php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #77378 Default to short_open_tags = false
Submitted: 2018-12-30 18:55 UTC Modified: 2021-03-04 12:41 UTC
From: olafvdspek at gmail dot com Assigned:
Status: Open Package: *General Issues
PHP Version: All OS:
Private report: No CVE-ID: None
 [2018-12-30 18:55 UTC] olafvdspek at gmail dot com
Description:
------------
AFAIK the recommendation has been false for quite some time but the default (and docs) don't reflect this. Could this inconsistency be rectified?

http://php.net/manual/en/ini.core.php#ini.short-open-tag

https://github.com/oerdnj/deb.sury.org/issues/1043


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-30 19:00 UTC] spam2 at rhsoft dot net
there are two things:

* it's recommended for years to tun it off
* turning it off has security risks

when you change that default on any existing environment you probably leak code and credentials without taking notice

if you care your "php.ini" would have it disabled for years and if you don#t care changing the default only introduces problems with no gain
 [2018-12-31 02:13 UTC] olafvdspek at gmail dot com
> there are two things:

http://php.net/manual/en/ini.core.php#ini.short-open-tag doesn't mention any of this.

> when you change that default on any existing environment you probably leak code and credentials without taking notice

That's already the case with the php.ini change.
 [2018-12-31 04:53 UTC] spam2 at rhsoft dot net
in which world is when "you change the default" the same as "That's already the case with the php.ini change"?
 [2018-12-31 10:31 UTC] olafvdspek at gmail dot com
In a world where the effective value is set in php.ini rather then the php binary for a majority of users.

If you're really afraid of changing the default there's a third option: remove the default and require the value to be explicitly set.
 [2019-01-02 09:16 UTC] nikic@php.net
The summarize the current situation, because it's rather odd:

 * In both php.ini-production and php.ini-development short_open_tag is off.
 * The default value (without ini) is short_open_tag=on *unless* --disable-short-tags has been specified during ./configure. On Windows there doesn't seem to be an equivalent for --disable-short-tags, so on Windows the default is always on.

I agree that the current situation is quite odd. It would probably make sense to make short_open_tag=off the default and convert --disable-short-tags into --enable-short-tags for people who would like to influence the default.
 [2019-01-02 09:22 UTC] olafvdspek at gmail dot com
Does --disable-short-tags 'only' change the default or does it disable short tags unconditionally, even if short_open_tags = true in the .ini?
 [2019-01-02 09:27 UTC] nikic@php.net
@olafvdspek It only changes the default. The ini setting still wins in the end.

I've sent a mail to internals regarding this issue: https://marc.info/?l=php-internals&m=154642087106001
 [2019-01-02 09:29 UTC] nikic@php.net
-PHP Version: 7.3.0 +PHP Version: All
 [2020-11-23 09:37 UTC] olafvdspek at gmail dot com
Thinking about this.. what's the benefit of short_open_tags = false?

Maybe the default should be short_open_tags = true instead?
If short open tags are bad, what about a run-time warning for them?
 [2021-03-04 12:27 UTC] cmb@php.net
>  what's the benefit of short_open_tags = false?

You can have XML files with PHP, for instance.
 [2021-03-04 12:41 UTC] olafvdspek at gmail dot com
> You can have XML files with PHP, for instance.

It's 2021, who's using XML? ;)
Surely it's possible to support both short open tags and XML..

But if somehow short open tags are deprecated / not recommended, IMO PHP should have an (optional?) deprecation warning when you're still using them.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 19:01:27 2024 UTC