Latest Tweets404 Fix: Block Nuisance Requests for Non-Existent Files: perishablepress.com/block-nuis…
Perishable Press

PHP Short Open Tag: Convenient Shortcut or Short Changing Security?

Bill Brown Exclusive guest post by .

[ Echo Shortcut Code ] Most of us learned how to use “echo()” in one of our very first PHP tutorials. That was certainly the case for me. As a consequence, I never really had a need to visit PHP’s documentation page for echo(). On a recent visit to Perishable Press, I saw a Tumblr post from Jeff about the use of PHP’s shortcut syntax for echo() but somewhere deep in my memory, there lurked a warning about its use. I decided to investigate.

My first step in the investigation was to visit PHP’s documentation, where I learned:

  • echo() is a language construct, not a true function
  • if I pass echo() more than one parameter, I cannot use parentheses
  • echo() has a shortcut syntax (<?=$variable?>), but it requires that the short_open_tag configuration is enabled

Recalling that I had once heard something about the insecurity of enabling the short_open_tag, I googled away. I saw a lot of opinions, but no real hard facts or examples showcasing any possible problems. It was time to experiment.

Using an Ubuntu Ibex box with PHP 5 on the Apache 2.2 server, I created a PHP document which contained only the following code:

<?
	$username = "username";
	$password = "password";
	$message1 = "<p>This is my primary message.</p>\n";
	$message2 = "<p>This is my secondary message.</p>\n";
	$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>

As you’d expect, I saw the following output in my browser:

<p>This is my primary message.</p>
<p>This is my secondary message.</p>
<p>This is my tertiary message.</p>

This seemed fine to me, so I decided to go into my php.ini file and disable short_open_tag and see what happened. On line 77, I found this ominous and foreboding harbinger of doom:

; Allow the <? tag.  Otherwise, only <?php and <script> tags are recognized.
; NOTE: Using short tags should be avoided when developing applications or
; libraries that are meant for redistribution, or deployment on PHP
; servers which are not under your control, because short tags may not
; be supported on the target server. For portable, redistributable code,
; be sure not to use short tags.
short_open_tag = On

I guess it’s not really all that ominous but why wasn’t it in the PHP documentation? Anyway, a quick toggle…

short_open_tag = Off

…and back to the browser resulted in this unexpected output:

<?
	$username = "username";
	$password = "password";
	$message1 = "<p>This is my primary message.</p>\n";
	$message2 = "<p>This is my secondary message.</p>\n";
	$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>

All of my PHP code was silently output directly to the browser, completely ignored by PHP! No runs, no hits, no errors. “Not good,” I thought. So, I changed the code a little bit to ensure that PHP was still functioning properly. So now this bit of PHP code:

<?php
	$username = "username";
	$password = "password";
	$message1 = "<p>This is my primary message.</p>\n";
	$message2 = "<p>This is my secondary message.</p>\n";
	$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>

…resulted in this output:

<?=$message1?>
<?=$message2?>
<?=$message3?>

Obviously, this is a contrived example. Programmers don’t hardcode sensitive information like that. We ARE all keeping our MySQL connection scripts outside the web root anyway, right? Still, it doesn’t produce the results we want.

Modifying both code blocks to use the full syntax fixed this:

<?php
	$username = "username";
	$password = "password";
	$message1 = "<p>This is my primary message.</p>\n";
	$message2 = "<p>This is my secondary message.</p>\n";
	$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?php
	echo $message1,
	     $message2,
	     $message3;
?>

…reliably and predictably resulting in this output (regardless of the short_open_tag configuration):

<p>This is my primary message.</p>
<p>This is my secondary message.</p>
<p>This is my tertiary message.</p>

To ensure short_open_tag was set to “off”, I also added this block to my central HTAccess file:

php_flag short_open_tag off

On my system, at least, I was able to use the HTAccess file to toggle this configuration. The short_open_tag configuration cannot be toggled using ini_set(), although you can test against it by using ini_get("short_open_tag").

