Chapter 10. Extract Presentation Logic to View Files

When it comes to page scripts in legacy applications, it is very common to see business logic intertwined with presentation logic. For example, the page script does some setup work, then includes a header template, makes a call to the database, outputs the results, calculates some values, prints the calculated values, writes the values back to the database, and includes a footer template.

We have made some steps toward decoupling these concerns by extracting a domain layer for our legacy application. However, calls to the domain layer and other business logic within the page scripts are still mixed in with the presentation logic. Among other things, this intermingling of concerns makes it difficult to test the different aspects of our legacy application.

In this chapter, we will separate all of our presentation logic to its own layer so we can test it separately from our business logic.

For an example of embedded presentation logic, we can take a look at Appendix E, Code before Collecting.

Presentation Logic. The code shows a page script that has been refactored to use domain Transactions, but it still has some presentation logic entangled within the rest of the code.

Note

What Is The Difference Between Presentation and Business Logic?

For our purposes, presentation logic includes any and all code that generates output sent to the user (such as a browser or mobile client). This includes not only echo and print but also header() and setcookie(). Each of these generates some form of output. "Business logic," on the other hand, is everything else.

The key to decoupling the presentation logic from the business logic is to put the code for them into separate scopes. The script should first perform all of the business logic, then pass the results over to the presentation logic. When that is complete, we will be able to test our presentation logic separately from our business logic.

To achieve this separation of scope, we will move toward using a Response object in our page scripts. All of our presentation logic will be executed from within a Response instance, instead of directly in the page script. Doing so will provide the scope separation that we need to decouple all output generation, including HTTP headers and cookies, from the rest of the page script.

Note

Why A Response Object?

Often, when we think of presentation, we think of a view or a template system that renders content for us. However, these kinds of systems do not usually encapsulate the full set of output that will be sent to the user. We need to output not just HTTP bodies, but HTTP headers as well. In addition, we need to be able to test that the correct headers have been set, and that the content has been generated properly. As such, the Response object is a better fit at this point than a view or template system alone. For our Response object, we will use the class provided at http://mlaphp.com/code. Note that we will be including files within a Response context, which means that the methods on that object will be available to include files running "inside" that object.

Extracting presentation logic is not as difficult as extracting domain logic. However, it does require careful attention and lots of testing along the way.

In general, the process is as follows:

  1. Find a page script that contains presentation logic mixed in with the rest of the code.
  2. In that script, rearrange the code to collect all presentation logic into a single block after all the other logic in the file, then spot check the rearranged code.
  3. Extract the block of presentation logic to a view file to be delivered via a Response, and spot check the script again to make sure the script works correctly with the new Response.
  4. Add proper escaping to the presentation logic and spot check again.
  5. Commit the new code, push to the common repository, and notify QA.
  6. Begin again with the next page script that contains presentation logic mixed in with other non-presentation code.

In general, it should be easy for us to find presentation logic in our legacy application. At this point we should be familiar enough with the codebase to have a good idea where the page scripts generate output.

If we need a jump-start, we can use our project-wide search facility to find all occurrences of echo, print, printf, header, setcookie, and setrawcookie. Some of these may occur in class methods; we will address that at a later point. For now, we will concentrate on page scripts where these calls occur.

Now that we have a candidate page script, we need to rearrange the code so there is a clear demarcation between the presentation logic and everything else. For our example here, we will use the code in Appendix E, Code before Collecting.

First, we go to the bottom of the file and add a /* PRESENTATION */ comment as the final line. We then go back to the top of the file. Working line-by-line and block-by-block, we move all presentation logic to the end of the file after our /* PRESENTATION */ comment. When we are done, the part before the /* PRESENTATION */ comment should consist only of business logic, and the part after should consist only of presentation logic.

