What’s the deal with short_open_tag?

A friend asked me today:

Why isn’t short_open_tag set to On in php.ini at [servers you set up] or in general?

Basically short_open_tag allows you to use <? and <?= in addition to <?php when formatting code. The latter can be very useful if you are using PHP as a templating language—like with Savant or no templating system at all.

Many people think that there is a security reason for this. For the life of me, I can’t really see the security problem with the setting though I can see the security problem with the coding. That is… if you code using short_open_tags, then you run the risk of running that code on a server where this variable it is off somewhere and suddenly you are dumping PHP code to people’s browsers. But that almost never happens and really if you have a configuration issue, you have bigger problems.

The real reason is simply that it violates valid XML markup to use short tags. Simply put, let’s say you have an example where your PHP page has to generate a valid XML file that needs a XML directive.

<?xml version="1.0" ?>

With short_open_tags, this will generate a fatal error in the PHP engine! The workaround is to do something nasty like

echo '<'.'?xml version="1.0" ?>';

(or some such). As more websites contained XHTML or some weird sort of sacrifice to the Gods of all things XML (SOAP, XMLRPC, REST-XML), it was sooner convenient to admit defeat and just start coding in valid XML markup.

It violates valid xml. It was not recommended for use because it isn’t guaranteed to be on everywhere. Ever since then people have been in the habit of not using short tags just in case they are off. Soon, it became part of the php.ini-recommended and short tags, like asp_tags and the alternative syntax for control structures got relegated to the dustbin of history.

What is the alternative syntax for control structures? Let’s not go there. 😉