In my pursuit for financial independence I’ve been taking on random freelancing gigs from some really smart and interesting clients. One of the more respected clients I work with has been using Expression Engine for their main platform for years, and while I was initially skeptical, I’m beginning to believe there is potential for Expression Engine to be a useful tool too. There’s just one little thing; it’s possible to create a debugging nightmare pretty easily.

Expression Engine is built by the same company who put together pMachine, one of my favorite blogging software from back in the day, so I had some pretty high hopes for it. Then I started reading some off the cuff comments about Expression Engine, especially in comparison to my mortal enemy Dolphin CMS, and I started getting a little nervous. Then, when I started seeing how the flow worked, my head almost exploded.

See, all the style and creative stuff is stored in the database. Because Expression Engine has it’s own meta templating language (similar to Smarty in syntax and style; to me anyway) all the templates are available and ready for anyone to make modifications to. On top of that, Expression Engine allows for the inclusion of custom php inside of the stored template files which gets executed with the dreaded and evil “eval()” tag.

Confused? Me too. To help clear things up here’s a snippet of Expression Engine templating code:

{assign_variable:my_weblog="default_site"}
{assign_variable:my_template_group="site"}
{embed="global/header"}
Page Content Here.

It should be pretty obvious what the code above is doing, but because I get a lot of shit for not being verbose (I’m looking at you Reddit), here’s what’s happening:

1. A variable called “my_weblog” is being created with the variable “default_site”.
2. A variable called “my_template_group” is being created with the variable “site”.
3. The header template file is being included.

Not so bad right? I didn’t think so either but there’s also the inclusion of raw php. The below is perfectly valid to do in Expression Engine (assuming the “Allow PHP in Tempaltes” setting is enabled):

<?php
$my_weblog = 'default_site';
$my_template_group = 'site';
include 'global/header.php';
?>

The above is a translation of the Expression Engine code by the way (if you hadn’t picked up on that). This, too, isn’t bad per se, but it does break a few very important rules which I’ll get into in a moment. Annoying and sort of dangerous? Absolutely. But I can see where the appeal lies in allowing this sort of functionality (and, yes, even if you have to use eval() to do so).

That being said, my head almost exploded when I saw how the logic was laid out when mixing both the Expression Engine template tags with php functionality. Keep in mind that Expression Engine has a setting that allows you to set when in the processing flow you want the php to be executed. If that sounds confusing just know that in the below example the Expression Engine stuff is executed before the php code.

Here’s what I mean:

{exp:query sql="SELECT name FROM exp_freeform_entries WHERE entry_id = '1'"}
<?php
$name = '{name}';
?>

The above simply grabs the name from the table and then sets it up for use by php. Once again, perfectly valid usage it would seem, though the more astute people will immediately see the issue.

Since Expression Engine executes the template tags first this is kind of a snap. The thing is though there’s no escaping going on there. The above will work great when the value of name is something like Eric or John but what if the value is “Eric O’Reily”?

Yeah; it’s gonna break with a parse error. But worst of all when it does break the error message you’re going to get is going to reference the call to eval() and not the actual template file. This is going to make debugging a bit of a bitch. On top of that, there’s no native method to escape anything within Expression Engine itself. So adding the usual call to addslashes() isn’t possible.

So, while Expression Engine is pretty snazzy and nice it isn’t without it’s pitfalls. Mind you, the escaping issue isn’t impossible to avoid; it’s more a question of design than anything. It is something that needs to be watched out for because, yeah, doesn’t seem there’s going to be a change anytime soon.