PHP Short Open Tag: Convenient Shortcut or Short Changing Security?

Louis – #1

Great post Mr. Brown, I really appreciated the reading! It’s interesting to finally see someone that take the time to verify that the tools he uses are the good ones. The examples are very clear too, thank you.

By the way, this reinforces my desire to learn Ruby/Python and say goodbye to PHP.

Bill Brown – #2

Louis,

Thank you kindly for your complimentary response.

I’m not yet skilled in Ruby/Python (it’s on the list), but every language has the potential for security gaps. It’s really up to the developer to understand the tools provided to us by any language and ensure that we’re not using them in a way that sacrifices too much security.

One assumes that every language has the potential to be insecure, depending on how it’s applied.

In any event, thank you again for your kind words. Stay well. –Bill

John – #3

Hm - this is an interesting post. The thing that makes me wonder is exactly why PHP includes some support for shorthand code other than the “convenience” of use? I prefer to stick to one way of coding (using the full <?php tags and echo statements), and allowing lenience for PHP developers such as myself presents all sorts of problems, mainly the one you mentioned.

Nonetheless, this was a very imformative article.

Antoine Leclair – #5

Short tags really shine when you completely separate logic from presentation (like we do when we use the MVC design pattern).

Here’s a short example:

<?php
     // Business logic here
     $my_array = function_that_fills_the_array();
?>

<h1>The page title</h1>

<ul>

<?php foreach ($my_array as $element) : ?>

     <li><?= $element ?></li>

<?php endforeach ?>

</ul>

The way you used it in your post was not really useful. I mean, the point of using short tags is to make it more readable when you embed PHP variables into HTML. I don’t think it’s a good idea to add HTML in PHP variables.

Bill Brown – #6

Re: Antoine

“Short tags really shine when you completely separate logic from presentation (like we do when we use the MVC design pattern)”

Unless they’re disabled, in which case, they don’t do anything,, except pose a potential security risk, regardless of whether you’re using the Model-View-Controller (MVC) design pattern or not.

“The way you used it in your post was not really useful.”

Sorry about that. I don’t see much of a difference between my examples and yours save the lack of any HTML in your example.

“I mean, the point of using short tags is to make it more readable when you embed PHP variables into HTML.”

I don’t think it makes it more readable at all. I find the inconsistency awfully unattractive.

“I don’t think it’s a good idea to add HTML in PHP variables.”

I imagine I must be misreading this sentence. Otherwise, I have to assume that you’re telling me you never store ANY HTML in your databases, which seems terribly unlikely, or a terribly large and unoptimized database.

Antoine Leclair – #7

@Bill
For a designer (that mainly touches HTML, not PHP), I think
<li><?php echo $variable ?></li>
is less readable than
<li><?= $variable ?></li>
But I think it’s a matter of opinion.

Regarding HTML in PHP variables, I was thinking of short texts.

What I usually do is:
If I output code that contains the necessary HTML, I use
<?php echo $variable; ?>
If I output code that does not (like in my previous example), I use
<?= $variable ?>

Again, unless I have to embed HTML in variables, I try to avoid it. In, let’s say, a blog post, or product description, I am not ashamed to embed HTML. But if formating is not necessary, I avoid it.

Louis – #8

If all goes according to plan, we’ll be reading much more from Bill in the future.

Awesome!

Bill Brown – #9

@Antoine

The fact that you’ve made the choice to use the short tags is what separates you from the developer who uses it blindly. I applaud you for having made an educated decision, even if it’s one I disagree with.

I suppose the real purpose of an article such as this is to foster knowledge as well as intelligent discourse. It seems we’ve succeeded. ;-)

Incidentally…je parle seulement un peu de Francais, mais votre site internet est tres beau. Le bon travail!

Antoine Leclair – #10

@Bill

I think we both agree on that ;).

Thanks for the little French sentence. We feel so lonely on the web, us, non-English people, hehe. Your site is pretty cool too. I like fixed background with transparent content ;).

Bill Brown – #11

@Antoine

Bien sur et de rien, mon ami.

My sites are woefully underdeveloped and underdesigned. I’ve been all too busy with client work, which is good for the bank account, but bad for the personal sites.

Cheers!

Langel – #12

I use a custom templating system. Instead of typing <?php echo I simply type <: and the closing tag stays the same. The parser converts the tags for me before they are rendered in an eval(). I also use <; for plain old <?php and <o for and it makes me happy. =D/

Bill Brown – #13

@Langel

I would say to you the same thing I said to Antoine: The best thing is that you’re aware of the issues and have made an informed decision about what works best for you.

