Why Do Some Scripts Omit the Closing PHP Tag, '?>'

Why do some scripts omit the closing PHP tag, '?>'?

Well, omitting the closing tag is just one solution for avoiding blanks and other characters at the end of file. For example any char which is accidentally added behind the closing tag would trigger an error when trying to modify header info later.

Removing the closing tag is kind of "good practice" according to many coding guidelines.

Why would one omit the close tag?

Sending headers earlier than the normal course may have far reaching consequences. Below are just a few of them that happened to come to my mind at the moment:

  1. While current PHP releases may have output buffering on, the actual production servers you will be deploying your code on are far more important than any development or testing machines. And they do not always tend to follow latest PHP trends immediately.

  2. You may have headaches over inexplicable functionality loss. Say, you are implementing some kind of payment gateway, and redirect the user to a specific URL after successful confirmation by the payment processor. If some kind of PHP error, even a warning, or an excess line ending happens, the payment may remain unprocessed and the user may still seem unbilled. This is also one of the reasons why needless redirection is evil and if redirection is to be used, it must be used with caution.

  3. You may get "Page loading canceled" type of errors in Internet Explorer, even in the most recent versions. This is because an AJAX response/json include contains something that it shouldn't contain, because of the excess line endings in some PHP files, just as I've encountered a few days ago.

  4. If you have some file downloads in your app, they can break too, because of this. And you may not notice it, even after years, since the specific breaking habit of a download depends on the server, the browser, the type and content of the file (and possibly some other factors I don't want to bore you with).

  5. Finally, many PHP frameworks including Symfony, Zend and Laravel (there is no mention of this in the coding guidelines but it follows suit) and the PSR-2 standard (item 2.2) require omission of the closing tag. The PHP manual itself (1,2), WordPress, Drupal and many other PHP software I guess, advise to do so. If you simply make a habit of following the standard (and set up PHP-CS-Fixer for your code) you can forget the issue. Otherwise you will always need to keep the issue in your mind.

Bonus: a few gotchas (actually currently one) related to these 2 characters:

  1. Even some well-known libraries may contain excess line endings after ?>. An example is Smarty, even the most recent versions of both 2.* and 3.* branch have this. So, as always, watch for third party code. Bonus in bonus: A regex for deleting needless PHP endings: replace (\s*\?>\s*)$ with empty text in all files that contain PHP code.
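A token-based way to find the files this answer warns about, shown as an added example that is not part of the original answer: unlike a plain regex, PHP's own tokenizer separates a file that merely ends with `?>` from one that has whitespace after it, and it ignores templates that legitimately end in HTML. `classifyEnding()` is a hypothetical helper and the sample sources are constructed.

```php
<?php
// Added example (not from the original answer). classifyEnding() is a
// hypothetical helper; the sample sources at the bottom are constructed.
// 'ok'              - no closing tag at the end (or the file ends in template HTML)
// 'closing-tag'     - ends with ?> plus at most the one newline PHP swallows
// 'trailing-output' - whitespace after ?> that PHP would send to the client
function classifyEnding(string $source): string
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $last = $n > 0 ? $tokens[$n - 1] : null;
    if (!is_array($last)) {
        return 'ok'; // empty file, or last token is a bare character such as ';'
    }
    if ($last[0] === T_CLOSE_TAG) {
        return 'closing-tag';
    }
    $prev = $n > 1 ? $tokens[$n - 2] : null;
    if ($last[0] === T_INLINE_HTML && trim($last[1]) === ''
        && is_array($prev) && $prev[0] === T_CLOSE_TAG) {
        return 'trailing-output';
    }
    return 'ok';
}

if (isset($argv[1])) {
    // Scan every .php file under the directory given on the command line.
    $dir = new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS);
    foreach (new RecursiveIteratorIterator($dir) as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $verdict = classifyEnding(file_get_contents($file->getPathname()));
            if ($verdict !== 'ok') {
                echo $verdict, "\t", $file->getPathname(), "\n";
            }
        }
    }
} else {
    $samples = [
        'no closing tag'        => "<?php\necho 'a';\n",
        'closing tag + newline' => "<?php echo 'a'; ?>\n",
        'closing tag + blanks'  => "<?php echo 'a'; ?>\n\n \n",
        'template ending'       => "<?php \$t = 'x'; ?>\n<p>hi</p>\n",
    ];
    foreach ($samples as $label => $source) {
        printf("%-22s %s\n", $label, classifyEnding($source));
    }
}
```

Run it with a directory argument to audit a code base, including third-party libraries, or with no argument to see the verdicts for the constructed samples.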

Does omitting the closing tag of a PHP block at the end of a file remove any line feeds or whitespace, if present in a respective file?

I know that the closing tag of a block of PHP code automatically
implies a semicolon so we do not need to have a semicolon terminating
the last line of a PHP block.

Means <?php echo '' ?> is fine.

The closing tag for the block will include the immediately trailing
newline if one is present.

Means

<?php echo '' ?>
\n
\n
\n

Will output 3 line breaks.

But I think you're asking whether the following will output line breaks.

<?php echo '';
\n
\n
\n

Which it won't, for the same reason PHP comments don't get outputted.

PSR-2 guidelines 2.2. Files.

  • All PHP files MUST use the Unix LF (linefeed) line ending.

  • All PHP files MUST end with a single blank line. (not 10 ;p)

  • The closing ?> tag MUST be omitted from files containing only PHP.

PHP closing tag unnecessary?

One reason people avoid the closing ?> tag is to avoid the "headers already sent" error due to line breaks or other invisible characters after the ?> tag.

Should I close my PHP tags?

If it's a PHP file that contains no HTML, then don't close the tag.

This stops you from accidentally adding whitespace at the end of the file, therefore invoking browser output, and by extension headers, etc, which can cause a world of pain.

Execute JavaScript for XSS without script tags

  1. Try putting in different types of strings with special characters and look if any of these get encoded or outputted. (I personally use '';!--"<XSS>=&{()})
  2. Now you have three options:

    1. Inside a HTML Tag: The <> won't matter, because you are already inside a HTML Tag. You can look if this Tag supports Events and use some kind of onload=alert(1) or other event. If <> is allowed, you can break out and create your own tag '><img src=0 onerror=alert(1)>
    2. Outside of HTML Tag: the <> are important. With these you can open a new Tag and the whole world is below your feet (or so...)
    3. Inside Javascript: Well...if you can break out of a string with '", then you can basically write ';alert(1)
  3. Craft your XSS according to your encoded characters and the surroundings of where the string gets outputted

<XSS> disappears entirely: the application uses some kind of strip_tags. If you are outside of an HTML tag and no HTML tags are whitelisted, I unfortunately don't know any method to achieve an XSS.

Crafting your own payload

There are various methods to achieve this and too many to name them all.
Look at these two sites, which have a lot of the methods and concepts to construct your own.
It comes down to: What the page allows to go through.

  1. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28short.29
  2. https://html5sec.org/
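The defensive counterpart to the three output contexts listed in this answer, as an added example that is not part of the original answer: the same untrusted value encoded for HTML text or a quoted attribute and for a JavaScript string literal, next to what `strip_tags` alone leaves behind. The function names are hypothetical; the probe string is the one quoted in the answer.

```php
<?php
// Added example (not from the original answer). Function names are
// hypothetical; the probe string is the one quoted in the answer.

// HTML body text and quoted attribute values: encode & < > " and '.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// String literal inside an inline <script>: JSON-encode and hex-escape the
// characters that could end the string or the surrounding script element.
function encodeForJsString(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$probe = <<<'TXT'
'';!--"<XSS>=&{()}
TXT;

$rows = [
    'raw'                   => $probe,
    'strip_tags only'       => strip_tags($probe),        // quote characters survive
    'html body / attribute' => encodeForHtml($probe),
    'js string literal'     => encodeForJsString($probe), // output includes its own quotes
];
foreach ($rows as $context => $out) {
    printf("%-22s %s\n", $context, $out);
}
```

The HTML encoder protects an attribute only when the template wraps the value in quotes, and the JavaScript encoder's output already carries its own quotes, so it is emitted without adding more.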

Parse error: Syntax error, unexpected end of file in my PHP code

You should avoid this (at the end of your code):

{?>

and this:

<?php}

You shouldn't put brackets directly close to the open/close php tag, but separate it with a space:

{ ?>
<?php {

also avoid <? and use <?php

PSR-2 coding standard: why no closing PHP tag in files containing only PHP?

It is a good universal rule not to use the closing tag in PHP scripts. Note that everything after the closing tag is sent to the client (browser), even whitespace characters, so if you use a closing tag followed by a new line or any other whitespace character, it will be sent to the browser. In most cases this behavior is not desirable.