Given our starting code in Appendix E, Code before Collecting, we should end up with something more like the code in Appendix F, Code after Collecting. In particular, note that we have the following:

  • Moved variables not used by the business logic, such as $current_page, down the presentation block
  • Moved the header.php include down to the presentation block
  • Moved logic and conditions acting only on presentation variables, such as the if that sets the $page_title, to the presentation block
  • Replaced $_SERVER['PHP_SELF'] with an $action variable
  • Replaced $_GET['id'] with an $id variable

Note

When creating the presentation block, we should be careful to follow all the lessons we learned from earlier chapters about dependency injection. Even though the presentation code is a block within a file (not a class) we should treat the block as if it is a class method. Among other things, this means no use of globals, superglobals, or the new keyword. This will make things easier on us when we extract the presentation block to a view file later.

Now that we have rearranged the page script so that all presentation logic is collected at the end, we need to spot check to make sure the page script still works properly. As usual, we do this by running our pre-existing characterization tests, if we have any. If not, we must browse to or otherwise invoke the changed code.

If the page does not generate the same output as before, our rearrangement has changed the logic somehow. We need to undo and redo the rearrangement until the page works as it should.

Once our spot check is successful, we may wish to commit our changes so far. If our next set of changes goes badly, we can revert the code to this point as a known working state.

Now that we have a working page script with all the presentation logic in a single block, we will extract that entire block to its own file, and then use a Response to execute the extracted logic.

First, we need a place to put view files in our legacy application. While I prefer to keep presentation logic near the business logic, that kind of arrangement will make trouble for us in later modernization steps. As such, we will create a new directory in our legacy application called views/ and place our view files there. This directory should be at the same level as our classes/ and tests/ directories. For example:

/path/to/app/
1 classes/
2 tests/
3 views/

Now that we have a place to save our view files, we need to pick a file name for the presentation logic we are about to extract. The view file should be named for the page script, in a path under views/ that matches the page script path. For example, if we are extracting presentation from a page script at /foo/bar/baz.php, the target view file should be saved at /views/foo/bar/baz.php.

Sometimes it is useful to use an extension other than just .php for our view files. I have found it can be helpful to use an extension that indicates the view format. For example, a view that generates HTML may end in .html.php, while a view that generates JSON may end in .json.php.

Next, we cut the presentation block from the page script, and paste it into our new view file as-is.

Then, in place of the original presentation block in the page script, we create a Response object in our page script and point it to our view file with setView(). We also set up an empty call to setVars() for later, and finally call the send() method.

Note

We should always use the same variable name for the Response object in all of our page scripts. All the examples here will use the name $response. This is not because the name $response is special, but because this level of consistency will be very important in a later chapter.

For example:

foo/bar/baz.php
1 <?php
2 // ... business logic ...
3
4 /* PRESENTATION */
5 $response = new \Mlaphp\Response('/path/to/app/views');
6 $response->setView('foo/bar/baz.html.php');
7 $response->setVars(array());
8 $response->send();
9 ?>

At this point, we have successfully decoupled the presentation logic from the page script. We can remove the /* PRESENTATION */ comment. It has served its purpose and is no longer needed.

However, this decoupling fundamentally breaks the presentation logic, because the view file depends on variables from the page script. With that in mind, we begin a spot check-and-modify cycle. We browse to or otherwise invoke the page script and discover that a particular variable is not available to the presentation. We add it to the setVars() array, and spot check again. We continue adding variables to the setVars() array until the view file has everything it needs, and our spot check runs become completely successful.

Note

For this part of the process, it would be best if we set error_reporting(E_ALL). That way we will get a PHP notice for every uninitialized variable in the presentation logic.

Given our earlier examples in Appendix E, Code before Collecting and Appendix F, Code after Collecting, we end up at Appendix G, Code after Response View File. We can see that the articles.html.php view file needed four variables: $id, $failure, $input, and $action:

1 <?php
2 // ...
3 $response->setVars(array(
4 'id' => $id,
5 'failure' => $article_transactions->getFailure(),
6 'input' => $article_transactions->getInput(),
7 'action' => $_SERVER['PHP_SELF'],
8 ));
9 // ...
10 ?>

Once we have a working page script, we may wish to commit our work yet again so that we have a known correct state to which we can revert later, if needed.

Unfortunately, most legacy applications pay little or no attention to output security. One of the most common vulnerabilities is cross-site scripting (XSS).