Comma here, I wanna show you something…

Those of you with keen eyes may have also noticed my use of commas to separate instead of periods to concatenate my variables in that last echo(). I tend to use commas because once again, they produce more predictable and reliable results. Consider the following:

<?php
	function echo_message () {
		echo "I am a message.";
	}
	echo "<p>Message: ".echo_message()."</p>";
	echo "<p>Message: ",echo_message(),"</p>";
?>

You’d probably expect the output to look like this:

<p>Message: I am a message.</p>
<p>Message: I am a message.</p>

…but what you actually get is this:

I am a message.
<p>Message: </p>
<p>Message: I am a message.</p>

This is a result of echo()’s special place as a language construct. When using concatenation, echo() must first evaluate the full, concatenated parameter before proceeding. When it does that, it triggers the echo() inside our echo_message() function which is immediately output to the browser before our first echo() has had a chance to complete its evaluation. Thus, we get the mixed up order of our output. In the second example, our first echo() evaluates and outputs each parameter individually. Since echo() itself actually returns NULL, from PHP’s point of view, our code looks more or less something like this:

<?php
	echo_message();
	echo "<p>Message: ".NULL."</p>";
	echo "<p>Message: ";
	echo echo_message(); # outputs "I am a message." and returns null
	echo "</p>";
?>

To produce more predictable results, we could also do this:

<?php
	function return_message () {
		return "I am a message.";
	}
	echo "<p>Message: ".return_message()."</p>";
	echo "<p>Message: ",return_message(),"</p>";
?>

…which will now produce exactly what we want:

<p>Message: I am a message.</p>
<p>Message: I am a message.</p>

Download/Demo

Check out the demo files that show some examples for this tutorial:

PHP Short Open Tag : Example Files – Version 1.0 (3 KB zip)
Note: the demo files require PHP to work properly. Please don’t host these files on a live production server — for private use only. Disclaimer: by downloading the demo files, you accept all liability for use and agree not to sue anyone.

Conclusion

The idea of an echo() shortcut is brilliant. It might be more useful had it been carried through so that <?php=$something?> would also result in output being echoed to the browser. In its current incarnation, I find it too unpredictable to be used in a production level application.

That’s my opinion, but the real question was: Are short open tags (and therefore the echo shortcut) security risks?

Anything that doesn’t produce predictable, reliable results can be problematic. Using short open tags when they are disabled produces no error or warning message of any kind. It simply fails, outputting your code directly and silently. In contrived examples, this can show devastating results. In real life, it’s more likely to be annoying than catastrophic. The most important thing is to be aware of it. Then, you can decide for yourself.

Bill Brown
About the Author Bill is the creator of WebDevelopedia.com and is an active member of several discussion lists, including the CSS Discussion List. When not online, Bill can be found enjoying the company of his girlfriend, Jessica and their dog, Leica (she doesn’t have a web site).
Archives
43 responses
  1. Great post Mr. Brown, I really appreciated the reading! It’s interesting to finally see someone that take the time to verify that the tools he uses are the good ones. The examples are very clear too, thank you.

    By the way, this reinforces my desire to learn Ruby/Python and say goodbye to PHP.

  2. Louis,

    Thank you kindly for your complimentary response.

    I’m not yet skilled in Ruby/Python (it’s on the list), but every language has the potential for security gaps. It’s really up to the developer to understand the tools provided to us by any language and ensure that we’re not using them in a way that sacrifices too much security.

    One assumes that every language has the potential to be insecure, depending on how it’s applied.

    In any event, thank you again for your kind words. Stay well. –Bill

  3. Hm – this is an interesting post. The thing that makes me wonder is exactly why PHP includes some support for shorthand code other than the “convenience” of use? I prefer to stick to one way of coding (using the full <?php tags and echo statements), and allowing lenience for PHP developers such as myself presents all sorts of problems, mainly the one you mentioned.

