In Response to Fabien Potencier: Twig & PHP Templating

This evening I saw that the most excellent programmer, and lead of the the Symfony Framework: Fabien Potencier, had posted a new article on his blog about Templating Engines in PHP, and announcing a new templating engine: Twig

It’s a good article, and I highly recommend that you all go read it. But I took a few exceptions to some of his arguments against PHP as a templating language itself, I think he grossly undersold PHP-as-template in his enthusiasm to promote his new templating language that he created. This blog post is therefore simply a response to that. To that end, I’d like to start off with a few groundrules for my discussion:

1. Fabien’s ideas, and blog post, are solid.
2. Twig appears to be a great looking templating language
3. While I prefer PHP-as-template, I understand why, and when, using a templating language makes sense

So now, what specific points do I take exception to that he made? Lemme run through them each, in order he presented them:

Verbosity of simply echoing a variable

From his blog:

The PHP language is verbose. You need no less than 14 characters just to output a simple variable (and no, using the more compact <?= shortcut is not an option):
<?php echo $var ?>

Therein lies my first complaint. He’s taken away an option that many consider valid. Yes, it’s long been touted that using short tags, specifically the <? ?> version of them in PHP is considered bad practice. In fact, I agree with them on that specific point. But it overlooks a very common practice. Many developers while shunning the <? ?> shortcut for long blocks of code, still love, and use, the <?= ?> shortcut specifically for templates.

Why do they do this? Simply put, it’s extremely simple, and removes the common complaint that Fabien has brought up. In fact, it is so common, start asking developers and you will find many that cry: “They can pry <?= from my cold dead fingers.”. So common, that there are a number of people (including myself), who have been tossing around the idea of proposing a new option to the short_tags directive for PHP, allowing not just having them turned on or off. But allowing a 3rd option, that would enable <?= ?> while disabling <? ?>

When this is done, The PHP output very closely matches the Django that was used as an example:

Original:	<?php echo $var ?>
Short Tag:	<?= $var ?>
Django:	{{ var }}

Verbosity of output escaping

The article then also includes a discussion of how cumbersome it is to escape output in pure PHP, versus in most templating languages. I actually can’t directly disagree with this one, as even using short tags, you end up with the following comparison:

PHP:	<?= htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>
Django:	{{ var|escape }}

The PHP version is ugly. So what am I arguing here? What I’m arguing, is that the complete premise is incorrect here. It shouldn’t matter how complicated it is to escape inside of the templating language, because you shouldn’t be escaping inside of your templating language.

That statement probably just sat wrong on some people. Afterall, the templating language is supposed to make things easy, right? Well, no. Templating languages are about separation of concern. And specifically in their one truly solid use case – allowing non-programmers to edit templates – are about separating the person editing that file, from any of the code.

Why then, would you trust the escaping of output, something that is vital to the safety and security of your website … to a non-coder who won’t understand those implications? The answer is: You shouldn’t. Therefore it is my opinion that you should be handling all escaping as needed before the data gets to your template. That’s the only way to ensure security. In fact, later in the page Fabien admits to this, stating:

For me, security should be enabled by default, especially for templates written by non-developers who are not necessarily aware of the common web threats like XSS or CSRF.

Now where Fabien and I disagree there, is that he believes the solution is just for the templating language to automatically escape everything. I personally dislike this approach, because indiscriminate or inappropriate escaping can cause just as many issues as not escaping in the first place. This is a tricky situation. Not one, IMO, to be left to chance. I therefore greatly prefer having the PHP code itself, handle escaping in appropriate ways. Leave that ‘code’ out of the templates.

Once you’ve taking the escaping out of the template (either via magic escaping or manual), the argument over ugly escaping, disappears.

