Is there any difference or associated risk opening with the following PHP variations?

<? echo "hello world!"; ?>

<?php echo "hello world!"; ?>

<?="hello world!"?>

Also, is it necessary to close all scripts with ?>

+14  A: 

The difference is that some servers might have the first and last examples disabled via short_open_tag. So if you want your code to be as portable as possible you should use the full <?php, otherwise when you move your code to a new server you might find it doesn't work as expected. Also using the short tags can cause clashes if you try doing <?xml type declarations. As far as security, using short tags can theoretically be dangerous if someone decides to turn short_open_tag off; code using that tag would then be plain-text and broadcast to all (check the comments for more).

As for your other question, omitting the closing tags is to prevent whitespace from being accidentally outputted to the browser, as this would mess some scripts up, particularly those trying to output headers of any kind. This is why the Zend Programming Guide recommends not closing your PHP tags.

Now that I got all that out of the way, unless I'm working on something that is open source I personally use short open tags and I close all of my PHP tags. This is because I am usually in control of my environment and I'm of the opinion that a) <?= is just too handy, and b) if you open something you ought to close it. The "best practices", however, don't really agree with that.

Paolo Bergantino
So if you know the capabilities of the server, it doesn't matter which is used?
Peter
Is there reason for disabling these other two examples, are they somehow less secure?
Peter
Paolo was pointing out that when porting your code to different systems, you need to consider their configurations.
strager
@Peter: Some other languages/libraries use the <? and ?> tags, so disabling them gets PHP out of the way.
musicfreak
I have had a hosting provider decide to turn off short tags (without notification), leaving one of my older projects literally as a bunch of text files in plain view. All the sensitive stuff was outside web root (of course), but I'd definitely call that a security risk!
da5id
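As an added example (not part of the original answers or comments): a text-level audit for the two issues discussed above, open tags that depend on short_open_tag and whitespace left after a final ?>. The function name, finding labels and sample sources are assumptions constructed for illustration.

```python
import re

# Matches every "<?" and captures what follows it, if anything recognisable.
OPEN_TAG = re.compile(r"<\?(php\b|=|xml\b)?", re.IGNORECASE)

# "<?php" is always parsed, so it is not reported.
# "<?" is only parsed when short_open_tag is on; when it is off the block is
# served to the client as plain text.
# "<?=" is always available since PHP 5.4; on older versions it follows
# short_open_tag as well.
# "<?xml" is reported because it clashes with PHP when short_open_tag is on.
LABELS = {"": "short-open-tag", "=": "short-echo-tag", "xml": "xml-declaration"}


def audit_php_source(text):
    """Return sorted (line, finding) tuples for one PHP source string.

    Heuristic: this scans raw text and does not tokenise PHP, so a "<?"
    inside a string literal or comment is reported too.
    """
    findings = []
    for match in OPEN_TAG.finditer(text):
        kind = (match.group(1) or "").lower()
        if kind in LABELS:
            line = text.count("\n", 0, match.start()) + 1
            findings.append((line, LABELS[kind]))

    # PHP swallows one newline directly after "?>"; any further whitespace
    # is sent as output and can break later header() calls.
    last_close = text.rfind("?>")
    if last_close != -1:
        tail = re.sub(r"^\r?\n", "", text[last_close + 2:], count=1)
        if tail and not tail.strip():
            line = text.count("\n", 0, last_close) + 1
            findings.append((line, "whitespace-after-closing-tag"))
    return sorted(findings)


# Constructed sample sources, built from the three variants in the question.
LEGACY = '<? echo "hello world!"; ?>\n<?="hello world!"?>\n<?php echo "hello world!"; ?>\n\n'
PORTABLE = '<?php\necho "hello world!";\n'
FEED = '<?xml version="1.0"?>\n<?php echo "x"; ?>\n'

if __name__ == "__main__":
    for name, src in (("legacy", LEGACY), ("portable", PORTABLE), ("feed", FEED)):
        print(name, audit_php_source(src))
```

Run over a code base before moving hosts, any short-open-tag finding marks a file that would be exposed as source if the new server has short_open_tag off.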
+5  A: 

Portability can be important when you don't control the hosting. For example, when I wrote some PHP programs that were hosted on my college's hosting, they worked fine until they changed the configuration to disallow the syntax, and they broke a bunch of pages.

Even if it works at the time, if you aren't in control of the hosting there are no guarantees.

ghills
+2  A: 
cletus
+1 because I agree with all your points; however, I had to do due diligence and list out the reasons why people claim not using short tags is the best practice.
Paolo Bergantino
@Paolo: afaik it just boils down to the option might be disabled and XML PIs. It's a reasonable question and reasonable stance to never use short form. I just always do.
cletus
@cletus: Yup, I'm too in love with <?= to give it up. :)
Paolo Bergantino
It does seem strange that the consensus is to lean towards <?php but nobody does due to laziness or habit?
Peter
I actually always use <?php in my own code, even when I control the environment. I want to always use the same tag, and <?php is the only one that avoids all potential problems.
dirtside