    Nonetheless, this was a very imformative article.

  4. Bill Brown

    Thanks to everyone who commented on Bill’s premier guest post. I also enjoyed the article immensely and am looking forward to seeing more of his articles posted here at Perishable Press. If all goes according to plan, we’ll be reading much more from Bill in the future. Stay tuned!

  5. Antoine Leclair January 13, 2009 @ 10:17 am

    Short tags really shine when you completely separate logic from presentation (like we do when we use the MVC design pattern).

    Here’s a short example:

    <?php
         // Business logic here
         $my_array = function_that_fills_the_array();
    ?>

    <h1>The page title</h1>

    <ul>

    <?php foreach ($my_array as $element) : ?>

         <li><?= $element ?></li>

    <?php endforeach ?>

    </ul>

    The way you used it in your post was not really useful. I mean, the point of using short tags is to make it more readable when you embed PHP variables into HTML. I don’t think it’s a good idea to add HTML in PHP variables.

  6. If all goes according to plan, we’ll be reading much more from Bill in the future.

    Awesome!

  7. Re: Antoine

    “Short tags really shine when you completely separate logic from presentation (like we do when we use the MVC design pattern)”

    Unless they’re disabled, in which case, they don’t do anything,, except pose a potential security risk, regardless of whether you’re using the Model-View-Controller (MVC) design pattern or not.

    “The way you used it in your post was not really useful.”

    Sorry about that. I don’t see much of a difference between my examples and yours save the lack of any HTML in your example.

    “I mean, the point of using short tags is to make it more readable when you embed PHP variables into HTML.”

    I don’t think it makes it more readable at all. I find the inconsistency awfully unattractive.

    “I don’t think it’s a good idea to add HTML in PHP variables.”

    I imagine I must be misreading this sentence. Otherwise, I have to assume that you’re telling me you never store ANY HTML in your databases, which seems terribly unlikely, or a terribly large and unoptimized database.

  8. Antoine Leclair January 13, 2009 @ 11:42 am

    @Bill
    For a designer (that mainly touches HTML, not PHP), I think
    <li><?php echo $variable ?></li>
    is less readable than
    <li><?= $variable ?></li>
    But I think it’s a matter of opinion.

    Regarding HTML in PHP variables, I was thinking of short texts.

    What I usually do is:
    If I output code that contains the necessary HTML, I use
    <?php echo $variable; ?>
    If I output code that does not (like in my previous example), I use
    <?= $variable ?>

    Again, unless I have to embed HTML in variables, I try to avoid it. In, let’s say, a blog post, or product description, I am not ashamed to embed HTML. But if formating is not necessary, I avoid it.

  9. @Antoine

    The fact that you’ve made the choice to use the short tags is what separates you from the developer who uses it blindly. I applaud you for having made an educated decision, even if it’s one I disagree with.

    I suppose the real purpose of an article such as this is to foster knowledge as well as intelligent discourse. It seems we’ve succeeded. ;-)

    Incidentally…je parle seulement un peu de Francais, mais votre site internet est tres beau. Le bon travail!

  10. Antoine Leclair January 14, 2009 @ 7:43 am

    @Bill

    I think we both agree on that ;).

    Thanks for the little French sentence. We feel so lonely on the web, us, non-English people, hehe. Your site is pretty cool too. I like fixed background with transparent content ;).

  11. @Antoine

    Bien sur et de rien, mon ami.

    My sites are woefully underdeveloped and underdesigned. I’ve been all too busy with client work, which is good for the bank account, but bad for the personal sites.

    Cheers!

  12. I use a custom templating system. Instead of typing <?php echo I simply type <: and the closing tag stays the same. The parser converts the tags for me before they are rendered in an eval(). I also use <; for plain old <?php and <o for and it makes me happy. =D/

[ Comments are closed for this post ]