Legibility of control structures

The argument stays again mostly in the realm of readability, and now turns to more advanced structures. He specifically gives an argument of an example that is very ugly in PHP:

    <?php if ($items): ?>
      <?php foreach ($items as $item): ?>
        * <?php echo $item ?>
      <?php endforeach; ?>
    <?php else: ?>
        No item has been found.
    <?php endif; ?>

PHP is a great toolkit, which means there are always a half dozen ways to do anything. That’s great IMO as far as a templating language because it means that I have different options to make something as legible as possible. No matter what. In the above situation, Fabien has taken what is a small control structure with very little text, and written it in, probably, one of the most ugly ways possible to drive the point home. Quite possibly unintentionally. Most programmers would have written that as something like:

    <?php
        if ($items) {
            foreach ($items as $item) {
                echo "* {$item}\n";
            }
        } else {
            echo "No item has been found.\n";
        }
    ?>

That’s not only much more readable than the original version to a programmer (and one might argue to anyone), but I even find it more legible than the (granted, smaller) version of this that Django provides, because of having an ‘else’ statement that can be applied to a for loop, from Fabien’s example:

    {% for item in items %}
      * {{ item }}
    {% else %}
      No item has been found.
    {% endfor %}

Now I realize that I’ve stated that I found it more legible, and I also talked about how a programmer would rewrite this. I realize at this point, I’m starting to cross paths, since didn’t I just say that the one real use-case of a templating language, was for non-programmers? Well yes, and that’s true. But realize that there are other even simpler ways to have accomplished the above. Such as a common trick of separating storing a $noItemsMessage variable if, in fact, no items existed. Allowing it to just be directly output instead of as part of the overarching if/else.

But really, this now leads directly into the next point:

Complexity of language

Fabien talks then about a number of different points, specifically referring to other templating languages, about how they are not powerful enough in many ways. He goes on to give a good example of the power of Django, showing examples of template inheritance, as a way that it mimics class structure inside of the templates.

This is more a failing of other languages, since you can directly mimic Django’s functionality via the use of a few variables and include files, I’ve done it many times. But overall, I think again we start to miss the point and start to run into the other problem when we start discussing templating langauges.

Discussions of creating inheritance, or complicated foreach w/ else statements, seem somewhat moot to me. Afterall, wasn’t the original goal again to have non-programmers writing these templates? Suddenly these are sounding like a programming language altogether. In fact, they are. It’s the common curse of the templating language. It starts as simple. But as people need to perform more complicated tasks for more complicated templates for more complicated websites, the needs of the templating language grows, and suddenly it’s become it’s own programming language, and becomes too complicated for a non-programmer to use, without learning basic programming skills

This point, is where, in my past, serious discussions have happened within organizations over “So who should really be writing these templates now?”.

So now let’s get down to a hard statement by me. It is my own personal opinion, that if you using a templating language, you shouldn’t be doing anything complicated. That defeats the purpose. If people are going to be learning to write code, they should learn PHP and become helpful. Or the control of the templates should pass into the hands of the programmers. And if the templates are in the hands of the programmers, having PHP as your templating language means nothing new to learn, for anyone.

It’s a vicious cycle, I realize, but I keep coming back to it. In general, you should always keep as much code out of your template as possible. There are always ways to structure data to make the template simpler. If you are taking the bulk of logic out of your template therefore, then having a complex language doesn’t matter. (Though, PHP should meet all your complexity needs that you could ever want anyway)

A valid point

So it appears that I’ve completely picked apart Fabien’s article, but I hope that you don’t see it that way. He makes some good points. There are arguments for using his, or any, templating language. But as I started off saying, he seemed overzealous in coming up with good examples, instead of trying to put them on equal grounds.

There is; however, one extremely valid point that he had. What few templating languges offer you, and PHP definitely doesn’t, is sandboxing. The ability to block the template code from doing certain actions. Accessing data it shouldn’t, calling functions that are inappropriate, etc.

