PHP Short Open Tag: Convenient Shortcut or Short Changing Security?
Post #659 categorized as Function, last updated on Jan 14, 2009
Tagged with code, htaccess, php, security
![[ Echo Shortcut Code ]](http://perishablepress.com/press/wp-content/images/2009/misc-chunks/echo-shortcut.gif)
Most of us learned how to use “echo()” in one of our very first PHP tutorials. That was certainly the case for me. As a consequence, I never really had a need to visit PHP’s documentation page for echo(). On a recent visit to Perishable Press, I saw a Tumblr post from Jeff about the use of PHP’s shortcut syntax for echo() but somewhere deep in my memory, there lurked a warning about its use. I decided to investigate.
My first step in the investigation was to visit PHP’s documentation, where I learned:
echo()is a language construct, not a true function- if I pass
echo()more than one parameter, I cannot use parentheses echo()has a shortcut syntax (<?=$variable?>), but it requires that theshort_open_tagconfiguration is enabled
Recalling that I had once heard something about the insecurity of enabling the short_open_tag, I googled away. I saw a lot of opinions, but no real hard facts or examples showcasing any possible problems. It was time to experiment.
Using an Ubuntu Ibex box with PHP 5 on the Apache 2.2 server, I created a PHP document which contained only the following code:
<?
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>As you’d expect, I saw the following output in my browser:
<p>This is my primary message.</p>
<p>This is my secondary message.</p>
<p>This is my tertiary message.</p>This seemed fine to me, so I decided to go into my php.ini file and disable short_open_tag and see what happened. On line 77, I found this ominous and foreboding harbinger of doom:
; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
; NOTE: Using short tags should be avoided when developing applications or
; libraries that are meant for redistribution, or deployment on PHP
; servers which are not under your control, because short tags may not
; be supported on the target server. For portable, redistributable code,
; be sure not to use short tags.
short_open_tag = OnI guess it’s not really all that ominous but why wasn’t it in the PHP documentation? Anyway, a quick toggle…
short_open_tag = Off
…and back to the browser resulted in this unexpected output:
<?
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>All of my PHP code was silently output directly to the browser, completely ignored by PHP! No runs, no hits, no errors. “Not good,” I thought. So, I changed the code a little bit to ensure that PHP was still functioning properly. So now this code:
<?php
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>…resulted in this output:
<?=$message1?>
<?=$message2?>
<?=$message3?>Obviously, this is a contrived example. Programmers don’t hardcode sensitive information like that. We ARE all keeping our MySQL connection scripts outside the web root anyway, right? Still, it doesn’t produce the results we want.
Modifying both code blocks to use the full syntax fixed this:
<?php
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?php
echo $message1,
$message2,
$message3;
?>…reliably and predictably resulting in this output (regardless of the short_open_tag configuration):
<p>This is my primary message.</p>
<p>This is my secondary message.</p>
<p>This is my tertiary message.</p>To ensure short_open_tag was set to “off”, I also added this block to my central HTAccess file:
php_flag short_open_tag off
On my system, at least, I was able to use the HTAccess file to toggle this configuration. The short_open_tag configuration cannot be toggled using ini_set(), although you can test against it by using ini_get("short_open_tag").
Comma here, I wanna show you something…
Those of you with keen eyes may have also noticed my use of commas to separate instead of periods to concatenate my variables in that last echo(). I tend to use commas because once again, they produce more predictable and reliable results. Consider the following:
<?php
function echo_message () {
echo "I am a message.";
}
echo "<p>Message: ".echo_message()."</p>";
echo "<p>Message: ",echo_message(),"</p>";
?>You’d probably expect the output to look like this:
<p>Message: I am a message.</p>
<p>Message: I am a message.</p>…but what you actually get is this:
I am a message.
