PHP :: Request #77378 :: Default to short_open

[2018-12-30 19:00 UTC] spam2 at rhsoft dot net

there are two things:

* it's recommended for years to tun it off
* turning it off has security risks

when you change that default on any existing environment you probably leak code and credentials without taking notice

if you care your "php.ini" would have it disabled for years and if you don#t care changing the default only introduces problems with no gain

[2018-12-31 02:13 UTC] olafvdspek at gmail dot com

> there are two things:

http://php.net/manual/en/ini.core.php#ini.short-open-tag doesn't mention any of this.

> when you change that default on any existing environment you probably leak code and credentials without taking notice

That's already the case with the php.ini change.

[2018-12-31 04:53 UTC] spam2 at rhsoft dot net

in which world is when "you change the default" the same as "That's already the case with the php.ini change"?

[2018-12-31 10:31 UTC] olafvdspek at gmail dot com

In a world where the effective value is set in php.ini rather then the php binary for a majority of users.

If you're really afraid of changing the default there's a third option: remove the default and require the value to be explicitly set.

[2019-01-02 09:16 UTC] nikic@php.net

The summarize the current situation, because it's rather odd:

 * In both php.ini-production and php.ini-development short_open_tag is off.
 * The default value (without ini) is short_open_tag=on *unless* --disable-short-tags has been specified during ./configure. On Windows there doesn't seem to be an equivalent for --disable-short-tags, so on Windows the default is always on.

I agree that the current situation is quite odd. It would probably make sense to make short_open_tag=off the default and convert --disable-short-tags into --enable-short-tags for people who would like to influence the default.

[2019-01-02 09:22 UTC] olafvdspek at gmail dot com

Does --disable-short-tags 'only' change the default or does it disable short tags unconditionally, even if short_open_tags = true in the .ini?

[2019-01-02 09:27 UTC] nikic@php.net

@olafvdspek It only changes the default. The ini setting still wins in the end.

I've sent a mail to internals regarding this issue: https://marc.info/?l=php-internals&m=154642087106001

[2019-01-02 09:29 UTC] nikic@php.net

-PHP Version: 7.3.0 +PHP Version: All

[2020-11-23 09:37 UTC] olafvdspek at gmail dot com

Thinking about this.. what's the benefit of short_open_tags = false?

Maybe the default should be short_open_tags = true instead?
If short open tags are bad, what about a run-time warning for them?

[2021-03-04 12:27 UTC] cmb@php.net

>  what's the benefit of short_open_tags = false?

You can have XML files with PHP, for instance.

[2021-03-04 12:41 UTC] olafvdspek at gmail dot com

> You can have XML files with PHP, for instance.

It's 2021, who's using XML? ;)
Surely it's possible to support both short open tags and XML..

But if somehow short open tags are deprecated / not recommended, IMO PHP should have an (optional?) deprecation warning when you're still using them.

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 21:01:29 2024 UTC