If you are in a situation where you absolutely have to let templates be edited by untrusted sources, and being published unvalidated. (Such as letting users of a website edit templates on the fly) Then yes, you absolutely need to find another option besides PHP-as-template

Upcoming Conferences

I’m going to be doing a fair bit of traveling in the near future, and wanted to point out a few stops along the way:

PHP|tek Conference

May 19 – 22 — Chicago
I’ll be presenting two talks:  Highly Scalable Web Applications and The Knight Rider Methodology to Software Development.  I also plan on participating in the Hack-a-thon that is being held one evening, for people to sit down and together work on enhancements to various Open Source projects, such as Zend Framework or Phergie.

Dutch PHP Conference

June 11 – 13 — Amsterdam
At DPC I’ll be giving the same talk as at PHP|tek: Habits of Highly Scalable Web Applications, plus a new talk: Code & Release Management.

Looking forward to hopefully seeing a few of you there!

Zend’s new Community Guy

Well, this seems to be the worst kept secret in the PHP community by the mumblings that have been going on.  So I think it’s time to confirm it.

I’ve been offered a position at Zend, and accepted it.  The official (lengthy) job title is Zend Community Manager/Leader & DevZone Editor-In-Chief.  The short form to many people would be:  “The job formerly held by Cal Evans“

I’m extremely excited about this opportunity to work with Zend and to have the focus of my daily job to be working with the PHP community which I dearly love.  I know that any attempt to fill Cal’s shoes will be met with failure, so I hope instead to come up with my own twist on the position and to give it my best.

The job is one that wears many hats, but can be very roughly boiled down to:  40% engaging with the community, 30% writing & soliciting articles for DevZone, 10% coding, 10% podcasting, and 10% communicating information back to Zend from the community.

My first day at Zend will be January 19th.  I’m sorry to leave TravelPod behind as they are some great people; however, they understand this position is a once in a lifetime opportunity and that I don’t want miss it.

Seven Things

So it seems I’m not immune to internet/blog meme’s, and there is currently a game of “tag you’re it” going on in the PHP community.  People are stating seven interesting or obscure facts about themselves, then tagging seven different people to do the same.  Well, I was jointly tagged by both Wez Furlong and Ben Ramsey … so I guess I better not disappoint, and keep the game alive:

So seven things about me:

1. I’m extremely active in the Society for Creative Anachronism (SCA for short).  It’s a medieval reenactment organization that focuses on pre-1600 life.  In the SCA I’m known as Lord Siegfried Sebastian Faust and I dress in the form of a 16th century Landsknecht (German mercenary).  I have many sub-hobbies inside of the SCA, including full contact sword fighting, archery and brewing (beers, wines, meads & ciders).  I also volunteer a fair bit of my time to helping run the organization to that others can enjoy it as much as I do.
2. While many folks know that I’m a beer aficionado, what’s interesting is that I didn’t get into beer until later in life.  My first exposure to beer was back in college when I was handed some VERY cheap beer.  Generic store brand, 25 cents a can.  It was horrible, and I never wanted to touch the stuff again.   Every couple of years, I’d try something that someone handed me, and it would end the same way.  Until one fateful Christmas many years after I had graduated college.  My company at the time did a Yankee Swap, and I ended up with a Guinness & Bass Black & Tan kit, with beer, glasses, and the magical spoon.  I decided that since I got it, I was going to enjoy it.  I sat down one evening to make myself a Black & Tan.  I tentatively took a sip, and it was good!  I then sampled each beer separately, and found that I adored Guinness.  And therefore, my love of good beer (especially Stouts & Porters) was born.
3. I have a full woodworking shop in my basement that I use to make medieval replica crossbows, or whatever else I feel like making (such as my poker table)
4. I grew up with my wife.  We met in kindergarten where I didn’t like her because we lined up by height to go anywhere, and she was the only person in class taller than me.  In 8th grade I wrote a letter asking her to a dance but never delivered it.  Then in High School we ‘traded rings’ on a football game band trip (we were both in the marching band).  We then dated all through High School and college, and got married after graduating college.
5. My very first computer was a Texas Instruments TI-99/4a (just like Marco), and I loved writing ‘adventure’ games for it.  I later upgraded to an Apple ][c and was an Apple fanboy until the early Macintosh line came out.   Now many years later, and thanks to OS/X, I’ve returned back to Apple fanboy-dom
6. I’m extremely addicted to Video Games and usually play a little every night after both son & wife are in bed.  I’ve been playing ever since I was 3 years old and we got a Sears Pong Machine.  I even won a Doom Tournament back in college (and I had a failed attempt at becoming a professional gamer at one point, turns out that while I might have been good, other people were GOOD).  I currently have sitting in my house an Xbox 360, Nintendo Wii, Nintendo Gamecube, Sega Dreamcast, Nintendo NES, and an Atari 2600.  I also admit to caring a bit too much about my Xbox 360 Gamer Score.
7. While the current roundness of my belly doesn’t show it, growing up I had an affinity for sports.  I played baseball & basketball for my school teams as well as golf.  I was a 4 year Letterman in Varsity Golf in High School & Captain of the Golf Team.

