"Paul M. Jones":http://paul-m-jones.com has "responded to my comments":http://paul-m-jones.com/blog/index.php?p=72 regarding "PHPSavant vs. Smarty":http://revjim.net/item/10170/.
First and foremost, I'd like to say that I'm quite impressed. I had read the documentation for "Savant":http://phpsavant.com/ and found a reference to a "basic compiler", but I had no idea that it would have as many features as this compiler does. I certainly didn't "try to set [Paul] up for this one", and I'm glad that he elaborated as much as he did.
The most impressive and interesting aspect of having a template engine that can operate in a mode where plain PHP is used is that it means, as Paul points out, that "the compiler is separated from the core templating system. The 'best' or 'most useful' compilers can evolve separately from the core template functions." I say, the more separation the better, and having this as another layer just makes it that much more customizable and flexible. I can't count the number of times I wished that the Smarty syntax for something could be made to look just a little bit different than it does for specific applications.
All of that being said, I decided to look over the basic compiler bundled with Savant. While it certainly does have many of the features that Smarty does, and just about all of the important or most often used features, it is lacking in one area: *security*. The bundled basic compiler offers very little protection in the way of keeping users from doing what we're using a compiled template to keep them from doing in the first place: executing arbitrary PHP code. With this compiler, a user could easily execute any PHP statement desired simply by misusing the plugin tag, not to mention variable interpretation, and even the flow logic statements. As it is, the template compiler doesn't even come close to providing the one thing that it should provide above all others: again, security.
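To make the point concrete, here is an added illustration (my own sketch for this post, not Savant's bundled compiler and not Smarty code) of the difference between a compiler that splices tag text into the PHP it generates and one that only emits PHP it built itself from a fixed grammar. The tag shapes ({$var.key} and {plugin attr="value"}), the plugin allow-list, and the $this->vars and $this->plugin() names in the generated code are all assumptions made for the example.

```php
<?php
// Added illustration, not Savant's bundled compiler and not Smarty code: a minimal
// tag compiler that only emits PHP it generated itself. The grammar ({$var.key} and
// {plugin attr="value"}), the allow-list, and $this->vars / $this->plugin() in the
// generated code are assumptions made for this example.

final class StrictCompiler
{
    /** @var string[] plugin names a template author may call (constructed allow-list) */
    private array $plugins;

    public function __construct(array $plugins)
    {
        $this->plugins = $plugins;
    }

    // What a compiler must NOT do: splice the tag body straight into the generated
    // PHP. Whatever the template author wrote between the braces becomes code.
    public static function naive(string $tpl): string
    {
        return preg_replace('/\{(.+?)\}/s', '<?php echo $1; ?>', $tpl);
    }

    // Hardened form: every tag must match one of two fixed shapes, and the output
    // is assembled from var_export()ed literals, never from the raw tag text.
    public function compile(string $tpl): string
    {
        return preg_replace_callback('/\{(.+?)\}/s', function (array $m): string {
            return $this->compileTag(trim($m[1]));
        }, $tpl);
    }

    private function compileTag(string $tag): string
    {
        // {$name} or {$name.key.subkey}: a variable lookup, always HTML-escaped on output
        if (preg_match('/^\$([A-Za-z_]\w*)((?:\.[A-Za-z_]\w*)*)$/', $tag, $m)) {
            $expr = '$this->vars[' . var_export($m[1], true) . ']';
            foreach (array_filter(explode('.', $m[2])) as $key) {
                $expr .= '[' . var_export($key, true) . ']';
            }
            return '<?php echo htmlspecialchars((string) ' . $expr . ', ENT_QUOTES, "UTF-8"); ?>';
        }

        // {plugin attr="value" ...}: the name must be on the allow-list and attribute
        // values are plain double-quoted literals (no quotes or backslashes inside)
        if (preg_match('/^([A-Za-z_]\w*)((?:\s+[A-Za-z_]\w*="[^"\\\\]*")*)\s*$/', $tag, $m)) {
            if (!in_array($m[1], $this->plugins, true)) {
                throw new RuntimeException("plugin not allowed: {$m[1]}");
            }
            preg_match_all('/([A-Za-z_]\w*)="([^"\\\\]*)"/', $m[2], $attrs, PREG_SET_ORDER);
            $args = [];
            foreach ($attrs as $a) {
                $args[] = var_export($a[1], true) . ' => ' . var_export($a[2], true);
            }
            return '<?php echo $this->plugin(' . var_export($m[1], true)
                 . ', [' . implode(', ', $args) . ']); ?>';
        }

        // Anything else is outside the template grammar. Refusing to compile is the
        // whole point: the naive version would have passed it through as PHP.
        throw new RuntimeException("unrecognized tag: {$tag}");
    }
}

// Constructed sample: one variable tag and one allow-listed plugin tag.
$compiler = new StrictCompiler(['date_format']);
echo $compiler->compile('Hello {$user.name}, today is {date_format format="Y-m-d"}'), "\n";

try {
    // a tag that fits neither shape is rejected instead of being compiled
    $compiler->compile('{$user.name ?: "anonymous"}');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The design choice that matters is in compileTag(): the generated PHP is built only from names and values that already passed a regular expression, and those are written out with var_export() so they land in the compiled file as string literals. The naive() method is there for contrast; a template run through it is, in effect, whatever PHP its author chose to put between the braces. A real compiler would also need an escape form for literal braces, which this sketch leaves out.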
But, in making this determination, I've really looked into the Savant codebase. I'm quite impressed. Not only does having the compiler exist in a pluggable and separate fashion from the template engine itself make perfect sense, the code inside of Savant is better structured and much cleaner than Smarty's code base.
Paul is dead wrong about one thing, though: with a more secure template compiler at its core, there is NO reason to use Smarty whatsoever. Savant is cleaner, probably faster, and every bit as featureful. With the added separation and flexibility an independent compiler buys you, using Savant with a secure template compiler provides you with everything you had in Smarty, and then some.
If you think it doesn't provide what you're looking for, you aren't looking hard enough. Let's say you want… templates stored in the database. Great, make a compiler that uses the template location passed to it to determine which template to load from the database and do just that. If you need to then compile that template, you can do so right there, either in a method in that class, or with the help of another compiler.
I think that it might benefit Savant greatly to allow you to register compilers by name. In other words, instead of loading a compiler all inclusively, it would be nice to be able to associate a compiler with a prefix. Say I write a compiler that mimics Smarty's syntax. Then, instead of loading that compiler directly and all inclusively, it would be nice if I could, instead, load it with the name "smarty". Then, any request for the template named "smarty://whatever/here/there.tpl" would be passed through the smarty compiler. Of course, you can make do without this feature, but that doesn't seem like a lot of overhead and it sure would be useful.
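Here is an added sketch of what that registry could look like, combined with the "templates in the database" compiler from the paragraph before it. It is my own illustration for this post, not Savant's API: the TemplateCompiler interface, the class names, the db:// scheme and the templates table are all assumptions, and it uses PHP 8 with PDO's SQLite driver so that it runs on its own.

```php
<?php
// Added sketch of the "register a compiler by name" idea, combined with the
// database-backed template loader from the previous paragraph. Nothing here is
// Savant's API: TemplateCompiler, CompilerRegistry, the db:// scheme and the
// templates table are assumptions made for this example (PHP 8, PDO with SQLite).

interface TemplateCompiler
{
    /** Turn a template location into PHP source ready to be cached and included. */
    public function compile(string $location): string;
}

/** Plain-PHP templates on disk: the file already is the program, nothing to translate. */
final class PlainPhpCompiler implements TemplateCompiler
{
    public function __construct(private string $baseDir) {}

    public function compile(string $location): string
    {
        $root = realpath($this->baseDir);
        $path = realpath($this->baseDir . '/' . $location);
        // refuse a location that resolves outside the template directory
        if ($root === false || $path === false || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("template not found: $location");
        }
        return (string) file_get_contents($path);
    }
}

/** Templates stored in a table; the stored source is handed back for inclusion. */
final class DatabaseCompiler implements TemplateCompiler
{
    public function __construct(private PDO $db) {}

    public function compile(string $location): string
    {
        $stmt = $this->db->prepare('SELECT source FROM templates WHERE name = ?');
        $stmt->execute([$location]);
        $source = $stmt->fetchColumn();
        if ($source === false) {
            throw new RuntimeException("no template named $location in the database");
        }
        // A translating compiler (Smarty-style tags to PHP) could be chained here
        // before the source is returned.
        return (string) $source;
    }
}

/** Maps a scheme prefix such as "smarty://" or "db://" to the compiler registered under it. */
final class CompilerRegistry
{
    /** @var array<string, TemplateCompiler> */
    private array $byScheme = [];

    public function __construct(private TemplateCompiler $default) {}

    public function register(string $scheme, TemplateCompiler $compiler): void
    {
        if (!preg_match('/^[a-z][a-z0-9+.-]*$/', $scheme)) {
            throw new InvalidArgumentException("invalid scheme name: $scheme");
        }
        $this->byScheme[$scheme] = $compiler;
    }

    public function compile(string $template): string
    {
        if (preg_match('#^([a-z][a-z0-9+.-]*)://(.+)$#', $template, $m)) {
            if (!isset($this->byScheme[$m[1]])) {
                throw new RuntimeException("no compiler registered for {$m[1]}://");
            }
            return $this->byScheme[$m[1]]->compile($m[2]);
        }
        return $this->default->compile($template);   // no prefix: the default compiler
    }
}

// Constructed sample: an in-memory SQLite table holding one plain-PHP template.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE templates (name TEXT PRIMARY KEY, source TEXT NOT NULL)');
$db->prepare('INSERT INTO templates (name, source) VALUES (?, ?)')
   ->execute(['greeting.tpl', 'Hello, <?php echo htmlspecialchars($this->name); ?>']);

$registry = new CompilerRegistry(new PlainPhpCompiler(__DIR__ . '/templates'));
$registry->register('db', new DatabaseCompiler($db));

echo $registry->compile('db://greeting.tpl'), "\n";   // fetched from the table, not the disk
```

A request without a prefix goes to whatever compiler was registered as the default, a request with a prefix goes to the compiler registered under that name, and an unknown prefix is an error rather than a silent fallback. The two compilers show the two halves of the argument: PlainPhpCompiler does no translation at all but still checks that the resolved path stays inside its directory, and DatabaseCompiler shows that "where the template comes from" can be decided entirely by the compiler the prefix selects.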
Regardless of that, I'm on a quest now to write a better Savant Compiler. If I can do it without too much effort, then you should see the fruits of my labor in a few days and you'll have a convert on your hands.
Thanks again, Paul.