digg

Join DiggAbout

Discover and share the best of the web!
Learn more about Digg by taking the tour.

Defining CSS Constants Using PHP

tylerhall.ws — Tyler Hall has come up with a clever way to streamline edits for CSS constants (same styles repeated in different ids and classes) using PHP.

Bury
show profanity settings
expand all
  • avfguy, on 10/12/2007, -0/+0brilliantly simple and very useful - thanks!
  • tylerhall, on 10/12/2007, -0/+0I just got an email from a fellow digger. They suggested adding support for nested stylesheets. For example, you could add the line

    $$include = 'path/to/file.css'

    which would include and parse another stylesheet.

    I'll work on getting that feature added soon :)
  • bonzooznob, on 10/12/2007, -0/+1Read about it before, but a sweet idea, for sure.
  • tylerhall, on 10/12/2007, -0/+1New version is available. Let's you do nested css imports.
  • geminitojanus, on 10/12/2007, -4/+0Just waiting for someone to find a way to apply a buzzword to this and make it the next best thing since sliced bread or Ajax.
  • keesj, on 10/12/2007, -0/+0I have used this technique in the past, don't really understand what all the fuzz is about. Well, actually I always use instead of just $mainTextColor. I don't like all the parsing stuff in css.php. Add some caching-stuff I will use it :)
  • wilhelm, on 10/12/2007, -0/+1The method suggested in the article is not particularly useful. Just group your classes like this:

    .myStyle, .anotherstyle {
    color: rgb(13,37,42);
    }
  • instabil, on 10/12/2007, -1/+1Warning: There are two major security issues with this script. I will not post them here though. Please contact me if you are the author of the script.
  • msodrew, on 10/12/2007, -0/+0this is very VERY basic...

    although i don't know how experienced the digg crowd is.
  • instabil, on 10/12/2007, -0/+1It's also very dangerous. Don't use it!
  • mojo.ash, on 10/12/2007, -0/+0Why dangerous? I believe you can't have to sacrifice caching(client) ability of that stylesheet...
  • instabil, on 10/12/2007, -0/+0It's dangerous if you use it. You've been warned. I'll tell you why later when the script is fixed. Don't want anyone to hack this blokes page. But for gods sake don't use this script.
  • m94mni, on 10/12/2007, -0/+0What about this in a file called "style.php"?


  • arizonagroove, on 10/12/2007, -0/+0I've seen php generated css files before, but doesn't this prevent the browser caching the stylesheet?
  • instabil, on 10/12/2007, -0/+3Is this convincing enough?

    http://www.tylerhall.ws/blog/2005/12/dangerous+script
  • dolbex, on 10/12/2007, -0/+0We do this on our site as well. Its completely customizable color scheme by the user:

    http://www.mlgpro.com
  • sxtxixtxcxh, on 10/12/2007, -0/+0wow, that's pretty convincing... yay for injection :D
  • instabil, on 10/12/2007, -0/+0Well. I just don't want anyone to get in trouble because of this script. :P
  • automagically, on 10/12/2007, -0/+0@instabil
    I'm really curious how you did that!
  • instabil, on 10/12/2007, -0/+0Automagically: I'll tell you guys when he has fixed his page. Don't want everyone to have full access to his blog.
  • m94mni, on 10/12/2007, -0/+0Better way:

    http://www.barelyfitz.com/projects/csscolor/
  • instabil, on 10/12/2007, -0/+0m94mni: Yeah. That's a nice way.
  • AKX1, on 10/12/2007, -0/+0I have made something like that some time ago...

    http://www.devever.net/pegercer/akx/cssext/
  • sxtxixtxcxh, on 10/12/2007, -0/+0instabil: totally understand what you're saying.

    i think his script is overly complicated, and clearly you can see why that's bad.. :P
  • instabil, on 10/12/2007, -0/+0sxtxixtxcxh: It's always dangerous to copy other peoples code. =)
  • sxtxixtxcxh, on 10/12/2007, -0/+0m94mni: that IS much better.

    everything the dugg link wants to accomplish could be done using your link: http://www.barelyfitz.com/projects/csscolor/ minus all the extra calls to the server and filesystem. the ability to automatically generate hues is handy, but in this context, unnecessary. i may end up using it though ;)
  • sxtxixtxcxh, on 10/12/2007, -0/+0instabil: it's not the copying; it's the ignorance wherein the danger lies.
  • instabil, on 10/12/2007, -0/+0sxt: That's true. Most people new to PHP never realizes the dangers of bad coding. Tyler Hall seems to be of average experience. He is at least trying to patch the XSS-flaw.
  • galaxie, on 10/12/2007, -0/+0yeh, quite a security flaw indeed.... 'imreally' hoping he gets in touch with someone to figure out what it is.
  • benjaminr, on 10/12/2007, -0/+0who didn't think of that already
  • sathia, on 10/12/2007, -0/+0phpmyadmin uses this from years...