so now, I have to tag 7 people that I want to see make a Seven Things writeup myself, So many people have already been tagged that it’s up to me to find some PHP diamonds in the rough … so in no particular order:

• Stephane Daury – @stephdau – PHP Geek who will probably mention skateboarding
• Owen Byrne – @owenbyrne – Digg coder #1 who has moved onto other things (including photography)
• Luke Welling – @lukewelling – Who will regale us of horses in his Austrailian accent.
• Andrei Zmievski – @a – We must hear from the infamous White Russian!
• Dylan Richard – @detour1999 – Coder extrordinaire for Threadless, and fellow guy who understands the need for truly 2X t-shirts.
• Harper Reed – @harper – Dylan’s boss, ’nuff said
  
• Lauren Cooney – @lcooney – MSFT-ite who is working hard to embrance the PHP community there.
  

and the rules of this ‘game’ for those that I have tagged:

• Link your original tagger(s), and list these rules on your blog.
• Share seven facts about yourself in the post – some random, some weird.
• Tag seven people at the end of your post by leaving their names and the links to their blogs.
• Let them know they’ve been tagged by leaving a comment on their blogs and/or Twitter.

Also, they are trying to keep track of all this this madness over at PHPDeveloper.org, so check there for a list of who has done it, and who is slacking.

PHPAdvent entry: Commenting on Commenting

Today’s blog post brought to you by PHPAdvent    I was asked to contribute, and so did, polishing off a post I had planned for my own blog and submitting it to PHPAdvent instead.

It’s all about commenting & documenting your code, and you should go read it at the PHPAdvent website.

Interviewing Programmers

As anyone who reads this blog knows, a few months ago I went through the process of finding a new job.  That of course included a number of interviews.  Which got ‘interviewing’ on my mind and encouraged me to write this article.  Now, months later, I finally got around to it.

I’ve interviewed my fair share of programmers over the years, and I find personally that how you interview a ‘junior’ versus ‘intermediate’ versus a ’senior’ programmer needs to change.  Specifically in regards to one topic.

What’s that topic?   It’s giving a coding test (as well as just whether you ask coding questions in the interview)

I personally find that asking a coding test of junior programmers is a GREAT tool for helping to evaluate them.  Typically just a very simple test, a basic CRUD application.   Looking at what they create not only gives you insight into how they think and code (did they do MVC?  a simple single .php file?  handle web security? etc).  It also gives you a great starting point to begin discussions with them in person, asking them about why they did (or didn’t) do certain things.

It’s also worthwhile to go into great depth with junior folks just to make sure that they understand some basics of programming.  Recursion?  Object Oriented? etc.

That starts changing somewhat when you start interviewing folks who are more at an intermediate level.  At the that level, asking for the coding test is fine, but I like to offer for them to instead just provide some code they’ve written before if they wish.  From looking at their code, you may come up with a few directions that you want to guide the discussion with them in an interview to understand certain parts of their knowledge.

This completely switches over in my mind when it comes to interviewing a senior person.  Someone who is ’senior enough’ (use your own definition) should have their experience speak for them enough that there is no reason to ask for a code sample, let alone giving them a coding test.  Typically looking at their experience and asking them a number of probing questions about their experience should rapidly inform you if they know what they are talking about.