<p>Message: </p>
<p>Message: I am a message.</p>This is a result of echo()’s special place as a language construct. When using concatenation, echo() must first evaluate the full, concatenated parameter before proceeding. When it does that, it triggers the echo() inside our echo_message() function which is immediately output to the browser before our first echo() has had a chance to complete its evaluation. Thus, we get the mixed up order of our output. In the second example, our first echo() evaluates and outputs each parameter individually. Since echo() itself actually returns NULL, from PHP’s point of view, our code looks more or less something like this:
<?php
echo_message();
echo "<p>Message: ".NULL."</p>";
echo "<p>Message: ";
echo echo_message(); # outputs "I am a message." and returns null
echo "</p>";
?>To produce more predictable results, we could also do this:
<?php
function return_message () {
return "I am a message.";
}
echo "<p>Message: ".return_message()."</p>";
echo "<p>Message: ",return_message(),"</p>";
?>…which will now produce exactly what we want:
<p>Message: I am a message.</p>
<p>Message: I am a message.</p>Conclusion
The idea of an echo() shortcut is brilliant. It might be more useful had it been carried through so that <?php=$something?> would also result in output being echoed to the browser. In its current incarnation, I find it too unpredictable to be used in a production level application.
That’s my opinion, but the real question was: Are short open tags (and therefore the echo shortcut) security risks?
Anything that doesn’t produce predictable, reliable results can be problematic. Using short open tags when they are disabled produces no error or warning message of any kind. It simply fails, outputting your code directly and silently. In contrived examples, this can show devastating results. In real life, it’s more likely to be annoying than catastrophic. The most important thing is to be aware of it. Then, you can decide for yourself.
About the Author
Over the course of 33 years, Bill Brown has lived and worked in West Africa as a Field Station Coordinator on Bioko Island in Equatorial Guinea, represented the Memorex line of consumer electronics on QVC, owned a squirrel, taught improvisation and stage combat and launched two successful improv comedy troupes. Oh, and along the way, he’s developed some websites and applications.
Self-taught with a penchant for entertaining others, Bill’s clients have included internationally renowned photographer Steve McCurry, The National Maritime Law Enforcement Academy (whose site was deleveoped entirely in the rain forests of Bioko Island), Virtual Giving, Workforce Strategy Center and the WSC web application Pathways to Competitiveness. Bill was also a presenter at the 2008 National Association of Government Webmasters conference in Chicago, IL.
Bill owns and run WebDevelopedia.com and is an active member of several mailing lists, including the CSS Discussion List. When not online, Bill can be found enjoying the company of his girlfriend, Jessica and their dog, Leica (she doesn’t have a web site).
Share this..
Related articles
- Secrets of the Conditional Tag Revealed: How to Gain More Control Over Your WP Templates
- Why Can’t I Login to My LinkedIn Account?
- One Link to Open Them All
- Important Security Fix for WordPress
- Building the 3G Blacklist, Part 2: Improving Site Security by Preventing Malicious Query-String Exploits
- Customize Password-Protected Posts
- Building the 3G Blacklist, Part 5: Improving Site Security by Selectively Blocking Individual IPs
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=2a208fe3c7dea01320a98b496a5114af&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=9bf6321a639dcf778c84ca8cc71da5bc&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=661b083b3ed2fcee6ce0fc1347a55d37&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=022180a0bd0cafea80552dcce4ceeae2&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=8c2b865c7dc7409c4cc0e80979b5cbb5&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=049051b250b5c2e05b795e19e5f6c8e4&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=8e14132a938f8dc6f86af4f7cdb84394&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=5b17270408e431f364cf25dd78921d71&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=749a9b121558d518a1d1fb7459b3b29b&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=00695bac892facb00b925e333518176a&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=ac97b5f71c623d60aa7e8f534908dd75&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=4402e0c51875692261e7b18525c93179&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=7e87f2cc768f6b1a593d4af9c5bb1583&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
![[ Gravatar Icon ]](http://www.gravatar.com/avatar.php?gravatar_id=24ef487a4d988baa9927042f35e22e36&rating=PG&size=50&default=http%3A%2F%2Fperishablepress.com%2Fpress%2Fwp-content%2Fthemes%2Frequiem%2Fimages%2Fblank.png "Visit gravatar.com to get your own free Globally Recognized Avatar!"){kind=avatar}
#1 — Louis
Great post Mr. Brown, I really appreciated the reading! It’s interesting to finally see someone that take the time to verify that the tools he uses are the good ones. The examples are very clear too, thank you.
By the way, this reinforces my desire to learn Ruby/Python and say goodbye to PHP.