Are they equal in safeness? I was informed that using
<?=$function_here?>
was less safe, and that it slows down page load times. I am strictly biased to using echo.
What are the advantages/disadvantages?
First of all, <?= is not a short open tag, but a shorthand echo, which is the same as <?php echo. And it cannot be disabled. So it's safe to use, in the sense that it is always enabled.
Speaking of safety in terms of security, the output must always be encoded according to the output medium's rules.
For example, when echoing data inside HTML, it must be HTML-encoded:
<?= htmlspecialchars($function_here, ENT_QUOTES) ?>
Or, when echoing data inside JavaScript, it must be JavaScript-encoded:
<script>var data = <?= json_encode($function_here) ?>;</script>
Or, when it's going to be both HTML and JS, then both encodings must be used:
<?php foreach($links as $label => $url): ?>
<br>
<form method="post">
<button class="my" onclick="<?=htmlspecialchars("window.open(".json_encode($url).")", ENT_QUOTES) ?>">
<?=htmlspecialchars($label, ENT_QUOTES) ?>
</button>
</form>
<?php endforeach ?>
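The three output contexts from the answer above (HTML, JavaScript, and JavaScript inside an HTML attribute), as an added example that is not part of the original answer. The helper names html, js and js_attr and the sample data are hypothetical; the JSON_HEX_* flags go beyond the answer's plain json_encode() call, and JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
// Added example: context-specific output encoding helpers.
// Helper names (html, js, js_attr) and the sample data are hypothetical.

/** Encode for HTML text nodes and quoted attribute values. */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a PHP value as a JavaScript literal for use inside <script>. */
function js($value): string
{
    // The HEX flags turn <, >, &, ' and " inside strings into \uXXXX escapes,
    // so the literal cannot contain "</script>" or "<!--" whatever the input holds.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** JavaScript inside an HTML attribute: JS-encode first, then HTML-encode. */
function js_attr(string $before, $value, string $after): string
{
    // The string delimiters emitted by json_encode are still literal double
    // quotes, so the HTML encoding step is required for the attribute value.
    return html($before . js($value) . $after);
}

// Constructed sample data: values chosen to contain markup and quote characters.
$label = 'Tom & "Jerry" <b>';
$url   = "https://example.com/?q='x'&r=</script>";
?>
<p><?= html($label) ?></p>
<script>var target = <?= js($url) ?>;</script>
<button onclick="<?= js_attr('window.open(', $url, ')') ?>"><?= html($label) ?></button>
```

Viewing the rendered source shows each value encoded differently per context: entities in the paragraph, \uXXXX escapes in the script block, and both layers in the onclick attribute.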
Speaking of short open tags, there is only one, <?, and it's not always enabled (see the short_open_tag directive).
Actually, in the php.ini-production file provided with PHP 5.3.0, they are disabled by default:
$ grep 'short_open' php.ini-production
; short_open_tag
short_open_tag = Off
So, using them in an application you want to distribute might not be a good idea: your application will not work if they are not enabled.
<?php, on the other hand, cannot be disabled -- so, it's safest to use this one, even if it is longer to write.
http://php.net/manual/en/language.basic-syntax.phpmode.php states:
Starting with PHP 5.4, short echo tag is always recognized and valid, regardless of the short_open_tag setting.
short_open_tag Off or On doesn't matter anymore.
So now you can, without concern, put tags like this in your templates:
<?= (($test) ? "val1" : "val2") ?>
It is official now, the "short echo tag" is something very different than the "short tag".
Echo is generally just better to use because...
But, they are generally the same. See also:
<?= is so much nicer than <?php echo
Apart from the whole semi-religious debate on whether or not using short tags is a good idea and whether or not it should be considered deprecated, the original question was on how safe or unsafe they are to use.
Simply put, if you use short tags on a server that doesn't support them, parts of your PHP code may be exposed which can be considered a security vulnerability.
Just to add another source of PSR: http://www.php-fig.org/psr/psr-1/
PHP code MUST use the long tags or the short-echo tags; it MUST NOT use the other tag variations.
specifying:
<?php ?> and <?= ?>
You should use <?= and ask your system administrator/host to turn short_open_tag on. It doesn't have any cons to be turned off, and it has no slowdown: the parser looks for the <? the same way it looks for <?php inside the index, by binary search (perhaps <?PHP is slow due to lowering on parsing).
Also, already on PHP 5.5 <?= will be turned on by default, and in the long term <?= will be preferred while <?php echo will be semi-deprecated.
If not sure yet.. A bit of googling helps a lot =D