Now that’s not to say, that if after doing an initial interview, if something seems fishy, or if you are concerned about their experience, then go ahead and ask for a sample/test after the fact to dig deeper.

But my point is this, when interviewing for senior candidates, you should be spending time researching their experience, their history, what they’ve publicly done, presentations/articles/etc they’ve done and more.   You should take the effort to learn enough about the candidate that it should make most questions about their ‘coding skills’ a moot point, and leave you instead asking more about bigger picture questions, and to see how well they fit within your team.

Also I highly suggest that any coding test you give be a ‘take home’ test.   Let them take their time to do the problem in their own environment.   Asking someone to do a live coding test in front of you is asking for failure.  Are you going to be standing over them watching their every keystroke when they are working for you?  no?  Then why would you test them in that environment?  It doesn’t give a good indication at all as to how well they code (and the style in which they code) when given the freedom to do so.

Programming Certifications

UPDATE: I have left the original blog post intact below, but I wanted to make a clarification on my position here, as many conversations that I have had with people about this blog post (my most controversial) have led me to believe that many people who read this misunderstand my point.  I’ll take the blame on not being clear enough.

To summarize as quickly as possible, let me say that certifications are certainly useful personal gauges to see if you can pass the test or not (especially when offered free, I hold a number of BrainBench certifications because of that – note that they are not listed on my resume), I also understand that many companies do require or desire them, especially in the government sector.  That’s fine.

My primary point was that I personally do not feel that a certification is a good indicator of “How skilled of a programmer is this person”, but that experience & having a conversation with the person dictates that.  So yes, if I have a pile of 200 resumes in front of me, and I need to quickly narrow it down to 10 to call first, those that prominently display their certifications instead of letting their experience stand out, tend to get sorted into the ’second rung’ category.  And that simply applies for the companies I’ve worked for, the job descriptions that we had, and the types of positions & work we were doing.  Everyone should always try to tailor their resumes to the specific job that they are applying for.

The original article follows in it’s entirety:

---

As it stands, I’ve shocked more than my share of people in the past when I’ve mentioned my stance on certifications for programmers.

Specifically, that when I have a pile of resumes in front of me, and I’m giving them an initial pass to sort them apart, I take any that mention their programming certifications, and sort them to the bottom.

Why?  Simply put, I find that programming certifications are essentially useless.  More to the point, I find that typically the people who list certifications on their resume as part of their qualification for the job, are obviously not qualified.  Afterall, had they been qualified in the first place, why would they need a certification to prove it to me?  Their experience should speak for itself, and the interview should weed out anyone with fake experience.

Some have argued that I shouldn’t hold certifications against people, and I have to point out, that I don’t.  I only hold it against the person, if it’s listed on their resume, specifically if listed as part of their qualifications.  IMO, that all comes down to tailoring your resume for the job you are applying to.  If you are applying to a ‘big corporate entity’/'government’/etc, then sure, perhaps you need to include it because you know they are looking for it.   But that’s not the types of places I have worked for.  If you are applying to a ‘cool place that understands technology & programming’, then you should leave those certs off of your resume entirely.

So what is it that’s so wrong with the certifications in the first place?   Simply put, they prove nothing to me.  They only prove that you could cram and pass a multiple choice test.  I understand and am all for certification programs in other fields than programming.  Especially fields where what is being done must follow certain guidelines (civil engineering), or in general is much more of an exact science than an art (electrical wiring).

But the problem is, that programming at it’s core, is an art.  It’s figuring out ways to work around issues.  It’s finding bugs when the website is down.  It’s understanding the ‘right or wrong’ ways to write a section of code, while also understanding that there are a dozen right ways, and 3 dozen wrong.  None of that, does a certification test.

There is also the fact that a certification doesn’t take place in a programmer’s environment.  When a programmer is at work they have their dev machine which is configured just how they like it.  They have reference materials handy.  They have a compiler/interpreter to tell them when they messed up.

