Are PHP short tags acceptable to use?

    |
  • Added:
  • |
  • In: Basic PHP

Here's the information according to the official documentation:

There are four different pairs of opening and closing tags which can be used in PHP. Two of those, <?php ?> and <script language="php"> </script>, are always available. The other two are short tags and ASP style tags, and can be turned on and off from the php.ini configuration file. As such, while some people find short tags and ASP style tags convenient, they are less portable, and generally not recommended.

In my experience most servers do have short tags enabled. Typing

<?= 

is far more convenient than typing

<?php echo 

The programmers convenience is an important factor, so why are they not recommended?

This Question Has 24 Answeres | Orginal Question | MDCore

To avoid portability issues, start PHP tags with <?php and in case your PHP file is purely PHP, no HTML, you don't need to use the closing tags.

IMHO people who use short tags often forget to escape whatever they're echoing. It would be nice to have a template engine that escapes by default. I believe Rob A wrote a quick hack to escape short tags in Zend Frameworks apps. If you like short tags because it makes PHP easier to read. Then might Smarty be a better option?

{$myString|escape} 

to me that looks better than

<?= htmlspecialchars($myString) ?> 

They're not recommended because it's a PITA if you ever have to move your code to a server where it's not supported (and you can't enable it). As you say, lots of shared hosts do support shorttags but "lots" isn't all of them. If you want to share your scripts, it's best to use the full syntax.

I agree that <? and <?= are easier on programmers than <?php and <?php echo but it is possible to do a bulk find-and-replace as long as you use the same form each time (and don't chuck in spaces (eg: <? php or <? =)

I don't buy readability as a reason at all. Most serious developers have the option of syntax highlighting available to them.

As ThiefMaster mentions in the comments, as of PHP 5.4, <?= ... ?> tags are supported everywhere, regardless of shorttags settings. This should mean they're safe to use in portable code but that does mean there's then a dependency on PHP 5.4+. If you want to support pre-5.4 and can't guarantee shorttags, you'll still need to use <?php echo ... ?>.

Also, you need to know that ASP tags <% , %> , <%= , and script tag are removed from PHP 7. So if you would like to support long-term portable code and would like switching to the most modern tools consider changing that parts of code.

Note: Starting in PHP 5.4 the short tag, <?=, is now always available.

One situation that is a little different is when developing a CodeIgniter application. CodeIgniter seems to use the shorttags whenever PHP is being used in a template/view, otherwise with models and controllers it always uses the long tags. It's not a hard and fast rule in the framework, but for the most part the framework and a lot of the source from other uses follows this convention.

My two cents? If you never plan on running the code somewhere else, then use them if you want. I'd rather not have to do a massive search and replace when I realize it was a dumb idea.

Let's face it. PHP is ugly as hell without short tags.

You can enable them in a .htaccess file if you can't get to the php.ini:

php_flag short_open_tag on 

I'm too fond of <?=$whatever?> to let it go. Never had a problem with it. I'll wait until it bites me in the ass. In all seriousness, 85% of (my) clients have access to php.ini in the rare occasion they are turned off. The other 15% use mainstream hosting providers, and virtually all of them have them enabled. I love 'em.

http://uk3.php.net/manual/en/language.basic-syntax.phpmode.php has plenty of advice, including:

while some people find short tags and ASP style tags convenient, they are less portable, and generally not recommended.

and

note that if you are embedding PHP within XML or XHTML you will need to use the <?php ?> tags to remain compliant with standards.

and

Using short tags should be avoided when developing applications or libraries that are meant for redistribution, or deployment on PHP servers which are not under your control, because short tags may not be supported on the target server. For portable, redistributable code, be sure not to use short tags.

Because the confusion it can generate with XML declarations. Many people agree with you, though.

An additional concern is the pain it'd generate to code everything with short tags only to find out at the end that the final hosting server has them turned off...

It's good to use them when you work with a MVC framework or CMS that have separate view files.
It's fast, less code, not confusing for the designers. Just make sure your server configuration allows using them.

One has to ask what the point of using short tags is.

Quicker to type

MDCore said:

<?= is far more convenient than typing <?php echo

Yes, it is. You save having to type 7 characters * X times throughout your scripts.

