PHP Short Open Tag: Convenient Shortcut or Short Changing Security?
Most of us learned how to use “echo()
” in one of our very first PHP tutorials. That was certainly the case for me. As a consequence, I never really had a need to visit PHP’s documentation page for echo()
. On a recent visit to Perishable Press, I saw a Tumblr post from Jeff about the use of PHP’s shortcut syntax for echo()
but somewhere deep in my memory, there lurked a warning about its use. I decided to investigate.
My first step in the investigation was to visit PHP’s documentation, where I learned:
echo()
is a language construct, not a true function- if I pass
echo()
more than one parameter, I cannot use parentheses echo()
has a shortcut syntax (<?=$variable?>
), but it requires that theshort_open_tag
configuration is enabled (see popout note below)
<?=
tag always is available regardless of the short_open_tag
ini setting.Recalling that I had once heard something about the insecurity of enabling the short_open_tag
, I googled away. I saw a lot of opinions, but no real hard facts or examples showcasing any possible problems. It was time to experiment.
Using an Ubuntu Ibex box with PHP 5 on the Apache 2.2 server, I created a PHP document which contained only the following code:
<?
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>
As you’d expect, I saw the following output in my browser:
<p>This is my primary message.</p>
<p>This is my secondary message.</p>
<p>This is my tertiary message.</p>
This seemed fine to me, so I decided to go into my php.ini
file and disable short_open_tag
and see what happened. On line 77, I found this ominous and foreboding harbinger of doom:
; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
; NOTE: Using short tags should be avoided when developing applications or
; libraries that are meant for redistribution, or deployment on PHP
; servers which are not under your control, because short tags may not
; be supported on the target server. For portable, redistributable code,
; be sure not to use short tags.
short_open_tag = On
I guess it’s not really all that ominous but why wasn’t it in the PHP documentation? Anyway, a quick toggle…
short_open_tag = Off
…and back to the browser resulted in this unexpected output:
<?
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>
All of my PHP code was silently output directly to the browser, completely ignored by PHP! No runs, no hits, no errors. “Not good,” I thought. So, I changed the code a little bit to ensure that PHP was still functioning properly. So now this bit of PHP code:
<?php
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?=$message1?>
<?=$message2?>
<?=$message3?>
…resulted in this output:
<?=$message1?>
<?=$message2?>
<?=$message3?>
Obviously, this is a contrived example. Programmers don’t hardcode sensitive information like that. We ARE all keeping our MySQL connection scripts outside the web root anyway, right? Still, it doesn’t produce the results we want.
Modifying both code blocks to use the full syntax fixed this:
<?php
$username = "username";
$password = "password";
$message1 = "<p>This is my primary message.</p>\n";
$message2 = "<p>This is my secondary message.</p>\n";
$message3 = "<p>This is my tertiary message.</p>\n";
?>
<?php
echo $message1,
$message2,
$message3;
?>
…reliably and predictably resulting in this output (regardless of the short_open_tag
configuration):
<p>This is my primary message.</p>
<p>This is my secondary message.</p>
<p>This is my tertiary message.</p>
To ensure short_open_tag
was set to “off
”, I also added this block to my central HTAccess file:
php_flag short_open_tag off
On my system, at least, I was able to use the HTAccess file to toggle this configuration. The short_open_tag
configuration cannot be toggled using ini_set()
, although you can test against it by using ini_get("short_open_tag")
.
Comma here, I wanna show you something…
Those of you with keen eyes may have also noticed my use of commas to separate instead of periods to concatenate my variables in that last echo()
. I tend to use commas because once again, they produce more predictable and reliable results. Consider the following:
<?php
function echo_message () {
echo "I am a message.";
}
echo "<p>Message: ".echo_message()."</p>";
echo "<p>Message: ",echo_message(),"</p>";
?>
You’d probably expect the output to look like this:
<p>Message: I am a message.</p>
<p>Message: I am a message.</p>
…but what you actually get is this:
I am a message.
<p>Message: </p>
<p>Message: I am a message.</p>
This is a result of echo()
’s special place as a language construct. When using concatenation, echo()
must first evaluate the full, concatenated parameter before proceeding. When it does that, it triggers the echo()
inside our echo_message()
function which is immediately output to the browser before our first echo()
has had a chance to complete its evaluation. Thus, we get the mixed up order of our output. In the second example, our first echo()
evaluates and outputs each parameter individually. Since echo()
itself actually returns NULL
, from PHP’s point of view, our code looks more or less something like this:
<?php
echo_message();
echo "<p>Message: ".NULL."</p>";
echo "<p>Message: ";
echo echo_message(); # outputs "I am a message." and returns null
echo "</p>";
?>
To produce more predictable results, we could also do this:
<?php
function return_message () {
return "I am a message.";
}
echo "<p>Message: ".return_message()."</p>";
echo "<p>Message: ",return_message(),"</p>";
?>
…which will now produce exactly what we want:
<p>Message: I am a message.</p>
<p>Message: I am a message.</p>
Download/Demo
Check out the demo files that show some examples for this tutorial:
Conclusion
The idea of an echo()
shortcut is brilliant. It might be more useful had it been carried through so that <?php=$something?>
would also result in output being echoed to the browser. In its current incarnation, I find it too unpredictable to be used in a production level application.
