I was reading up on trying to get Mono, mod_Mono and Apache 2 to work together, but it's quite a difficult endeavour because it requires extensive configuration and I'm working in the dark -- the documentation doesn't seem to work on my server and no one is responding in IRC that can help.
Now, I'm reconsidering whether to use ASP.NET or PHP5 for the 100th time.
So then I searched through this forum for mentions of ASP.NET, and I came across Simon Parzer's blog about ASP.NET and he says that ASP.NET is bad because .NET/Mono will eventually spill out messy, 'final' source code for the web pages...
But on the developers side (which I think is more important), it is very clean because the code can be placed in the back-end file and you can connect with the web page by using the IDs of HTML/ASP.NET objects.
Also, what I much like about ASP.NET is the "master page" feature... When I was making an ad hoc website for myself with PHP5 not so long ago, the closest thing to doing that was with
include("php/header.php") <-- web page --> include("php/footer.php")
That's not quite desirable because it means that those pages have to be half-complete and I'd need to make assumptions about those header/footer files.
* Is there any way to make PHP5 clean?
* Why would ASP.NET's automagically generated code matter?
* Is Apache Tomcat a remotely feasible solution?
Another thing, people say "PHP is unstable and has bad security" and others say things like "I've heard that ASP.NET has security problems". But they don't give any specifics...
You can make clean PHP websites, but you'll need to invest in a framework.
You can make clean PHP websites, but you'll need to invest in a framework.
What do you usually do for your clients?
What have you done for Allegro.cc?
I hear good things about CakePHP (http://en.wikipedia.org/wiki/CakePHP) as a framework. But if you don't really mean a complete framework then something like the Pear (http://en.wikipedia.org/wiki/PHP_Extension_and_Application_Repository) wrapper classes might be what you want. Or if it's just a templating system then Smarty (http://en.wikipedia.org/wiki/Smarty).
For mine I just wrote my own templating/db system that does most of what I want.
For a templating system, I recommend PHPTAL.
I use Serendipity for my blog, which uses Smarty. I've customized the templates a bit, and it does its job pretty well. No problems with it so far.
That's about all I can give you, though. I'm a fledgling web developer.
My website isn't exactly pretty, and it's probably offline most of the time because my router is playing up periodically, but I have a basic header written out, I simply call a function, generate_header("home page"), and it will generate a header with "home page" written across the top. You can put all sorts of information in the parameters. Same for the footer. If you're thinking of a 'commercial' style website, I'd advise against my method. I'd also advise against the commercial-style altogether as it always seems too complicated. Sites like A.cc and Google are obvious and simple, but still look nice. Sites like Maplin's have too many images, take forever to load, and are difficult to use the first time as you have no idea where anything is.
Just my thoughts.
I was reading up on trying to get Mono, mod_Mono and Apache 2 to work together, but it's quite a difficult endeavour because it requires extensive configuration and I'm working in the dark -- the documentation doesn't seem to work on my server and no one is responding in IRC that can help.
I hope you weren't trying to use mod_mono for .NET 2.0. So far, only the 1.1 version is usable.
I've worked a lot with both ASP.NET and PHP. I made two web applications using ASP.NET and one homepage+CMS (not counting my private homepage and some small projects) using PHP.
My blog post is a bit dated now, I wrote it when I started with ASP.NET, I could only see the disadvantages and not the benefits back then. Of course the end result (HTML+JavaScript code) is much worse using ASP.NET, but especially when you consider writing a web application it saves you a huge lot of work. There is a reason behind the fact that many companies use ASP.NET.
The most impressive thing is probably that you can make an application that displays data from a database table, allowing the user to modify, delete and add entries without writing a single line of code in ASP.NET.
To do the same thing in PHP you need a lot of knowledge about the API and whatnot. What bothers me, though, is (as already mentioned) the result of ASP.NET. When I develop a page in PHP I know what the HTML output will look like. On ASP.NET you end up with chunks of code like this, which have only one purpose: to hold the framework together:
<div>
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTEwMDUyNjYzMjhkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRZjdGwwMCRsb2dpbiRSZW1lbWJlck1lBRxjdGwwMCRsb2dpbiRMb2dpbkltYWdlQnV0dG9uWAH/hleJpt9aXDs/v6sNs3bYQ1A=" />
</div>
<script type="text/javascript">
<!--
var theForm = document.forms['aspnetForm'];
if (!theForm) {
    theForm = document.aspnetForm;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
// -->
</script>
<script src="/blah/WebResource.axd?d=SVfXBLAoY5NJ1Aig7wagNg2&t=633137390482886900" type="text/javascript"></script>
<script src="/blah/WebResource.axd?d=acrwNDtzT6E-JYdnXViovDhgh90idtg33A7w1nLQZC81&t=633137390482886900" type="text/javascript"></script>
<script type="text/javascript">
<!--
function WebForm_OnSubmit() {
    if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
    return true;
}
// -->
</script>
Also, if you try some of the more complex features of ASP.NET you will inevitably stumble over some bugs and quirks in the implementation (i.e. concerning the ViewState). PHP in turn is pretty stable and nearly everything works as expected (I discovered a bug only once, it disappeared after upgrading to the next version of the interpreter).
To draw a conclusion, it's a matter of taste what you use. If you like WinAPI, Windows Forms or .NET you will probably choose ASP.NET. If you want to do a complex web application without thinking too much, you will choose ASP.NET (or JSP), too.
But if you want to do something from scratch, implementing the entire thing yourself, you want to use PHP. Or Perl. Or Python. Maybe Ruby. Yeah, or something else. If you want to make a homepage where most of the content is static, you don't want to use ASP.NET, because it gets in your way.
While ASP.NET implements a framework with a lot of classes, PHP only gives you the basic functions: Date/Time, DB access, DOM, XML, ... You need to know what you're doing, but you have a lot more control.
Oh, and there is always the last option: plain HTML.
Anyway, what do you want to make? A private homepage?
Anyway, what do you want to make? A private homepage?
Yes. Although I really doubt that anyone would visit my site, I'd like to make a forum (just for the heck of it) and a news page...
Also, there would be a showcase of any games that I make or that friends make, as well as a whole set of web pages dedicated to any single game if it is good enough which contains game info and news.
I would actually have serious reservations about doing a web site in ASP.NET simply for the reason that it has pathetic time zone support. I.e. it has none. You can shift dates by arbitrary amounts, but in terms of time zones, you can convert from local to UTC, or from UTC to local. Nothing else.
Without using a PHP framework, is there any other clean way to code in php?
Right now, I do things like:
<h1><?php print("$header"); ?></h1>
With the PHP and HTML interleaved, but none of this:
<?php print("<h1>$header</h1>"); ?>
Should I just copy + paste the header and footer code into each web page?
A system that Drupal uses, and they call it "phptemplate" works like this:
<?php
// phptemplate.php
// Render a template file with $args in scope and return its output as a string.
function get_template($filename, $args) {
    ob_start();
    include $filename;
    return ob_get_clean();
}
?>

// index.tpl
<html>
<head>
<title><?php echo $args["title"]; ?></title>
</head>
<body>
<?php echo $args["body"]; ?>
</body>
</html>
This way you can do things like this:
$pageData = get_template("pages/thread.tpl", $posts);
echo get_template("layouts/index.tpl", array("title" => "Viewing Thread", "body" => $pageData));
It's pretty versatile and allows you to keep the header and footer in one place.
I think that I may have it, thanks to Guilt in IRC.
I'm thinking that my web pages could just be like this:
<html>
<head>
<title>Archon's Page</title>
</head>
<body>
<div id="header">
<?php include("php/title.php") ?>
</div>
<div id="navigation">
<?php include("php/nav.php") ?>
</div>
<div id="content">All of my stuff can go here!
</div>
<div id="footer">
<?php include("php/footer.php"); ?>
</div>
</body>
</html>
I'll also have to include the css stylesheet at the top... But, it's actually a bit more stable because I don't have to create half-complete webpages, the title.php, nav.php and footer.php could be just blocks of webpages as opposed to being a necessity.
What do you all think?
That's sloppy, I personally used to use that setup and it grows very messy. You should separate logic and code. I usually use Smarty, because I can get my HTML setup and keep it separate, passing in my page data.
Also, after scrolling up in IRC, I saw a discussion on using JS/AJAX to make the site. My advice on that: don't overuse JS. Only use it where you need it, and do everything else server side.
I generally do it like that too. Not because I think it's the best, but because it's the best that I've thought of to do it. I've never been completely satisfied with any method I've used.
[edit]And by that "that" I meant the way Archon described... I think I violated some pronoun-antecedent relationship rule.[/edit]
I second BAF's suggestion. A template system like Smarty is just the thing you need.
It'll probably take some time to get used to, though.
<%@ Page CompilerOptions='/R:"C:\Program Files\Microsoft.NET\Odbc.Net\Microsoft.data.odbc.dll"' ClassName="SenderClass" Language="VB" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="Microsoft.Data.Odbc" %>
<HTML>
<HEAD>
<SCRIPT Language="VB" Runat="server">
Sub Page_Load(Source as object, e as EventArgs)
    Username.Visible = False
    Dim sConString As String = "DRIVER={MySQL ODBC 3.51 Driver}; SERVER=localhost; DATABASE=serverinfo; UID=root; PASSWORD=*****; OPTION=3"
    Dim oConnection as ODBCConnection = new ODBCConnection(sConString)

    Dim sSQL as String = "SELECT * FROM servers"
    Dim oDataAdapter as ODBCDataAdapter = New ODBCDataAdapter(sSQL, oConnection)
    Dim oDataSet as DataSet = new DataSet()
    oDataAdapter.Fill(oDataSet)

    Dim sSQL2 as String = "SELECT * FROM applications"
    Dim oDataAdapter2 as ODBCDataAdapter = New ODBCDataAdapter(sSQL2, oConnection)
    Dim oDataSet2 as DataSet = new DataSet()
    oDataAdapter2.Fill(oDataSet2)

    oDataGrid.DataSource = oDataSet
    'oDataGrid.DataBind()

    If not Page.IsPostback then
        myDropDownList.DataSource = oDataSet
        myDropDownList.DataTextField = "name"
        myDropDownList.DataValueField = "name"
        myDropDownList.DataBind()
        myDropDownList.Items.Insert(0, "")
        myDropDownList.Items.Insert(1, "All Servers")
        'myDropDownList.Items.Insert(1, new ListItem("All Servers", "All Servers"))

        myDropDownList2.DataSource = oDataSet
        myDropDownList2.DataTextField = "ip"
        myDropDownList2.DataValueField = "ip"
        myDropDownList2.DataBind()
        myDropDownList2.Items.Insert(0, "")

        myDropDownList3.DataSource = oDataSet2
        myDropDownList3.DataTextField = "name"
        myDropDownList3.DataValueField = "name"
        myDropDownList3.DataBind()
        myDropDownList3.Items.Insert(0, "")

        Username.Text = Context.Items("Username")
    End If
End sub

'Event to transfer page control to Result2.aspx
Sub Page_Transfer(sender As Object, e As EventArgs)
    if (Not myDropDownList.SelectedItem.Text = "") or (Not myDropDownList2.SelectedItem.Text = "") or (Not myDropDownList3.SelectedItem.Text = "") then
        Context.Items("name2") = myDropDownList.SelectedItem.Text
        Context.Items("ip") = myDropDownList2.SelectedItem.Text
        Context.Items("Applications") = myDropDownList3.SelectedItem.Text
        Context.Items("ans3") = "name"
        Context.Items("Username") = username.Text
        Server.Transfer("Results.aspx")
    else
        label.Text = " You have not selected an Item"
    End If
End sub
</SCRIPT>
</HEAD>
<BODY>
<h1 align="center">Information Systems</h1>
<h1 align="center"> HW/SW Management System</h1>
<ASP:DataGrid ID="oDataGrid" Runat="server"/>
<h2 align="center">Search Facility </h2>
<form runat="server">
<p align="center">
<table>
<tr>
<td>
<b>Server:</b> <br>
<b>IP Address:</b> <br>
<b>Applications:</b>
</td>
<td>
<asp:DropDownList ID="myDropDownList" Runat="server"/><br>
<asp:DropDownList ID="myDropDownList2" Runat="server"/><br>
<asp:DropDownList ID="myDropDownList3" Runat="server"/><br>
</td>
</tr>
</table>
<asp:Button Text="Search" OnClick="Page_Transfer" runat="server" /><br>
<asp:label id="label" runat="server" />
</p>
<asp:TextBox ID="Username" runat="server" />
</form>
</BODY>
</HTML>
<HTML>
<HEAD>
</HEAD>
<BODY>
<h1 align="center">Information Systems</h1>
<h1 align="center"> HW/SW Management System</h1>
<h2 align="center">Search Facility </h2>
<form name="_ctl0" method="post" action="search.aspx" id="_ctl0">
<input type="hidden" name="__VIEWSTATE" value="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" />
<p align="center">
<table>
<tr>
<td>
<b>Server:</b> <br>
<b>IP Address:<b> <br>
<b>Applications:<b>
</td>
<td>
<select name="myDropDownList" id="myDropDownList">
<option value=""></option>
<option value="All Servers">All Servers</option>
<option value="AccessCare">AccessCare</option>
<option value="ACare - Narnia">ACare - Narnia</option>
<option value="Argent-Monitor">Argent-Monitor</option>
<option value="Devservices">Devservices</option>
<option value="Fieldworker">Fieldworker</option>
</select><br>
<select name="myDropDownList2" id="myDropDownList2">
<option value=""></option>
<option value="10.6.77.160">10.6.77.160</option>
<option value="10.9.77.170">10.9.77.170</option>
<option value="10.5.3.54">10.5.3.54</option>
<option value="10.8.3.34">10.8.3.34</option>
<option value="10.7.3.15">10.7.3.15</option>
</select><br>
<select name="myDropDownList3" id="myDropDownList3">
<option value=""></option>
<option value="Access Care">Access Care</option>
<option value="Argent Predictor">Argent Predictor</option>
</select><br>
</td>
</tr>
</table>
<input type="submit" name="_ctl1" value="Search" /><br>
<span id="label"></span>
</p>
</form>
</BODY>
</HTML>
If you're just making a simple site, then don't get carried away over the elegance of it. PHP is great for simple things, regardless of how you use it. (And other than the ugly syntax you have to live with, it is great for larger things too ... if you can discipline yourself.)
If you're interested in doing at least one thing right, then I would use a template system. Personally, I never found one that I liked, so I wrote my own. So naturally, mine is the best one out there, but since it's not available, that won't help you.
Smarty is probably the most widely used. I don't like it because it's so horribly written. You can not do complicated expressions because its parser is as lame as can be. For instance, you cannot put two variables through the same filter unless you first assign them to another temporary variable. (You might be able to with backticks, but at some level it breaks down...) Mine lets you do things like {(x y)|filter} to pass two variables through. Smarty has a lame math tag: {math equation="(( x + y ) / z )" x=2 y=10 z=2} With mine you can just do {(x + y) / z}, and so on. And on top of it all, Smarty is just another mini language that knows nothing about HTML...
PHPTAL does things better, but I never liked how everything was attribute defined. I cannot really comment much on it because I never used it in a project. Mine is a mix between PHPTAL and Smarty.
But regardless of your preference of template engine, you should be aiming for one thing: separating "business" code from presentation. If you can do that well, your site will be cleaner than most other PHP ones.
I'm actually making a system that allows me to create a page that could be stand alone, but is really a template page in itself (it's the caller page, so to speak) and the framework will load the code for the page, and combine it with the site template (or directory, depends on my configuration in the end)
So the index page would look like this:
<html>
<head><title>Home</title></head>
<body>
<p>Welcome to my page!</p>
</body>
</html>
And the rest of the stuff in the main template looks like this:
<!DOCTYPE ...>
<html ...>
<head>
<title>Site title<!--{command to control how title strings are concatenated}--></title>
...Stylesheet(s), Javascript file(s), and any other stuff in the head tag that is used by the whole site...
</head>
<body>
...Tags for the page header...
<div id="content"><!--{mfs-body}--></div>
...Tags for the page footer...
</body>
</html>
But my system I plan on being able to grow in the long run. I just didn't want includes in my templates if it was possible. That's why I did it this way.
What do people say about ASP.NET?
The only unbiased problems that I've been given are that mod_mono doesn't work for 2.0 yet and the problem with timezones.
At the moment, I may give the idea that I presented a go first before truly looking at templates with PHP.
Ok, so first off, I'm biased: I'm somewhat of a microsoft fan boy. I like being able to debug my server side code, and my client-side javascript all from the IDE -- also I'm told you can debug SQL Stored Procs all from the same IDE which is mega cool, but I've only seen it done.
I hope you weren't trying to use mod_mono for .NET 2.0. So far, only the 1.1 version is usable.
Master pages, and codeless database stuff are both only in 2.0+ so I'm guessing he does want to use 2.0.
My advice, if you're going to use ASP.NET, host it on a windows box; mono isn't production ready for web servers. It doesn't even have 2.0, and 3.0 is supposed to be coming out of beta in about six months (javascript debugging is so damn cool!), and ASP.NET AJAX isn't supported by it either (requires 2.0) -- basically you're just going to miss out on all sorts of everything badass with mono. Also, if anything bad happens on your microsoft server box, I'm to understand that microsoft covers your ass in court for legal fees up to $2M. Or was it 2B? I always get that number mixed up.
Also, it has been mentioned in this thread that the asp.net framework gets in your way for the occasional nitty gritty, but really, you can do things to tell the framework not to render (notably: me.Controls.Clear() -- it gives you a completely blank page and you can build the output yourself) -- you can even gain direct control to the page headers (not the html part, but the HTTP stuff), etc. -- IMHO you only need to do nitty gritty things occasionally or write a few functions here and there to get around all of it.
So really if you wanted access to all of the deep down dirty stuff: it's there.
separating "business" code from presentation. If you can do that well, your site will be cleaner than most other PHP ones.
That's exactly what it comes down to. It doesn't matter if you use PHP, ASP, RUBY, etc -- write clean code. Separate your code into tiers of Application Framework, Business, Database Logic, Presentation and you'll be coding like a pro. Writing the code isn't the hard part, it's making it clean, maintainable, documented, and killing its bugs that's the real hard part.
piccolo: ASP.NET doesn't use VBSCRIPT -- it uses Visual Basic.NET! -- It's very different from VBSCRIPT.
...could be just blocks of webpages as opposed to being a necessity.
Like user controls?
and the problem with timezones.
Time Zones are a non-issue -- you just convert any local time to UTC and then offset it by the TimeZone you want -- I'm pacific, I think that's -8? So Just MyTimeInUTC.AddHours(-8) (If I remember the syntax right)... If you really wanted a class that knew if it was UTC or local, you could just write one that inherits DateTime and has a boolean, and some built in ToTimeZone(x) functions, etc.
Also, File Uploads are a breeze in .NET, server side image processing/production are easy (you have access to GDI+, alpha blending, resizing (bicubic, bilinear, nearest pixel, quality/speed settings, etc)) you have access to sockets, ping, you can download files from other URLs to the server in single commands, built-in ajax, web-services that serialize and deserialize .NET objects automagically/transparently -- it's all just plain amazing.
I thought ASP.NET could use C# too...
Anyway, have you ever tried to set up mod_mono? It's absolute hell. I tried to play around with it, but there is no "universal" setup like with PHP. No... you have to specify special directories for EVERY vhost (which, on my test box, wouldn't work well because I have vhost_alias setup).
I'm pacific, I think that's -8? So Just MyTimeInUTC.AddHours(-8)
Yeah, you think you have the timezones right, but if they change (like... this year), you have to update your code to cope. Not to mention you have to deal with time zones supporting and not supporting DST, as well as half hour time zones.
OK. I'm getting PHP5 (again) mostly because of the large range of sources and books that are available. I still really like ASP.NET though.
The problem I have is that I'm using a minimal Ubuntu set up within a virtual environment and I'm not too familiar with its workings since I run Gentoo as my primary distro (and I much prefer Gentoo to any other distribution that I've tried). The thing about Ubuntu(Debian) is that I can't seem to properly uninstall packages -- the configuration files seem to stay in the system. To make my installation 'organised' again is to start over.
Use asp.net and vbscript.
VBScript is evil! VBScript is used in ASP whereas ASP.NET uses .NET languages, such as Visual Basic .NET and C#[.NET]. I use ASP/VBScript at work right now and I hate it. Simple things don't always work and it's very unpredictable at times... However, PHP is pretty cool and I think I'd love to try ASP.NET.
That's exactly what it comes down to. It doesn't matter if you use PHP, ASP, RUBY, etc -- write clean code. Separate your code into tiers of Application Framework, Business, Database Logic, Presentation and you'll be coding like a pro. Writing the code isn't the hard part, it's making it clean, maintainable, documented, and killing its bugs that's the real hard part.
I've written a PHP website including a small CMS without separating code and presentation. At all. ~3500 lines of code. It's the typical PHP site where the average PHP file consists of 50% code and 50% "echo" output commands. It has been running for more than a year now and I never had problems finding bugs or maintaining it.
The problem I have is that I'm using a minimal Ubuntu set up within a virtual environment and I'm not too familiar with its workings since I run Gentoo as my primary distro (and I much prefer Gentoo to any other distribution that I've tried). The thing about Ubuntu(Debian) is that I can't seem to properly uninstall packages -- the configuration files seem to stay in the system. To make my installation 'organised' again is to start over.
Use aptitude.
apt-get remove --purge <package> to remove the config files.
aptitude purge <package> to do the same with aptitude.
Aptitude does what apt-get can't. It maintains constraints. So, if you install Package X which automatically installs Y and Z and then remove X three years later, aptitude will remove Y and Z, too.
$pageData = get_template("pages/thread.tpl", $posts);
One piece of advice: Use .php extension on all include files. This way, it is impossible to read the php code in them even if requested directly. Suppose an include file contains a database username and password; if the extension is .php, the server will happily execute it, setting two variables and outputting nothing - and the client reads an empty page. If the extension is something else, the server will treat it as plain text and send it through http as-is; the client can then read your database login.
A template system isn't that hard to do really. All you need is an index page that loads the content pages based on an input variable (either from $_GET or from $_REQUEST). Just don't forget to validate. It can be as easy as:
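<?php
ob_start();
@include('head.php');

// Map the requested page to a file inside ./pages/ only.
// basename() drops any directory part, so "../" sequences cannot make
// include() load a file from outside the pages directory.
function validate_page($page) {
    $name = is_string($page) ? basename($page) : '';
    $path = './pages/' . $name;
    // Fall back to the home page for an empty, non-.php or missing file.
    if ($name === '' || substr($name, -4) !== '.php' || !is_file($path))
        return './pages/home.php';
    return $path;
}

$page = validate_page(isset($_GET['page']) ? $_GET['page'] : '');

@include($page);
@include('foot.php');
ob_end_flush();
?>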
Then put the doctype, header, stylesheet reference and whatnot, into 'head.php', a closing </body></html> into 'foot.php', and make every link say something like '?page=foo.php'.
One piece of advice: Use .php extension on all include files. This way, it is impossible to read the php code in them even if requested directly.
Better advice: don't put your code in the web root.
Even better: Make them .php AND put them somewhere that's not the web root. And protected through .htaccess.
From a security standpoint, you should get it out of your head that naming your file in a particular way somehow gives it more security. Just because one directory on the system is configured to execute files with a .php extension doesn't mean others are. Especially when those others lie outside of the web root: if someone manages to get access outside of that, they have bypassed Apache's configuration already.
In fact, once you leave the web root, I'd say the most likely path to hacking comes from the local machine: someone with access to the file system browsing around. In those cases, I'd wager that naming your files with .php would make them more likely to be found. If that scenario seems unlikely to you, then consider how unlikely the idea that a file outside of your web root is accessed in the first place.
As a side note, if it's outside the web root, protecting it through htaccess won't do any good, since it's outside the web root: Apache won't parse the file anyways (since Apache won't serve the file, though, it doesn't make a difference).
Now, since naming your templates with a .php extension gives them marginal security benefits if they're stored in the webroot, and doesn't cause any problems either way, why not do it anyways? For the same reason you use a for loop instead of a goto statement. Sure, both ways will work, but in the end one looks neater and tells you more information about what the construct does. Likewise, why not name all the image files on your server with a .img extension? Both ways will work, but in the end one gives you more information about what the files are.
By "putting them outside the web root", you mean:
var/www/website/root
var/www/website/root/imgs
var/www/website/root/css
/var/www/website/code
Where the root directory is
/var/www/website/root/
?
Ideally, yeah. Then you simply have a single go.php file that you map your URLs to, and that file passes control to the application handlers which lie outside of your web root.
The simplest way to achieve this is using mod_rewrite. In this example I don't have the ability to change my web root, so I use mod_rewrite to mask it.
wwwroot/
  app/
    code/
      controllers/
        page.php
      models/
        page.php
      views/
        layouts/
          layout.html
        pages/
          about.html
    webroot/
      images/
        logo.png
      main.css
  engine/
    Cx.php
Then I use this mod_rewrite rule set:
RewriteEngine on
RewriteRule ^$ engine/Cx.php [L]

# Translate path into the webroot if not already done
RewriteRule !app/webroot/ - [C]
RewriteRule (.*) app/webroot/$1

# If file doesn't exist in webroot then use Cx
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* engine/Cx.php
The first rule sends the index page to my engine. The second and third rules translate paths into the app/webroot/ directory. The third rule checks if the given path (now translated into the webroot directory) exists. If it does not, it hands the URL to my engine.
Using this setup, I can place static objects into the webroot, and it will be clean of all code. Also, it is impossible* to access any of the code.
* In any security discussion, absolutes such as "impossible" are assuming normal operation of the software involved, i.e. that there are no exploits in mod_rewrite or apache.
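Once every non-static URL is handed to a single engine script, that script decides which file a request path may reach, so the path check matters as much as the rewrite rules. The following is an added example, not the poster's Cx.php: resolve_view(), the choice of views/pages as the served directory and the demo files (constructed in a temp directory) are all assumptions.

```php
<?php
// Added example: hypothetical dispatcher in the spirit of engine/Cx.php.
// resolve_view() and the demo files are assumptions, not the poster's code.

/**
 * Map a request URI such as "/about?x=1" to a view file under $viewRoot.
 * Returns the absolute path to serve, or null if the request is refused.
 */
function resolve_view($requestUri, $viewRoot)
{
    $root = realpath($viewRoot);
    if ($root === false) {
        return null;                         // view directory does not exist
    }

    // Keep only the path component; an empty path means the index page.
    $path = trim((string) parse_url($requestUri, PHP_URL_PATH), '/');
    if ($path === '') {
        $path = 'home';
    }

    // Allowlist: plain names with optional subdirectories. This rejects
    // "..", "%2e%2e", NUL bytes, backslashes and file extensions outright.
    if (!preg_match('#^[a-z0-9_-]+(/[a-z0-9_-]+)*$#iD', $path)) {
        return null;
    }

    // realpath() resolves symlinks, so a link that points out of the view
    // directory is caught by the prefix check below.
    $file = realpath($root . '/' . $path . '.html');
    if ($file === false || strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// --- Constructed demo tree (sample data, created in a temp directory) ---
$base  = sys_get_temp_dir() . '/cx_demo_' . getmypid();
$views = $base . '/app/code/views/pages';
mkdir($views, 0700, true);
file_put_contents($views . '/home.html', '<p>Welcome</p>');
file_put_contents($views . '/about.html', '<p>About</p>');
// A code file next to the views that must never be served.
file_put_contents($base . '/app/code/db.php', '<?php $pass = "constructed";');

$requests = array('/', '/about', '/about?ref=nav', '/../db', '/%2e%2e/db',
                  '/about.html', '/missing');
foreach ($requests as $uri) {
    $file = resolve_view($uri, $views);
    printf("%-16s => %s\n", $uri,
        $file === null ? '404' : 'serve ' . basename($file));
}

// Remove the demo tree again.
foreach (array("$views/home.html", "$views/about.html",
               "$base/app/code/db.php") as $f) {
    unlink($f);
}
foreach (array($views, "$base/app/code/views", "$base/app/code",
               "$base/app", $base) as $d) {
    rmdir($d);
}
```

Only the first three requests resolve to a file; the traversal attempts, the request with an extension and the missing page all come back as 404.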
even better idea, chroot apache or run ALL other services in a VM, only have ssh and security related tools running on the host (i.e.: snort, tripwire, denyhosts...), anything else, VM...and do rsyncs, and apply CGP's method as well.
I thought ASP.NET could use C# too...
of course it can, it can also use j#, or any other .NET language -- you can add your own languages of course (there are some wrappers that add LUA to .NET) -- and soon .NET will have ruby also ("IronRuby").
Yeah, you think you have the timezones right, but if they change (like... this year), you have to update your code to cope. Not to mention you have to deal with time zones supporting and not supporting DST, as well as half hour time zones.
I don't really do anything with time zones, so I'm fuzzy here, but I remember getting an email from microsoft about their API operating differently now that the daylight savings times are different. So there is an API that handles time zones/daylight savings times that's built in -- I've just never used it -- or needed to.
(there are some wrappers that add LUA to .NET)
"Compilers". They actually compile the language to CIL.
So there is an API that handles time zones/daylight savings times that's built in -- I've just never used it -- or needed to.
Like I said, it works for local time and UTC. No others. And it doesn't know what time zone local time is, it relies on Windows' knowledge of it.