216

I've come across this PHP tag <?= ?> recently and I am reluctant to use it, but it itches so hard that I wanted to have your take on it. I know it is bad practice to use short tags <? ?> and that we should use full tags <?php ?> instead, but what about this one : <?= ?>?

It would save some typing and it would be better for code readability, IMO. So instead of this:

<input name="someVar" value="<?php echo $someVar; ?>">

I could write it like this, which is cleaner :

<input name="someVar" value="<?= $someVar ?>">

Is using this operator frowned upon?

Improve this question
3
  • 13
    The problem with this kind of question is that it is so opinionated. There "technically" isn't a right or wrong way. Some argue for, some against, its all preference. So in the end its up to you. Commented Jun 5, 2012 at 21:43
  • Avoid the closing tag in any form, if you can - i.e. the file contains only php code(no html etc). If you have a closing tag, any characters after it will be output to the browser (for a web app) - which can result in very hard to debug problems. For more : stackoverflow.com/a/4453835/49560 Commented Apr 22, 2016 at 6:46
  • Non-opinion related: Watch out because echoleads very easily to XSS, and you should better rely on context-dedicated echoing method (ie: having a function html($x) { echo htmlentities($x,...); } and un html($someVar); instead of echo $someVar or using echo json_encode($x); for JS context). This then makes <?= tags a bad practice because it means you have HTML-escaped the variable content in another place, and so that other place must magically know this variable has to be HTML escaped because it's echoed in HTML context. Commented Mar 23, 2019 at 12:48

8 Answers 8

Reset to default
242

History

Before the misinformation train goes too far out of the station, there are a bunch of things you need to understand about PHP short tags.

The primary issue with PHP's short tags is that XML managed to choose a tag (<?) that was already used by PHP.

With the option enabled, you weren't able to raw output the xml declaration without getting syntax errors:

<?xml version="1.0" encoding="UTF-8" ?>

This is a big issue when you consider how common XML parsing and management is.

What about <?=?

Although <? causes conflicts with xml, <?= does not. Unfortunately, the options to toggle it on and off were tied to short_open_tag, which meant that to get the benefit of the short echo tag (<?=), you had to deal with the issues of the short open tag (<?). The issues associated with the short open tag were much greater than the benefits from the short echo tag, so you'll find a million and a half recommendations to turn short_open_tag off, which you should.

With PHP 5.4, however the short echo tag has been re-enabled separate from the short_open_tag option. I see this as a direct endorsement of the convenience of <?=, as there's nothing fundamentally wrong with it in and of itself.

The problem is that you can't guarantee that you'll have <?= if you're trying to write code that could work in a wider range of PHP versions.

ok, so now that that's all out of the way

Should you use <?=?

flowchart about whether or not to use the short echo tag

Improve this answer
20
  • 84
    I disagree with your snappy diagram. The correct answer is 99.99% YES because most production environments are configured to use short tags. Supposing you blew it and they remove <?= in the future you can fix it in less than a minute, no matter how many thousands of files use it, you just do a project-wide search & replace of <?= for <?php echo . My answer is don't worry and just use it, the benefits outweight greatly the consequences. <?= is not regarded as a short tag anymore, Rasmus Lerdorf himself made that very commit. Commented Jun 8, 2012 at 0:07
  • 36
    @dukeofgaming, where are you getting your data about production environments being configured to use short tags? Disabling them is one of the most commonly suggested configurations that I've heard about, second only to disabling magic quotes. It also would make absolutely zero sense to have a dev environment that's different from production. Commented Jun 8, 2012 at 0:11
  • 5
    Short tags were enabled by default until 5.3 php.net/manual/en/ini.core.php#ini.short-open-tag, most hosting services I know supported it with no problems and this was one of the reasons the Kohana framework used to encourage it. <?= will always be on (stackoverflow.com/a/6064813/156257) and most of the time they used to be on. You can prove me wrong by checking with your host if: they are disabled and using PHP < 5.3 and if they don't allow the setting to be overriden by users or upon special request; if all the previous is false, by all means worry about <?=. Commented Jun 8, 2012 at 1:30
  • 8
    You're not worried that <?= will be removed, and neither am I. Others might be, and if they are, they don't have to use <?=. Some people have irrational fear of using certain language features (like leaving off closing tags in php). Commented Jun 8, 2012 at 18:11
  • 10
    That's precisely my point: there is no need to worry. I'd just put "Are you worried?" --yes--> "Go ahead and use them, there is no need to worry". It also feels like you are implying that leaving off closing tags is a bad practice, which is not. Commented Jun 8, 2012 at 19:14
32