Knowing in the blink of an eye what the order of parameters to explode() are, doesn’t measure your ability as a programmer, at all.

And worse, is the fact that quite often the fact you ‘passed’ a certification doesn’t even mean you did all that well on a test.  Passing can involve much failing.  See the graphic that I have posted with this story, it’s a screenshot from a practice test for the Zend Certification exam for PHP.  Note that the person who took the test failed Security, Database, Design, Arrays, and Basic Language skills.

Yet, they passed the overall test, and would be a ZCE (Zend Certified Engineer).  This goes to the point, just because someone passed just enough questions on a certification exam to pass it … doesn’t mean that they are a good programmer or even that they know some of the most basic skills needed to become a good programmer.

It just means they were able to pass a test (which they may have taken many times before they did)

Conferences, TravelPod & Travel

Well I realized today that I haven’t blogged since I accepted my new job at TravelPod.  (Even though I have 7 blog posts hanging back in draft form).  So I decided to break the silence.

So far, the job is excellent, challenging, and keeping me very busy.  Of course, I’ve had my share of other things to keep me busy as well, namely travel.

I just returned from ZendCon 08, which, as always, upholds a high level of quality.  It’s one of the best PHP conferences every year.   This year I gave two presentations, my standard “High Performance PHP & MySQL Scaling Techniques“, and a brand new one titled: “The Knight Rider Methodology to Software Development“.  Both were well received and the Knight Rider one was standing room only.  That may have been due to all the Knight Rider clips I was showing during the talk

I currently don’t have any future conferences that I’m committed to yet, though there are a number that I’m considering.  I do know that I’ll be making some trips to Ottawa (to visit TravelPod) and Boston (to visit TripAdvisor).

Oh, and I was invited to attend a Microsoft PHP Summit in Redmond in November and I’m really looking forward to it.  I’ll get to chat with MSFT and other PHP notables about things that the PHP community could use (in general, and from MSFT).  As well as hear what things MSFT may have planned.

I no longer work at digg.com

Well I originally announced this information on July 1st via twitter: http://twitter.com/EliW/statuses/847974862

However it seems right that I do so now here on my blog in more than 140 characters.

Though, the tweet mostly says it all.  As of July 1st I was no longer a Digg employee.  Digg and I mutually parted ways.   I really did have a blast at Digg (even if there were some very frustrating times there, but what job doesn’t have those?).  I feel very proud to have been an integral part of helping to build what has truly become a major brand on the Internet.

I have to say, it was in fact pretty cool having someone else be awestruck just because of the company that you work for.  In fact I’ll relate a little story.  My wife is a Project Manager for the Army.  One day she was over talking to her Tech Support team about some work issue.  Somehow the topic of Digg came up.  She mentioned that her husband worked for Digg.  She says that everything suddenly got quiet, and that the next words spoken were:  “Dude, he’s like a programming rock star!”

Those words, and similar situations, will be hung on my virtual mantle.  Right beside my 3″x3″ square piece of the Hubble Space Telescope Solar Array that I have, as fond memories from previous jobs.

I do wish to thank Digg for the great years, for the great friendships (which I hope will continue), and especially for the amazing opportunity to be part of something special.

Eli

PS.  Anyone hiring?

Heading to php|tek

I’m at the airport and getting ready to head to php|tek 2008 in Chicago.  I’m giving two talks there:  “Help, my website has been hacked, now what?“   and   “High Performance PHP & MySQL scaling techniques“

The usual slate of great PHP presenters will be in attendance such as Ben Ramsey, Chris Shiflett, and well, just too many other folks to list.   The highlight I’m sure will be Terry Chay’s closing Keynote: “The Internet is an Ogre“.  In fact, I made sure and took a late flight home on Friday just so that I can be there for it.

Looking forward to a great conference and hoping to see some of you blog readers there.   Find me, and we can chat over a Goose Island Honker’s Ale in the hotel bar.