What’s the deal with short_open_tag?

A friend asked me today:

Why isn’t short_open_tag set to On in php.ini at [servers you set up] or in general?

Basically short_open_tag allows you to use <? and <?= in addition to <?php when formatting code. The latter can be very useful if you are using PHP as a templating language—like with Savant or no templating system at all.

Many people think that there is a security reason for this. For the life of me, I can’t really see the security problem with the setting though I can see the security problem with the coding. That is… if you code using short_open_tags, then you run the risk of running that code on a server where this variable it is off somewhere and suddenly you are dumping PHP code to people’s browsers. But that almost never happens and really if you have a configuration issue, you have bigger problems.

The real reason is simply that it violates valid XML markup to use short tags. Simply put, let’s say you have an example where your PHP page has to generate a valid XML file that needs a XML directive.

<?xml version="1.0" ?>

With short_open_tags, this will generate a fatal error in the PHP engine! The workaround is to do something nasty like

echo '<'.'?xml version="1.0" ?>';

(or some such). As more websites contained XHTML or some weird sort of sacrifice to the Gods of all things XML (SOAP, XMLRPC, REST-XML), it was sooner convenient to admit defeat and just start coding in valid XML markup.

It violates valid xml. It was not recommended for use because it isn’t guaranteed to be on everywhere. Ever since then people have been in the habit of not using short tags just in case they are off. Soon, it became part of the php.ini-recommended and short tags, like asp_tags and the alternative syntax for control structures got relegated to the dustbin of history.

What is the alternative syntax for control structures? Let’s not go there. 😉

14 thoughts on “What’s the deal with short_open_tag?

  1. There are 2 problems with this explanation:
    1. Why on green Earth PHP code would be supposed to be valid XML? It's like saying we shouldn't use some language construct in C++ because if I run it through PostScript interpreter it would not be a valid PostScript.
    2. That does not address the issue of "<?=" being always available – which is a frequent feature request and which has no other problem than XML zealots hating it.

    1. That could be useful to template engineers. It’d be interesting if you could also supply your own echo for that purpose as some people might want “echo htmlspecialchars” or “echo htmlentities” for that.

      Personally, I don’t find myself writing many templates nowadays as most data transactions seem to be occurring through JSON or a similar library that allows the data to be directly embedded without a repetition of writing of these sort of tags. This does call into question the importance of PHP in the future in that environment.

  2. It's misleading to suggest that this is to do with "XML validity". Obviously it's nothing of the sort, but that misstatement is heard so often that I suspect you've simply repeated it without thinking, since you do mention the correct issue: as you note, with the setting on, straight XML files will get parsed as PHP by the server, resulting in no end of horrid errors. The matter of markup, valid or otherwise, is clearly irrelevant.

    1. Hmm, it is my understanding that the XML Spec on processing instructions must define a PITarget. Therefore having a ” ” or an “=” is not a name making PHP code not parse as valid XML.

      While there is no reason for having PHP parse as valid XML (thought it might be convenient if you are using something like HTMLTidy to validate the XHTML or XML portion of the file), I believe the “<?" tag in PHP preceded the addition of the "<?php" tag. The question is then why was the "<?php" start tag added? When you answer that you get the conclusion "XML validity."

  3. Thanks! I believe I set my API key for facebook connect up correctly so I should probably recheck that with Intense Debate.

    You are correct that the alternative syntax for control structures is not deprecated, or even frowned upon. Since that rule for it is easy to write for into the lexer, it will never disappear. I just find it interesting that something put in the language due to laziness in what the language designer wanted to put in has found new life in an obscure corner of the world (basically in long template code where it will be hard to find the matching brace).

    Of course, PHP isn't exactly Perl so I guess there might be one reason to frown upon its usage: confusion when a PHP programmer comes across that archaic structure. Allowing such expressivity is usually the purview of a Perl developer. 😉

  4. A good editor should find the matching brace, and nowadays few people are writing long templates anymore. However, if you do things in a large template (in PHP) or in a PHP-embedded templating system (like Savant, etc.) then I, too, can see your point. 🙂

    Nowadays my attitude is, for the web, why not put a lot of that data another format json and decouple. But maybe it's because I don’t have convenient ways of writing embedded output like with the "<?="! 😀

  5. Haha, you guys crack me up. I hope they remove the short_open_tag setting entirely in PHP6 and turn it on by default all the time and then people can stop whining and making stupid excuses as to why they shouldn't be used.

    Unless you have php interpreting all text files, I don't see a conflict with xml. xml would have a different mime-type than php files so the <??> in the file wouldn't be interpreted in that scenario. In the scenario that the the xml declaration is included in a php file, the syntax isn't goofy at all as the author might think:

    <<??>?xml version="1.0" encoding="utf-8"?>

  6. I think there is a security issue. Because if you have developed any library for redistribution purpose and have done coding with assumption of having short tags on then there can be problem. because you dont have control on server configuration of one who is going to use your library.

  7. Why does it matter if a PHP tag is valid XML or not? All the rest of the code will clearly not be valid XML. It's PHP code.

    Also, you don't need to do all that crazy concatenating to get your xml tags included. PHP will ignore ?> tags when they are inside a string. Straight up:
    echo '<?xml version="1.0" encoding="UTF-8" ?>'; works just fine.

    All those nit-picky points said, your explanation is dead on.

  8. What I heard was that in PHP 5.4, the <?= was going to be possible to be used by default because it wouldn't conflict with the XML header. So, if I got that story right, then in the future we won't have to keep using the annoying <?php echo statements and can stick with the shorter <?= syntax, but will still be required to use <?php for control structures. Note also that I've been in the trenches with PHP since the days of like PHP3 (when I first used this tutorial:http://www.devshed.com/c/a/PHP/PHP3-Introduction/) and I've yet to meet a client with a web hosting plan that REQUIRES long open tags. One hundred percent of my clients since like the year 2000 had hosting plans that supported short open tags by default.

    I prefer the <?= because it's less typing.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.