That’s all I can hope for from an article such as this. I’m no security expert and I taught myself to code, so I imagine I’m plagued with habits which would appall others, while my own need for absolute control of my applications creates for me a certain distaste for some popular PHP coding practices, the use of PHP’s short tags among them.

Justen – #14

Thanks for the heads up! I just (re)discovered this shortcut recently. I’m glad I read this article before I started using it too heavily (as it is really handy).

PS – #15

The problem you describe here isn’t so much a problem with PHP short tags…the problem is running things in an unknown environment.

For example, if the PHP module isn’t loaded or if Apache’s AddType directive hasn’t been issued for “.php” files, raw PHP will be sent to the browser, even if you’re using the full “<?php”-style tags.

The lesson here is to be aware of what server configurations your coding depends on, and to ensure that any server intended for production use is configured accordingly and will run your code properly before bringing it online.

Thomas – #16

PS hit the nail on the head IMO. Some people go on like short open tags are devil spawn.

Steve – #17

This was a great short article to read on the subject. I’ve been aware of short tags for a while and my inclination is to use them as Antoine suggests (separating logic from presentation). I agree completely that it’s one of those decisions an informed developer can and should make for themselves, and I feel more informed to make that decision as a developer thanks to your article and the comments.

Silver Knight – #18

I totally agree with the mindset that usage of the short open tags should be an informed decision, made with full knowledge of the benefits and drawbacks and security issues involved. One detail I did not see mentioned here (and one of the reasons I see frequently quoted as an argument against short open tags) is that there is supposedly an issue involving XML open tags in certain instances? (I myself have never personally dealt with any such issue, but I tend to stick to the full PHP tags just for safety and compatibility anyhow.)

That having been said, I can totally see how the construct could be entirely too convenient (and readable) to ignore for some developers/designers, but if you should choose to use such conveniences, my advice is similar to that in other comments here and elsewhere on the web. Do not use such features without well researched knowledge. Don’t just code willy-nilly, assuming that it will work as expected without fully considering the implications of the choices you make.

Thank you very much to the author, Bill Brown, for adding an informative and helpful tidbit on the web regarding this important topic of web application security. It is a topic which should be at the forefront of every web application developer’s mind while coding their latest and greatest shiny new Web-five-point-oh buzz-word application. ;)

Bill Brown – #19

The issue with PHP’s short tags and XML is that PHP will attempt to parse anything which begins with “<?”. This means that XML, which begins with <?xml is sent to the PHP engine, generating errors since it is not PHP (obviously).

To work around this issue while using short tags, you can do this:

<?="<?xml version='1.0' encoding='UTF-8'?>\n";?>

or this:

<?php echo "<?xml version='1.0' encoding='UTF-8'?>;\n";?>

Of course, if you are using PHP’s short open tag, you might also want to include a check in the beginning of your scripts to save yourself any headache in the future. Something like this ought to do the trick:

<?php if(!ini_get('short_open_tag'))die("Short open tag disabled!"); ?>

…or to ensure it is always disabled:

<?php if(!!ini_get('short_open_tag'))die("Short open tag enabled!"); ?>

Gabe – #20

Short open tags is such a headache when it comes to unknown environments. I’ve had numerous cases of debugging sites and find that it had to do with short open tags. Either <?xml being mangled because it was enabled, or php not executing code within short open tags when it wasn’t enabled. It can be one of those problems that gets hard to track - especially in xml.

If your php code will generate XML, or you want your PHP code to be redistributable then do not use short open tags.

If you do not use it, you don’t have to worry about the setting. It makes no difference.

Corey – #21

I’ve never run across any problems with short open tags. But after reading your detailed article on the downfalls of it, I will go back to writing echo the long way.

Thanks for this great article!

Bernhard H. – #22

I stopped using the short tags when I first uploaded a little something and nothing worked because they were disabled. When I read about the echo shortcut I thought yes why not, but then I remembered changing hundreds of short tags and the idea was smashed.

And I can only endorse what Gabe said: Whenever you’re using XHTML templates or do something with AJAX (the real AJAX with XML) or do some advanced XML stuff with Processing Instructions (and not using the DOM lib), you have to decide: Shortcut echo or echo all those <?.