However, when a script takes an hour, or 10 hours, or more, to design, develop, and write, how relevant is the few seconds of time not typing those 7 chars here and there for the duration of the script?

Compared to the potential for some core, or all, of you scripts not working if short tags are not turned on, or are on but an update or someone changing the ini file/server config stops them working, other potentials.

The small benefit you gain doesn't comes close to outweighing the severity of the potential problems, that is your site not working, or worse, only parts of it not working and thus a headache to resolve.

Easier to read

This depends on familiarity.
I've always seen and used <?php echo. So while <?= is not hard to read, it's not familiar to me and thus not easier to read.

And with front end/back end developer split (as with most companies) would a front end developer working on those templates be more familiar knowing <?= is equal to "PHP open tag and echo"?
I would say most would be more comfortable with the more logical one. That is, a clear PHP open tag and then what is happening "echo" - <?php echo.

Risk assessment
Issue = entire site or core scripts fail to work;

The potential of issue is very low + severity of outcome is very high = high risk

Conclusion

You save a few seconds here and there not having to type a few chars, but risk a lot for it, and also likely lose readability as a result.

Front or back end coders familiar with <?= are more likely to understand <?php echo, as they're standard PHP things - standard <?php open tag and very well known "echo".
(Even front end coders should know "echo" or they simply wont be working on any code served by a framework).

Whereas the reverse is not as likely, someone is not likely to logically deduce that the equals sign on a PHP short tag is "echo".

Short tags are coming back thanks to Zend Framework pushing the "PHP as a template language" in their default MVC configuration. I don't see what the debate is about, most of the software you will produce during your lifetime will operate on a server you or your company will control. As long as you keep yourself consistent, there shouldn't be any problems.

UPDATE

After doing quite a bit of work with Magento, which uses long form. As a result, I've switched to the long form of:

<?php and <?php echo 

over

<? and <?= 

Seems like a small amount of work to assure interoperability.

<? is disabled by default in newer versions. You can enable this like described Enabling Short Tags in PHP.

  • Short tags are acceptable to use in cases where you are certain the server will support it and that your developers will understand it.
  • Many servers do not support it, and many developers will understand it after seeing it once.
  • I use full tags to ensure portability, since it's really not that bad.

With that said, a friend of mine said this, in support of alternate standardized asp-style tags, like <% rather than <?, which is a setting in php.ini called asp_tags. Here is his reasoning:

... arbitrary conventions should be standardized. That is, any time we are faced with a set of possibilities that are all of equal value - such as what weird punctuation our programming language should use to demarcate itself - we should pick one standard way and stick with it. That way we reduce the learning curve of all languages (or whatever the things the convention pertains to).

Sounds good to me, but I don't think any of us can circle the wagons around this cause. In the meantime, I would stick to the full <?php.

Convert <? (without a trailing space) to <?php (with a trailing space):

find . -name "*.php" -print0 | xargs -0 perl -pi -e 's/<\?(?!php|=|xml|mso| )/<\?php /g' 

Convert <? (with a trailing space) to <?php (retaining the trailing space):

find . -name "*.php" -print0 | xargs -0 perl -pi -e 's/<\? /<\?php /g' 

The problem with this whole discussion lies in the use of PHP as a templating language. No one is arguing that tags should be used in application source files.

However PHP's embeddable syntax allows it to be used as a powerful template language, and templates should be as simple and readable as possible. Many have found it easier to use a much slower, add-on templating engine like Smarty, but for those purists among us who demand fast rendering and a pure code base, PHP is the only way to write templates.

The ONLY valid argument AGAINST the use of short tags is that they aren't supported on all servers. Comments about conflicts with XML documents are ludicrous, because you probably shouldn't be mixing PHP and XML anyway; and if you are, you should be using PHP to output strings of text. Security should never be an issue, because if you're putting sensitive information like database access credentials inside of template files, well then, you've got bigger issues!

Now then, as to the issue of server support, admittedly one has to be aware of their target platform. If shared hosting is a likely target, then short tags should be avoided. But for many professional developers (such as myself), the client acknowledges (and indeed, depends on the fact) that we will be dictating the server requirements. Often I'm responsible for setting up the server myself.