Note

What Is XSS?

Cross-site scripting is an attack that is made possible by user input being sent back to the browser unescaped. For example, an attacker can enter maliciously-crafted JavaScript code into a form input or an HTTP header. If that value is then delivered back to the browser without being escaped, the browser will execute that JavaScript code. This has the potential to open the client browser to further attacks. For more information, please see the OWASP entry on XSS (https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29).

The defense against XSS is to escape all variables all the time for the context in which they are used. If a variable is used as HTML content, it needs to be escaped as HTML content; if a variable is used in an HTML attribute, it needs to be escaped as such, and so on.

Defending against XSS requires diligence on the part of the developer. If we remember one thing about escaping output, it should be the htmlspecialchars() function. Using this function appropriately will save us from most, but not all, XSS exploits.

When using htmlspecialchars(), we must be sure to pass a quotes constant and a character set each time. Thus, it is not enough to call htmlspecialchars($unescaped_text). We must call htmlspecialchars($unescaped_text, ENT_QUOTES, 'UTF-8'). So, output that looks like this:

unescaped.html.php
1 <form action="<?php
2 echo $request->server['PHP_SELF'];
3 ?>" method="POST">

This needs to be escaped like this:

escaped.html.php
1 <form action="<?php
2 echo htmlspecialchars(
3 $request->server['PHP_SELF'],
4 ENT_QUOTES,
5 'UTF-8'
6 );
7 ?>" method="POST">

Any time we send unescaped output, we need to be aware that we are likely opening up a security hole. As such, we must apply escaping to every variable we use for output.

Calling htmlspecialchars() repeatedly this way can be cumbersome, so the Response class provides an esc() method as an alias to htmlspecialchars() with reasonable settings:

escaped.php
1 <form action="<?php
2 echo $this->esc($request->server['PHP_SELF']);
3 ?>" method="POST">

Be aware that escaping via htmlspecialchars() is only a starting point. While escaping itself is simple to do, it can be difficult to know the appropriate escaping technique for a particular context.

Unfortunately, it is outside the scope of this book to provide a thorough overview of escaping and other security techniques. For more information, and for a good stand-alone escaping tool, please see the Zend\Escaper (https://framework.zend.com/manual/2.2/en/modules/zend.escaper) library.

After we escape all output in the Response view file, we can move along to testing.

Writing tests for view files presents some unique challenges. Until this chapter, all of our tests have been against classes and class methods. Because our view files are, well, files, we need to place them into a slightly different testing structure.

First, we need to create a views/ subdirectory in our tests/ directory. After that, our tests/ directory should look something like this:

/path/to/app/tests/
1 bootstrap.php
2 classes/
3 phpunit.xml
4 views/

Next, we need to modify the phpunit.xml file so it knows to scan through the new views/ subdirectory for tests:

tests/phpunit.xml
1 <phpunit bootstrap="./bootstrap.php">
2 <testsuites>
3 <testsuite>
4 <directory>./classes</directory>
5 <directory>./views</directory>
6 </testsuite>
7 </testsuites>
8 </phpunit>

Now that we have a location for our view file tests, we need to write one.

Although we are testing a file, PHPUnit requires each test to be a class. As a result, we will name our test for the view file being tested, and place it in a subdirectory under tests/views/ that mimics the original view file location. For example, if we have a view file at views/foo/bar/baz.html.php, we would create a test file at tests/views/foo/bar/BazHtmlTest.php. Yes, this is a bit ugly, but it will help us keep track of which tests map to which views.

In our test class, we will create a Response instance like the one at the end of our page script. We will pass into it the view file path and the needed variables. We will finally require the view, then check the output and headers to see if the view works correctly.

