Is it bad practice to use

  • I've come across this PHP tag <?= ?> recently and I am reluctant to use it, but it itches so hard that I wanted to have your take on it. I know it is bad practice to use short tags <? ?> and that we should use full tags <?php ?> instead, but what about this one : <?= ?>?

    It would save some typing and it would be better for code readability, IMO. So instead of this:

    <input name="someVar" value="<?php echo $someVar; ?>">
    

    I could write it like this, which is cleaner :

    <input name="someVar" value="<?= $someVar ?>">
    

    Is using this operator frowned upon?

    The problem with this kind of question is that it is so opinionated. There "technically" isn't a right or wrong way. Some argue for, some against, its all preference. So in the end its up to you.

    Avoid the closing tag in any form, if you can - i.e. the file contains only php code(no html etc). If you have a closing tag, any characters after it will be output to the browser (for a web app) - which can result in very hard to debug problems. For more : http://stackoverflow.com/a/4453835/49560

    Non-opinion related: Watch out because `echo`leads very easily to XSS, and you should better rely on context-dedicated echoing method (ie: having a `function html($x) { echo htmlentities($x,...); }` and un `html($someVar);` instead of `echo $someVar` or using `echo json_encode($x);` for JS context). This then makes `

  • zzzzBov

    zzzzBov Correct answer

    8 years ago

    History

    Before the misinformation train goes too far out of the station, there are a bunch of things you need to understand about PHP short tags.

    The primary issue with PHP's short tags is that PHP managed to choose a tag (<?) that was used by another syntax, XML.

    With the option enabled, you weren't able to raw output the xml declaration without getting syntax errors:

    <?xml version="1.0" encoding="UTF-8" ?>
    

    This is a big issue when you consider how common XML parsing and management is.

    What about <?=?

    Although <? causes conflicts with xml, <?= does not. Unfortunately, the options to toggle it on and off were tied to short_open_tag, which meant that to get the benefit of the short echo tag (<?=), you had to deal with the issues of the short open tag (<?). The issues associated with the short open tag were much greater than the benefits from the short echo tag, so you'll find a million and a half recommendations to turn short_open_tag off, which you should.

    With PHP 5.4, however the short echo tag has been re-enabled separate from the short_open_tag option. I see this as a direct endorsement of the convenience of <?=, as there's nothing fundamentally wrong with it in and of itself.

    The problem is that you can't guarantee that you'll have <?= if you're trying to write code that could work in a wider range of PHP versions.

    ok, so now that that's all out of the way

    Should you use <?=?

    flowchart about whether or not to use the short echo tag

    I disagree with your snappy diagram. The correct answer is **99.99% YES** because most production environments are configured to use short tags. Supposing you blew it and they remove `

    @dukeofgaming, where are you getting your data about production environments being configured to use short tags? Disabling them is one of the most commonly suggested configurations that I've heard about, second only to disabling magic quotes. It also would make absolutely zero sense to have a dev environment that's different from production.

    Short tags were enabled by default until 5.3 http://www.php.net/manual/en/ini.core.php#ini.short-open-tag, most hosting services I know supported it with no problems and this was one of the reasons the Kohana framework used to encourage it. `

    @dukeofgaming, did you actually read my post? I personally support the use of `

    Yes, I did, and as I said, I just disagree with your snappy diagram. Particularly in the last part of the flow, because it won't disappear and there is no need to worry, in the drama-oriented PHP mailing list community this feature has no enemies whatsoever, and **tell you what, if it disappears I'll start a 200 Rep bounty for you to cash-in from this answer**.

    You're not worried that `

    That's precisely my point: *there is no need to worry*. I'd just put "Are you worried?" --yes--> "Go ahead and use them, there is no need to worry". It also feels like you are implying that leaving off closing tags is a bad practice, which is not.

    Comments aren't the right place for this discussion, if you're interested in continuing, send me an email and I'll be glad to discuss this further.

    It is worth noting that *Since PHP 5.4.0,

    +1 for Before the misinformation train goes too far out of the station. Love it

    -1 for not mentioning security implications.

    @ircmaxell mind sharing which security implications you're referring to so that I can fix this post?

    @ircmaxell, I happened to be referencing this answer again recently, and I noticed you still haven't clarified on your point about security implications. Is there a chance you could elaborate on your vague comment on security implications?

    @ircmaxell What are the security implications?

    Actually @zzzzBov, `````` is an XML processing instruction (PI) tag which is used *inside* XML documents. As such document is processed, when it reaches lines related to these instructions, a registered preprocessor subroutine should run and process the content of the PI tag, then replace it in, and move on. This is part of XML standard. And PHP specifically chose this tag to be compatible with this behaviour. That's why the language also is called "Hypertext Preprocessor". So overall, no, it should not be a huge problem to have ```

    And short-hand tag was introduced much later, which actually is in violation to XML specifications, since ```PIContent``` cannot contain ```?>``` string in it (considering the opening ```

    As of today, on April 2018, this answer is no more valid. PHP development team shut down *completely* old short tags (they are no more activable through the `php.ini` config file or `ini_set()` function), but did not remove the short echo tag ``, which is now suggested, instead. Check here https://secure.php.net/manual/en/language.basic-syntax.phptags.php Furthermore, I underline that PHP is a **preprocessor**, used to generate XML documents too. It means that in the vast majority of cases, no PHP directive would be sent to a generic client with PHP tags still unparsed by the server.

    That flowchart could be massively simplified now - nobody should be using PHP < 5.4 anymore, and the short echo tag has remained since (it has even outlasted the short open tag option). There's no path other than "go ahead" now.

    @thomasrutter if you follow the flow chart it is as accurate today as it was 6 years ago. Just because most people get a "yes you should use `

    I was not commentimg about its accuracy.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM