I was looking at templating systems for php, and I’ve come to believe that pure php code seems to be the solution I want to use.

I’m the lone developer, so there’s no designers who need a nerfed arena to work in. Template engines like smarty seem to suffer from the “Inner-platform effect”. If I stick with good practices ( pre-computed values, use only foreach ), I think this will work.

My goal is to have a single source for the string of the html shared by each page. My thought is that a separate php file, accessed via include, is a good way to meet this goal.

However, I’m concerned that that might pose a security hazard for the site — I can’t think of anything specific at the moment, but someone could guess the name of the template and request it directly, perhaps exposing something they needn’t see. (I suppose I could put in a check to see if it itself is the request.) I have a hunch this could be bad, so I don’t want to go ahead and do it, create what I feared would happen, and then throw that work away.

If a separate file is not the best idea, what else should I use to basically store a string for the whole site? A string constant in an include, that I could use in sprintf()? A function that returns the html string from arguments of the page-specific html parts?