And we NEVER work with a hosting provider that does not give us absolute control of the server configuration -- in such a case we could count on running to much more trouble than just losing short tag support. It just doesn't happen.

So yes -- I agree that the use of short tags should be carefully weighed. But I also firmly believe that it should ALWAYS be an option, and that a developer who is aware of his environment should feel free to use them.

I read this page after looking for information on the topic, and I feel that one major issue has not been mentioned: laziness vs. consistency. The "real" tags for PHP are <?php and ?>. Why? I don't really care. Why would you want to use something else when those are clearly for PHP? <% and %> mean ASP to me, and <script ..... means Javascript (in most cases). So for consistency, fast learning, portability, and simplicity, why not stick to the standard?

On the other hand I agree that short tags in templates (and ONLY in templates) seem useful, but the problem is that we've just spent so much time discussing it here, that it would likely take a very long time to have actually wasted that much time typing the extra three characters of "php"!!

While having many options is nice, it's not at all logical and it can cause problems. Imagine if every programming language allowed 4 or more types of tags: Javascript could be <JS or < script .... or <% or <? JS.... would that be helpful? In the case of PHP the parsing order tends to be in favor of allowing these things, but the language is in many other ways not flexible: it throws notices or errors upon the slightest inconsistency, yet short tags are used often. And when short tags are used on a server that doesn't support them, it can take a very long time to figure out what is wrong since no error is given in some cases.

Finally, I don't think that short tags are the problem here: there are only two logical types of PHP code blocks-- 1) regular PHP code, 2) template echoes. For the former, I firmly believe that only <?php and ?> should be allowed just to keep everything consistent and portable. For the latter, the <?=$var?> method is ugly. Why must it be like this? Why not add something much more logical? <?php $var ?> That would not do anything (and only in the most remote possibilities could it conflict with something), and that could easily replace the awkward <?= syntax. Or if that's a problem, perhaps they could use <?php=$var?> instead and not worry about inconsistencies.

At the point where there are 4 options for open and close tags and the random addition of a special "echo" tag, PHP may as well have a "custom open/close tags" flag in php.ini or .htaccess. That way designers can choose the one they like best. But for obvious reasons that's overkill. So why allow 4+ options?

In case anyone's still paying attention to this... As of PHP 5.4.0 Alpha 1 <?= is always available:

http://php.net/releases/NEWS_5_4_0_alpha1.txt

So it looks like short tags are (a) acceptable and (b) here to stay. For now at least...

  • Short tags are not turned on by default in some webservers (shared hosts, etc.), so code portability becomes an issue if you need to move to one of these.

  • Readability may be an issue for some. Many developers may find that <?php catches the eye as a more obvious marker of the beginning of a code block than <? when you scan a file, particularly if you're stuck with a code base with HTML and PHP tightly inter-woven.

<?php ?> are much better to use since developers of this programming language has massively updated their core-language. You can see the difference between the short tags and long tags.

Short tags will be highlighted as light red while the longer ones are highlighted darker!

However, echoing something out, for example: <?=$variable;?> is fine. But prefer the longer tags. <?php echo $variable;?>

Following is the wonderful flow diagram of the same:

decision making tree of the use of <?=

Source: similiar question on Programmers Stack Exchange

Starting with PHP 5.4, the echo shortcut is a separate issue from short tags, as the echo shortcut will always be enabled. It's a fact now:

So the echo shortcut itself (<?=) is safe to use now.

No, and they're being phased out by PHP 6 so if you appreciate code longevity, simply don't use them or the <% ... %> tags.

If you care about XSS then you should use <?= htmlspecialchars(…) ?> most of the time, so a short tag doesn't make a big difference.

Even if you shorten echo htmlspecialchars() to h(), it's still a problem that you have to remember to add it almost every time (and trying to keep track which data is pre-escaped, which is unescaped-but-harmless only makes mistakes more likely).

I use a templating engine that is secure by default and writes <?php tags for me.


Search
I am...

Sajjad Hossain

I have five years of experience in web development sector. I love to do amazing projects and share my knowledge with all.

NEED HOSTING?
Are you searching for Good Quality hosting?
You can Try It!
Connect Social With PHPAns
Top