Let me start of by saying that MySQL is very fast and very secure. I recommend building the pages with MySQL upon request, most web applications do this because its a very good approach. To save resources you can cache the output using a Squid Reverse Proxy, and it is very common to see this on high traffic sites. PHP’s APC will also reduce resource consumption without sacrificing secuirty. Smarty’s Caching system is also a good approach with minimal security impact.

There are secuirty concerns regardless of what method you choose, but some approaches more hazardous than others. For instance creating .php files with user input is probably the most dangerous thing you can attempt to do with a php web app.

$page='$title="'.$_GET['user_title'].'"';
file_put_contents("/var/www/page.php",$page);

An attack against this code would look like this:

http://localhost/page_creater.php?user_title='; eval($_GET[backdoor]); /*

Creating XML files with user input is also dangerous because it opens the door for Advanced LFI Attacks. However, the counter argument is that as long as your application is free from Local File Include vulnerabilities, then you shouldn’t have to worry. But this is not a “Defense in-depth” design, because you should plan on failure.

Its possible to implement something like Squid’s reverse proxy in php using ob_start(), however your still creating files with attacker controlled data, and that is hazardous. Also don’t include() .html files that’s incredibly stupid (See advanced LFI attacks…), a better approach is this: print(file_get_contents($file)). I do like using .html files over using .xml files because html doesn’t have to be processed before outputting it to the user. Using xml files as a data storage is wasteful of resources when compared to MySQL.

(Disclaimer: Vulnerabilities have been found in Smarty and squid, and php, and linux, and mysql and apache and…. everything else, even StackOverflow 😉