Given our articles.html.php file, our initial test might look like this:

tests/views/ArticlesHtmlTest.php
1 <?php
2 class ArticlesHtmlTest extends \PHPUnit_Framework_TestCase
3 {
4 protected $response;
5 protected $output;
6
7 public function setUp()
8 {
9 $this->response = new \Mlaphp\Response('/path/to/app/views');
10 $this->response->setView('articles.html.php');
11 $this->response->setVars(
12 'id' => '123',
13 'failure' => array(),
14 'action' => '/articles.php',
15 'input' => array(
16 'title' => 'Article Title',
17 'body' => 'The body text of the article.',
18 'max_ratings' => 5,
19 'credits_per_rating' => 1,
20 'notes' => '...',
21 'ready' => 0,
22 ),
23 );
24 $this->output = $this->response->requireView();
25 }
26
27 public function testBasicView()
28 {
29 $expect = '';
30 $this->assertSame($expect, $this->output);
31 }
32 }
33 ?>

Note

Why Use requireView() Instead Of send()?

If we use send() the Response will output the view file results, instead of leaving them in a buffer for us to inspect. Calling requireView() invokes the view file but returns the results instead of generating output.

When we run this test, it will fail. We rejoice, because the $expect value is empty, but the output should have a lot of content in it. This is the correct behavior. (If the test passes, something is probably wrong.)

Now we need our test to look at the output to see if it is correct.

The simplest way to do this is to dump the actual $this->output string and copy its value to the $expect variable. If the output string is relatively short, an assertSame($expect, $this->output) to make sure they are identical should be perfectly sufficient for our purposes.

However, if anything changes with any of the other files that our main view file includes, then the test will fail. The failure will occur not because the main view has changed, but because a related view has changed. That is not the kind of failure that helps us.

In the case of large output strings, we can look for an expected substring and make sure it it is present in the actual output. Then when the test fails it will be related to the particular substring for which we are testing, not to the entire output string a a whole.

For example, we can use strpos() to see if a particular string is in the output. If the haystack of $this->output does not contain the $expect needle, strpos() will return a boolean false. Any other value means the $needle is present. (This logic is easier to read if we write our own custom assertion method.)

1 <?php
2 public function assertOutputHas($expect)
3 {
4 if (strpos($this->output, $expect) === false) {
5 $this->fail("Did not find expected output: $expect");
6 }
7 }
8
9 public function testFormTag()
10 {
11 $expect = '<form method="POST" action="/articles.php">';
12 $this->assertOutputHas($expect);
13 }
14 ?>

This approach has the benefit of being very straightforward, but may not be suitable for complex assertions. We may wish to count the number of times an element occurs, or to assert that the HTML has a particular structure without referencing the contents of that structure, or to check that an element appears in the right place in the output.

For these more-complex content assertions, PHPUnit has an assertSelectEquals() assertion, along with other related assertSelect*() methods. These work by using CSS selectors to check different parts of the output, but can be difficult to read and understand.

Alternatively, we may prefer to install Zend\Dom\Query for finer manipulation of the DOM tree. This library also works by using CSS selectors to pick apart the content. It returns DOM nodes and node lists, which makes it very useful for testing the content in a fine-grained manner.

Unfortunately, I cannot give concrete advice on which of these approaches is best for you. I suggest starting with an approach similar to the assertOutputHas() method above, and moving along to the Zend\Dom\Query approach when it becomes obvious that you need a more powerful system.

After we have written tests that confirm the presentation works as it should, we move on to the last part of the process.

At this point we should have passing tests for the page script and for the extracted presentation logic. We now commit all our code and tests, push them to the common repository, and notify QA that we are ready for them to look over the new work.

We continue to search for presentation logic mixed in with business logic in our page scripts. When we have extracted all presentation logic to view files via Response objects, we are done.

In the above examples we paid attention only to output from echo and print. However, it is often the case that a page script will also set HTTP headers via header(), setcookie(), and setrawcookie(). These, too, generate output.

Dealing with these output methods can be problematic. Whereas the Response class uses output buffering to capture echo and print into return values, there is no similar option for buffering calls to header() and related functions. Because the output from these functions is not buffered, we cannot easily test to see what's going on.

This is one place where having a Response object really helps us. The class comes with methods that buffer the header() and related native PHP functions, but do not call those functions until send() time. This allows us to capture the inputs to these calls and test them before they are actually activated.