Mahbub – #23

I had used short tags earlier. One website i had to change around 470 instances and lot of them were manual. All that was the server didn’t support short tags. After that i never use short tags. And i advise everyone not to use it in production servers.

bucabay – #24

In case you’re still trying to manually edit short open tags in PHP to the long form, I’d suggest using a search and replace.

You can even write the script in PHP. eg: scandir() to get all files and directories, file_get_contents() to read the file, and str_replace() or preg_replace() to do your adjustments.

It really helps to have a few of these scripts put together so repetitive tasks aren’t done manually. There really is no need to change every instance of <? into <?php manually.

kanwaljit singh – #25

I totally agree with bill, as we know that support for short tags might be discontinued in future(at least its not going to be set to on for default), its better to avoid it if u dont have access to your php.ini or if you want to make portable scripts for distribution or selling.

For that reason I always turn off short tags option on my development PC’s Php.ini.

Really nice and detailed article :-)

asad – #26

hi how r u …i have the problem with php .. the page is not display the data but it display the header and footer
i am totally confused what is the problem .. the code is working on other machine but not working on my machine. i installed wamp server which is working.

Rex – #27

i have a problem in PHP. i installed my project in a linux OS. then when i click one of the menu on my project, a window will pop up asking me if i want to open the *.php..Is there any concern with the rights?

Marcos – #28

“All of my PHP code was silently output directly to the browser, completely ignored by PHP! No runs, no hits, no errors.”

Perhaps you forgot to restart Apache after changing php.ini?

Regards,

Marcos.

Abeon – #29

Well, I’ll be…..

You learn something new every day!
I’m a code minimilist so this will be usefull for me, thanks :)

Jakub Lédl – #30

Sorry, sir, but few of your programming techniques really made me wonder what kind of programmer are you.

WTF is supposed to be this:

function echo_message() {
       echo "Message."
}

echo "blah", echo_message(), "blah"

This has nothing to do with echo beign a language construct, this is just stupid! I mean, if ... elseif ... else is also an language construct, and still you would write

function create_cond() {
       return true;
}

if (create_cond()) {
       ...
}

and not

function create_cond() {
       echo true;
}

so that the value is returned, not echoed (if you won’t, then you totally don’t grasp basic concepts of programming. How do you ever wanna do OOP?)!

And also, I found quite interesting this:

if (!!ini_get("short_open_tags")) {

why not just

if (ini_get("short_open_tags")) {

???

Bill Brown – #31

@Jakub

The examples in this article are contrived as an attempt to isolate the behaviors of the echo language construct.

I fear you’ve missed the point of the article but am happy to answer any of your questions directly, including any related to OOP, as I code solely using object oriented programming techniques.

Thanks for your feedback and sorry the information wasn’t more clear to you.

Dave Coleman – #32

It seems to me the short tags security problem was completely artificially created by the PHP Development Team by making the setting optional. Had they made short tags always on by default when this issue began years ago, there wouldn’t be any of these ‘security’ issues.

And the xml tag opener issue is just one single line of code at the top of xml files that can easily be worked around with about 6 characters of code ONCE, instead of adding 7 characters of code every time you want to output a variable, in particular “<?php echo” instead of “<?=”.

Jakub Lédl – #33

My apologies, I misunderstood the point of this article.

As for the problem with xml declaration, nicest solution I’ve seen so far is this:

<?xml version="1.0" encoding="utf-8" ?>

Tomás – #34

Thanks for the tip.

Jakub Lédl – #35

Oh sh*t, I came back. What happened to that code I posted? Does this CMS remove PHP from comments or what? I now look like an idiot :-)

This is what I meant:

http://www.sourcepod.com/idhblx03-2718

Edit: <<?php ?>?xml version="1.0" encoding="utf-8"?>

bucabay – #36

AT Jakub <?xml such as that on http://www.sourcepod.com/idhblx03-2718

Why is it nice? Is it an OOP solution? Just kidding.

Bill Brown – #37

@Jakub:

Of course, there are many ways to bypass the XML declaration issue when you have PHP short tags enabled. Since the intention of the fix you posted is to fix the problem when short tags are enabled, you could probably shorten your hack by leaving the PHP off altogether.

I haven’t tested, but in theory, any of these should work:

<<??>?xml version="1.0" encoding="utf-8"?>
<<?/*XML*/?>?xml version="1.0" encoding="utf-8"?>
<<?php?>?xml version="1.0" encoding="utf-8"?>
<<?php/*XML*/?>?xml version="1.0" encoding="utf-8"?>