  • forgiste, on 10/12/2007, -0/+0Why don't you contact him and tell him what's wrong with it?
  • euphoria, on 10/12/2007, -0/+0Aww, I figured it out. Cool. Too bad the playground is down.
  • instabil, on 10/12/2007, -0/+3I just got an email from him, so I guess it's safe to explain now:

    There are two obvious security issues with this script:
    1. Deleting "http://" from strings won't stop XSS-attacks because php
    also uses https, ftp and ftps.
    2. If a hacker wanted he could for example go to the page:
    http://tylerhall.ws/css.php?file=blog/wp-config.php
    and read the php-code. Not very nice.

    Solutions:
    1. set the allow_url_fopen to false using the ini_set function before
    executing the script
    2. a little trickier but this would be a solution.
    example:
    css.php?file=wp-admin
    and in the php:
    $cssFile = $_GET['file'] . ".css";
  • cmer, on 10/12/2007, -0/+0Soooo late... and it's on the frontpage! :( Minus 10 diggs.
  • instabil, on 10/12/2007, -0/+0The script is OK now.
  • lumpy, on 10/12/2007, -0/+0Not only is this pretty basic, and begging to be raped but I don't see the point. If I use a color across my site I define it in one css file and I am done with it. If I ever need to change it I change it in that file and it changes across the site. Why would I ever need to add the php engine into the mix? If I need to do something localized I look at if it will need to be used again or a one off and if I should add it to the master style sheet or do in line for a one off item. It's a nice idea but I think it overlooks the basic benefits of css. He has some skills not trying to bash but really dont get it.
  • tylerhall, on 10/12/2007, -0/+0Thanks for all the comments. Yesterday this story had 14 diggs. I wake up this morning and I have 43 new emails and it's on the front page! Talk about a code review.

    As per (many) people's suggestions, I've updated the script to fix the security hole. Anyone see any other problems?

    /wipes egg off his face
  • instabil, on 10/12/2007, -1/+0Tyler: A little credit would be nice. My name is not Digg it's AndrĂ© :P
  • ruidlopes, on 10/12/2007, -1/+0this is play stupid. just use html's support of multiple classes within any element!!
  • thewizsps, on 10/12/2007, -0/+0For what it's worth, I have used this kind of method in past. It's cool, but said sites have also run into the 10's of millions of hits each month. A big thing that you can easily miss if you aren't careful, is that when you do a parse like this on a main css stylesheet every time the page displays, make sure you have a pretty decent server :) Oh and, yes I also agree that the script given is a bit insecure. Cheers though, for doing cool stuff with PHP and CSS to make less work!
  • Shen, on 10/12/2007, -1/+1Isn't this really, really obvious? This sort of stuff gets covered in the first chapter of any PHP tutorial.

    It's not like this is the only way to do it, either, why not he configure his editor to insert it for him?
  • a1programmer, on 10/12/2007, -0/+1Yes, this will prevent the css from being cached. css.php will be the most downloaded file on his server! haha.
  • CoconutBoy, on 10/12/2007, -0/+0Why parse it when you can use instead?
  • CoconutBoy, on 10/12/2007, -0/+0Ach... I meant <?= $blue ?>
  • saintwanker, on 10/12/2007, -0/+0old news.
    no digg.
    still interesting though
  • Iriel, on 10/12/2007, -1/+1I didn't dig this because of how the script works for css actually (because it actually go against a lot of what css tries to accomplish). I just dugg it because of Andre's valuable lesson in PHP security practices. If anyone knows of some good resources on that in plain english, please post them.
  • vstarre, on 10/12/2007, -2/+0***** duh. You a not a unique and wonderful individual. This goes beyond "obvious" and flows right into "the purpose of using PHP"


    "If you think it's so obvious, why didnt you come up with it?"

    I did. I just didnt make a web page /about/ it, because it was not "an idea I had" it was "a direct application of what PHP is designed to be used for"

    Though I don't use this (You can't even call it a technique) because various browsers cache differently (= ***** up from it)
  • tylerhall, on 10/12/2007, -0/+0"Yes, this will prevent the css from being cached. css.php will be the most downloaded file on his server! haha."

    No, it won't. Before the script sends the css to the browser it sends a header telling the browser to cache the file just like it normally would :)
  • jkearney, on 10/12/2007, -0/+0this is retarded and pointless.
  • Fetching more discussions...
    Show 51 - 86 of 86 discussions
  •  

    Login or register to add a comment

    Create a new account or login to join in the conversation on Digg. You'll also be able to Digg stories to help promote things you like.


© Digg Inc. 2008 — Content posted by Digg users is dedicated to the public domain.
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.