For example, say we have some code like this in a contrived view file:

foo.json.php
1 <?php
2 header('Content-Type: application/json');
3 setcookie('baz', 'dib');
4 setrawcookie('zim', 'gir');
5 echo json_encode($data);
6 ?>

Among other things, we cannot test that the headers are what we expect them to be. PHP has already sent them to the client.

When using a view file with a Response object, we can prefix the native function calls with $this-> to call a Response method instead of the native PHP function. The Response methods buffer the arguments to the native calls instead of making the calls directly. This allows us to inspect the arguments before they are delivered as output.

foo.json.php
1 <?php
2 $this->header('Content-Type: application/json');
3 $this->setcookie('baz', 'dib');
4 $this->setrawcookie('zim', 'gir');
5 echo json_encode($data);
6 ?>

Note

Because the view file is being executed inside the Response instance, it has access to $this for the Response properties and methods. The header(), setcookie(), and setrawcookie() methods on the Response object have the exact same signatures as the native PHP methods, but capture the inputs into a property for later output instead of generating output immediately.

We can now test the Response object to check the HTTP body as well as the HTTP headers.

tests/views/FooJsonTest.php
1 <?php
2 public function test()
3 {
4 // set up the response object
5 $response = new \Mlaphp\Response('/path/to/app/views');
6 $response->setView('foo.json.php');
7 $response->setVars('data', array('foo' => 'bar'));
8
9 // invoke the view file and test its output
10 $expect_body = '{"foo":"bar"}';
11 $actual_body = $response->requireView();
12 $this->assertSame($expect_output, $actual_output);
13
14 // test the buffered HTTP header calls
15 $expect_headers = array(
16 array('header', 'Content-Type: application/json'),
17 array('setcookie', 'baz', 'dib'),
18 array('setrawcookie', 'zim', 'gir'),
19 );
20 $actual_headers = $response->getHeaders();
21 $this->assertSame($expect_output, $actual_output);
22 }
23 ?>

Note

The Response getHeaders() method returns an array of sub-arrays. Each sub-array has an element 0 indicating the native PHP function name to be called, and the remaining elements are arguments to the function. These are the function calls that will be made at send() time.

Many times, a legacy application will have a view or template system already in place. If so, it may be sufficient to keep using the existing template system instead of introducing a new Response class.

If we decide to keep an existing template system, the other steps in this chapter still apply. We need to move all of the template calls to a single location at the end of the page script, disentangling all of the template interactions from the rest of the business logic. We can then display the template at the end of the page script. For example:

foo.php
1 <?php
2 // ... business logic ...
3
4 /* PRESENTATION */
5 $template = new Template;
6 $template->assign($this->getVars());
7 $template->display('foo.tpl.php');
8 ?>

If we are not sending HTTP headers, this approach is just as testable as using a Response object. However, if we mix in calls to header() and related functions, our testability will be more limited.

In the interest of future-proofing our legacy code, we may move the template logic to a view file, and interact with a Response object in our page script instead. For example:

foo.php
1 <?php
2 // ... business logic ...
3
4 /* PRESENTATION */
5 $response = new Response('/path/to/app/views');
6 $response->setView('foo.html.php');
7 $response->setVars(array('foo' => $foo));
8 $response->send();
9 ?>
foo.html.php
1 <?php
2 // buffer calls to HTTP headers
3 $this->setcookie('foo', 'bar');
4 $this->setrawcookie('baz', 'dib');
5
6 // set up the template object with Response vars
7 $template = new Template;
8 $template->assign($this->getVars());
9
10 // display the template
11 $template->display('foo.tpl.php');
12 ?>

This allows us to keep using the existing template logic and files, while adding testability for HTTP headers via the Response object.

For consistency's sake, we should either use the existing template system or wrap all template logic in view files via Response objects. We should not use the template system in some page scripts and the Response object in others. In later chapters, it will be important that we have a single way of interacting with the presentation layer in our page scripts.

Most of the time, our presentation is small enough that it can be buffered into memory by PHP until it is ready to send. However, sometimes our legacy application may need to send large amounts of data, such as a file that is tens or hundreds of megabytes.

