go to bug id or search bugs for
AFAIK the recommendation has been false for quite some time but the default (and docs) don't reflect this. Could this inconsistency be rectified?
Add a Patch
Add a Pull Request
there are two things:
* it's recommended for years to tun it off
* turning it off has security risks
when you change that default on any existing environment you probably leak code and credentials without taking notice
if you care your "php.ini" would have it disabled for years and if you don#t care changing the default only introduces problems with no gain
> there are two things:
http://php.net/manual/en/ini.core.php#ini.short-open-tag doesn't mention any of this.
> when you change that default on any existing environment you probably leak code and credentials without taking notice
That's already the case with the php.ini change.
in which world is when "you change the default" the same as "That's already the case with the php.ini change"?
In a world where the effective value is set in php.ini rather then the php binary for a majority of users.
If you're really afraid of changing the default there's a third option: remove the default and require the value to be explicitly set.
The summarize the current situation, because it's rather odd:
* In both php.ini-production and php.ini-development short_open_tag is off.
* The default value (without ini) is short_open_tag=on *unless* --disable-short-tags has been specified during ./configure. On Windows there doesn't seem to be an equivalent for --disable-short-tags, so on Windows the default is always on.
I agree that the current situation is quite odd. It would probably make sense to make short_open_tag=off the default and convert --disable-short-tags into --enable-short-tags for people who would like to influence the default.
Does --disable-short-tags 'only' change the default or does it disable short tags unconditionally, even if short_open_tags = true in the .ini?
@olafvdspek It only changes the default. The ini setting still wins in the end.
I've sent a mail to internals regarding this issue: https://marc.info/?l=php-internals&m=154642087106001