That’s my opinion, but the real question was: Are short open tags (and therefore the echo shortcut) security risks?
Anything that doesn’t produce predictable, reliable results can be problematic. Using short open tags when they are disabled produces no error or warning message of any kind. It simply fails, outputting your code directly and silently. In contrived examples, this can show devastating results. In real life, it’s more likely to be annoying than catastrophic. The most important thing is to be aware of it. Then, you can decide for yourself.
43 responses to “PHP Short Open Tag: Convenient Shortcut or Short Changing Security?”
@Langel
I would say to you the same thing I said to Antoine: The best thing is that you’re aware of the issues and have made an informed decision about what works best for you.
That’s all I can hope for from an article such as this. I’m no security expert and I taught myself to code, so I imagine I’m plagued with habits which would appall others, while my own need for absolute control of my applications creates for me a certain distaste for some popular PHP coding practices, the use of PHP’s short tags among them.
Thanks for the heads up! I just (re)discovered this shortcut recently. I’m glad I read this article before I started using it too heavily (as it is really handy).
The problem you describe here isn’t so much a problem with PHP short tags…the problem is running things in an unknown environment.
For example, if the PHP module isn’t loaded or if Apache’s AddType directive hasn’t been issued for “.php” files, raw PHP will be sent to the browser, even if you’re using the full “<?php”-style tags.
The lesson here is to be aware of what server configurations your coding depends on, and to ensure that any server intended for production use is configured accordingly and will run your code properly before bringing it online.
PS hit the nail on the head IMO. Some people go on like short open tags are devil spawn.
This was a great short article to read on the subject. I’ve been aware of short tags for a while and my inclination is to use them as Antoine suggests (separating logic from presentation). I agree completely that it’s one of those decisions an informed developer can and should make for themselves, and I feel more informed to make that decision as a developer thanks to your article and the comments.
I totally agree with the mindset that usage of the short open tags should be an informed decision, made with full knowledge of the benefits and drawbacks and security issues involved. One detail I did not see mentioned here (and one of the reasons I see frequently quoted as an argument against short open tags) is that there is supposedly an issue involving XML open tags in certain instances? (I myself have never personally dealt with any such issue, but I tend to stick to the full PHP tags just for safety and compatibility anyhow.)
That having been said, I can totally see how the construct could be entirely too convenient (and readable) to ignore for some developers/designers, but if you should choose to use such conveniences, my advice is similar to that in other comments here and elsewhere on the web. Do not use such features without well researched knowledge. Don’t just code willy-nilly, assuming that it will work as expected without fully considering the implications of the choices you make.
Thank you very much to the author, Bill Brown, for adding an informative and helpful tidbit on the web regarding this important topic of web application security. It is a topic which should be at the forefront of every web application developer’s mind while coding their latest and greatest shiny new Web-five-point-oh buzz-word application. ;)
The issue with PHP’s short tags and XML is that PHP will attempt to parse anything which begins with “
<?
”. This means that XML, which begins with<?xml
is sent to the PHP engine, generating errors since it is not PHP (obviously).To work around this issue while using short tags, you can do this:
<?="<?xml version='1.0' encoding='UTF-8'?>n";?>
or this:
<?php echo "<?xml version='1.0' encoding='UTF-8'?>;n";?>
Of course, if you are using PHP’s short open tag, you might also want to include a check in the beginning of your scripts to save yourself any headache in the future. Something like this ought to do the trick:
<?php if(!ini_get('short_open_tag'))die("Short open tag disabled!"); ?>
…or to ensure it is always disabled:
<?php if(!!ini_get('short_open_tag'))die("Short open tag enabled!"); ?>
Short open tags is such a headache when it comes to unknown environments. I’ve had numerous cases of debugging sites and find that it had to do with short open tags. Either <?xml being mangled because it was enabled, or php not executing code within short open tags when it wasn’t enabled. It can be one of those problems that gets hard to track – especially in xml.
If your php code will generate XML, or you want your PHP code to be redistributable then do not use short open tags.
If you do not use it, you don’t have to worry about the setting. It makes no difference.
I’ve never run across any problems with short open tags. But after reading your detailed article on the downfalls of it, I will go back to writing echo the long way.
Thanks for this great article!
I stopped using the short tags when I first uploaded a little something and nothing worked because they were disabled. When I read about the echo shortcut I thought yes why not, but then I remembered changing hundreds of short tags and the idea was smashed.
And I can only endorse what Gabe said: Whenever you’re using XHTML templates or do something with AJAX (the real AJAX with XML) or do some advanced XML stuff with Processing Instructions (and not using the DOM lib), you have to decide: Shortcut echo or echo all those <?.
I had used short tags earlier. One website i had to change around 470 instances and lot of them were manual. All that was the server didn’t support short tags. After that i never use short tags. And i advise everyone not to use it in production servers.
In case you’re still trying to manually edit short open tags in PHP to the long form, I’d suggest using a search and replace.
You can even write the script in PHP. eg:
scandir()
to get all files and directories,file_get_contents()
to read the file, andstr_replace()
orpreg_replace()
to do your adjustments.It really helps to have a few of these scripts put together so repetitive tasks aren’t done manually. There really is no need to change every instance of
<?
into<?php
manually.