Reading a large file into memory so that we can output it to the user is usually not a good approach. Instead, we stream the file: we read a small piece of the file and send it to the user, then read the next small piece and send it to the user, and so on until the whole file has been delivered. That way, we never have to keep the entire file in memory.

The examples so far have only dealt with buffering a view into memory and then outputting it all at once, not with streaming. It would be a poor approach for our view file to read the entire resource into memory and then output it. At the same time, we need to make sure headers are delivered before any streamed content.

The Response object has a method to handle this situation. The Response method setLastCall() allows us to set a user-defined function (a callable) to invoke after requiring the view file and sending the headers. With this, we can pass a class method that will stream the resource out for us.

For example, say we need to stream out a large image file. We can write a class like the following to handle the stream logic:

classes/FileStreamer.php
1 <?php
2 class FileStreamer
3 {
4 public function send($file, $dest = STDOUT)
5 {
6 $fh = fopen($file, 'rb');
7 while (! feof($fh)) {
8 $data = fread($fh, 8192);
9 fwrite($dest, $data);
10 }
11 fclose($fh);
12 }
13 }
14 ?>

There is much to be desired here, such as error checking and better resource handling, but it accomplishes the purpose for our example.

We can then create an instance of the FileStreamer in our page script, and the view file can use it as the callable argument for setLastCall():

foo.php
1 <?php
2 // ... business logic ...
3 $file_streamer = new FileStreamer;
4 $image_file = '/path/to/picture.tiff';
5 $content_type = 'image/tiff';
6
7 /* PRESENTATION */
8 $response = new Response('/path/to/app/views');
9 $response->setView('foo.stream.php');
10 $response->setVars(array(
11 'streamer' => $file_streamer,
12 'file' => $image_file,
13 'type' => $content_type,
14 ));
15 ?>
views/foo.stream.php
1 <?php
2 $this->header("Content-Type: {$type}");
3 $this->setLastCall(array($streamer, 'send'), $file);
4 ?>

At send() time, the Response will require the view file, which sets a header and the last call with arguments. The Response then sends the headers and the captured output of the view (which in this case is nothing). Finally, it invokes the callable and arguments from setLastCall(), which streams out the file.

In the example code from this chapter, we had only a handful of variables to pass to the presentation logic. Unfortunately, it is more likely that there will be 10 or 20 or more variables to pass. This is usually because the presentation is composed of several include files, each of which needs its own variables.

These extra variables are usually needed for things like the site header, navigation, and footer portions. Because we have decoupled the business logic from the presentation logic and are executing the presentation logic in a separate scope, we have to pass in all the variables needed for all the include files.

Say we have a view file that includes a header.php file, like this:

header.php
1 <html>
2 <head>
3 <title><?php
4 echo $this->esc($page_title);
5 ?></title>
6 <link rel="stylesheet" href="<?php
7 echo $this->esc($page_style);
8 ?>"></link>
9 </head>
10 <body>
11 <h1><?php echo $this->esc($page_title); ?></h1>
12 <div id="navigation">
13 <ul>
14 <?php foreach ($site_nav as $nav_item) {
Extract Presentation Logic To View Files 117
15 $href = $this->esc($nav_item['href']);
16 $name = $this->esc($nav_item['name']);
17 echo '<li><a href="' . $href
18 . '"/a>' . $name
19 . '</li>' . PHP_EOL;
20 }?>
21 </ul>
22 </div>
23 <!-- end of header.php -->

Our page script will have to pass $page_title, $page_style, and $site_nav variables in order for the header to display properly. This is a relatively tame case; there could be many more variables than this.

One solution is to collect commonly-used variables into one or more objects of their own. We can then pass those common-use objects into the _Response_ for the view file to use. For example, header-specific display variables can be placed in a HeaderDisplay class, which can then be passed to the _Response_.

classes/HeaderDisplay.php
1 <?php
2 class HeaderDisplay
3 {
4 public $page_title;
5 public $page_style;
6 public $site_nav;
7 }
8 ?>

We can then modify the header.php file to use the HeaderDisplay object, and the page script can pass an instance of HeaderDisplay instead of all the separate header-related variables.

