Are PHP Short Tags Acceptable to Use

Are PHP short tags acceptable to use?

There must be a clear distinction between the PHP short tag (<?) and shorthand echo tag (<?=)

The former is prohibited by the PHP Coding standard, mostly out of common sense because it's a PITA if you ever have to move your code to a server where it's not supported (and you can't enable it). As you say, lots of shared hosts do support shorttags but "lots" isn't all of them. If you want to share your scripts, it's best to use the full syntax.

Whereas the shorthand echo tag <?= cannot be disabled and therefore is fully acceptable to use.

I agree that <? is easier on programmers than <?php but it is possible to do a bulk find-and-replace as long as you use the same form each time.

I don't buy readability as a reason at all. Most serious developers have the option of syntax highlighting available to them.

As ThiefMaster mentions in the comments, as of PHP 5.4, <?= ... ?> tags are supported everywhere, regardless of shorttags settings. This should mean they're safe to use in portable code but that does mean there's then a dependency on PHP 5.4+. If you want to support pre-5.4 and can't guarantee shorttags, you'll still need to use <?php echo ... ?>.

Also, you need to know that ASP tags <% , %> , <%= , and script tag are removed from PHP 7. So if you would like to support long-term portable code and would like switching to the most modern tools consider changing that parts of code.

is Short tag good practice in php?

Short tags <? doSomething(); ?> are considered to be a bad practice because they are not XML compliant... whether you care about that or not is another issue.

Short echos <?= $myString ?> are not a bad practice, it's just not the best. PHP is a templating engine, however much better engines are available (Twig, Mustache, Smarty, etc). Most frameworks include their own templating engine so short tags don't need to be used.

Up to and including PHP 5.3, these types of tags were considered to be the same thing. Since PHP 5.4 however they've been separated out and short echo is allowed without enable-short-tags being turned on. Since PHP 5.3 is no longer supported, the only concern is if you're being forced to use an unsupported version, which obviously has it's own implications. :)

How to enable PHP short tags?

Set

short_open_tag=On

in php.ini

And restart your Apache server.

Is it now safe to use PHP echo short tags?

I wouldn't use the words "totally" and "completely", but with PHP5.4 the "short-open-and-echo"-syntax is part of the core and thus always available. Remind, that I only talk about <?= ?> and not the "regular" short-open-tags <? ?>.

Short Open Tag and ?=

Since there is no formal answer, I put together some of the comments, which -in my opinion- actually answer the question:

<?= is no longer considered a short open tag. The reason why <? was discouraged was because it was ambiguous under some situations, i.e <?xml ... ?> or other markup languages.

PHP short open tag vs long open tag

<?php is the official standard. I've never encountered a problem where a browser was confused, but just using <? can also declare XML and might not be the best habit to form.

I'll tell you this though - other programmers will always appreciate the standard. I would go with <?php for sure.

PHP Short hand tags 7.x

Is the correct php.ini being loaded?

<?php phpinfo(); ?>

Check for Loaded Configuration File

PHP include runs when in short tags even when short tags are turned off

The included files are not read on the compilation phase but during runtime.

Since your PHP interpreter doesn't interpret the code in short tags and dumps it directly to the browser, it is not guilty for replacing the include statements with the content of the included files.

There is no php.ini setting that could persuade it to behave like this.

I can imagine other causes:

• a PHP extension that replaces the include/require statements with the content of the included files;
• a pre-processing script that does the same and/or combines multiple PHP files into a single one (Symfony does something similar);

The purpose of such a processing is to optimize the script by minimizing its disk access.

PHP echo vs PHP short echo tags

First of all, <?= is not a short open tag, but a shorthand echo, which is the same as <?php echo. And it cannot be disabled. So, it's safe to use in the meaning it is always enabled.

Speaking of safety in terms of security, the output must be always encoded according the the output medium rules.

For example, when echoing data inside HTML, it must be html-encoded:

 <?= htmlspecialchars($function_here, ENT_QUOTES) ?>

Or, when echoing data inside JavasScript, it must be javascript encoded:

 <script>var=<?= json_encode($function_here) ?>

Or, when it's going to be both HTML and JS, then both encodings must be used:

<?php foreach($links as $label => $url): ?>
    <br>
    <form method="post">
        <button class="my" onclick="<?=htmlspecialchars("window.open(".json_encode($url).")", ENT_QUOTES) ?>">
            <?=htmlspecialchars($label, ENT_QUOTES) ?>
        </button>
    </form>
<?php endforeach ?>

Speaking of short open tags, there is only one, <?, and it's not always enabled (see the short_open_tag directive).

Actually, in the php.ini-production file provided with PHP 5.3.0, they are disabled by default:

$ grep 'short_open' php.ini-production
; short_open_tag
short_open_tag = Off

So, using them in an application you want to distribute might not be a good idea: your application will not work if they are not enabled.

<?php, on the other side, cannot be disabled -- so, it's safest to use this one, even if it is longer to write.

---

Related Topics