have to call:

$this->db->listCountries();

from your business logic instead of doing directly the PDO stuff and the actual select ... from.

The next step is to consider what should be done with the business logic which is processing the submission of the form. You might decide that this is totally independent from the code which populates the form, in which case a separate file makes sense; however, in most cases, you'll consider that both actions are related, and keep them in the same file.

From your question, I'm not sure how advanced you are in application architecture, so if you don't know the following concepts, make sure you learn them:

You may also be interested in using a framework (especially in PHP). Laravel looks promising and encourages you to use MVC.

I use require_once 'SELECT query file' to populate the select boxes

While including files with require_once is a viable approach, it may be difficult to maintain the list of files to include. What if you rename a file which is included in a few dozen of files? What if you forget to remove an include to a file you don't use any longer?

This is why often autoloading is used instead: with autoloading, you don't have to import anything manually, and it just works, magically. You may also be interested by PSR-4 (or PSR-0 if you don't use namespaces in your project).