Tip

Once we begin collecting related variables into classes, we will begin to see how we can collect presentation logic into methods on those classes, and thereby reduce the amount of logic in our view files. For example, it should not be hard for us to imagine a getNav() method on the HeaderDisplay class that returns the proper HTML for our navigation widgets.

In the example code for this chapter, we concentrated on presentation logic in page scripts. However, it may be the case that domain classes or other support classes use echo or header() to generate output. Because output generation must be restricted to the presentation layer, we need to find a way to remove these calls without breaking our legacy application. Even classes that are intended for presentation purposes should not generate output on their own.

The solution here is to convert each use of echo, print, and so on to a return. We can then either output the result immediately, or capture the result into a variable and output it later.

For example, say we have a class method that looks like this:

1 <?php
2 public function namesAndRoles($list)
3 {
4 echo "<p>Names and roles:</p>";
5 foreach ($list as $item) {
6 echo "<dl>";
7 echo "<dt>Name</dt><dd>{$item['name']}</dd>";
8 echo "<dt>Role</dt><dd>{$item['role']}</dd>";
9 echo "</dl>";
10 }
11 }
12 ?>

We can convert it to something like this instead (and remember to add escaping!):

1 <?php
2 public function namesAndRoles($list)
3 {
4 $html = "<p>Names and roles:</p>";
5 foreach ($list as $item) {
6 $name = htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8');
7 $role = htmlspecialchars($item['role'], ENT_QUOTES, 'UTF-8');
8 $html .= "<dl>";
9 $html .= "<dt>Name</dt><dd>{$name}</dd>";
10 $html .= "<dt>Role</dt><dd>{$role}</dd>";
11 $html .= "</dl>";
12 }
13 return $html;
14 }
15 ?>

When rearranging the page script to separate the business logic from the presentation logic, we may discover that the presentation code makes calls to Transactions or other classes or resources. This is a pernicious form of mixing concerns, since the presentation is dependent on the results of these calls.

If the called code is specifically for output, then there's no problem; we can leave the calls in place. But if the called code interacts with an external resource such as a database or a network connection, we have a mixing of concerns that needs to be separated.

The solution is to extract an equivalent set of business logic calls from the presentation logic, capture the results to a variable, and then pass that variable to the presentation.

For a contrived example, the following mixed code makes database calls and then presents them in a single loop:

1 <?php
2 /* PRESENTATION */
3 foreach ($post_transactions->fetchTopTenPosts() as $post) {
4 echo "{$post['title']} has "
5 . $comment_transactions->fetchCountForPost($post['id'])
6 . " comments.";
7 }
8 ?>

Ignore for a moment that we need to solve the N+1 query problem presented in the example, and that this might better be solved at the Transactions level. How can we disentangle the presentation from the data retrieval?

In this case, we build an equivalent set of code to capture the needed data, then pass that data to the presentation logic, and apply proper escaping:

1 <?php
2 // ...
3 $posts = $post_transactions->fetchTopTenPosts();
4 foreach ($posts as &$post) {
5 $count = $comment_transactions->fetchCountForPost($post['id']);
6 $post['comment_count'] = $count;
7 }
8 // ...
9
10 /* PRESENTATION */
11 foreach ($posts as $post) {
12 $title = $this->esc($post['title']);
13 $comment_count = $this->esc($post['comment_count']);
14 echo "{$title} has {$comment_count} comments."
15 }
16 ?>

Yes, we end up looping over the same data twice -- once in the business logic, and once in the presentation logic. While this may reasonably be called inefficient in some ways, efficiency is not our primary goal. Separation of concerns is our primary goal, and this approach achieves that nicely.

Some of the pages in our legacy application may consist mostly or entirely of presentation code. In these cases, it may seem like we don't need a Response object.

However, even these page scripts should be converted to use a Response and a view file. A later step in our modernization process is going to require a consistent interface to the results of our page scripts, and our Response object is the way to ensure that consistency.