Dusting off my PHP hat

I'd definitely favor the use of <?= $someVar ?> over the more verbose echo (simply personal preference). The only downside AFAIK is for users who are running pre-5.4.0, in which case short_open_tag must be enabled in php.ini.

Now having said that, if your project isn't OS, then it's a moot point. If it is, I'd either document the fact that short_open_tags must be enabled, or use the more portable of the two solutions.

Improve this answer
5
  • 1
    Nitpick: Even though <?= is unaffected by short_open_tag on PHP 5.4, <? still is and if you get a habit of using short form tags, it's quite easy to forget what's supported on what version. Commented Jun 5, 2012 at 18:26
  • 10
    @YannisRizos It's good to distinguish <?= as "I'm outputting a variable now" for template-style usage, and <?php as "I'm running lots of code now". I'd suggest never to use <?, but that both <?= and <?php are fine. Commented Jun 5, 2012 at 19:31
  • 2
    +1 because Rasmus Lerdorf endorses the shorthand <?= tag. I watched one of his talks on the (then soon to be released) PHP 5.4. That is why since PHP 5.4.0 the <?= tag is always available. I have seen a lot of code pre PHP 5.4 that the <?= tag is used in the View of an MVC application but <?php ... ?> is used in the non-view files. Commented Jun 5, 2012 at 20:40
  • @Jason That's not what I'm saying. "Rasmus endorses foo" is not an argument, "Rasmus endorses foo for this and that reason" however is. Commented Jun 6, 2012 at 15:00
  • 2
    @Yannis Rizos "Rasmus endorses foo for this and that reason" however is. Thanks for the tutelage, but my reasoning was since Rasmus Lerdorf endorses it, being the creator of the language and still having influence on PHP's development, changes were made to make the <?= tag always available. This is what I should have added to my original comment "Therefore the practice of using <?= in views will probably become even more widespread." Dang, I'll need to triple check my comments for now on...dots... Commented Jun 6, 2012 at 15:25
21

You should definitely try to avoid short form tags, whether it's <? or <?=.

The main technical reason is portability, you can never be sure that the short form tags will work for every given setup, as they can be turned off, lookup the short_open_tag directive. But you can always be absolutely certain that the long form will work everywhere.

It would save some typing and it would be better for code readability, IMO.

That's also a bad habit. I can't really tell you what you find more readable, but I'm feverishly against using code readability as an excuse to save yourself a couple of keystrokes. If you are concerned about readability, you should go for a template engine, this:

<input name="someVar" value="{someVar}">

is far more readable from both your examples.

Lastly, it's worth noting that short form tags are explicitly discouraged by major PHP projects, for example PEAR and Zend Framework.

Improve this answer
18
  • 14
    +1 for templates. -1 for portability. Its a server side language. Challenges you need to focus on for a server are things like scalability and security. It would be an amazingly bad idea to invest serious time into making sure it would run on multiple platforms ... (just in case!) ... Commented Jun 5, 2012 at 18:55
  • 3
    @Stargazer712 Hm? The only thing you need to do is use the standard <?php and echo instead of <? and <?=, do you count that as serious time? And what happens when you move your project to a server where for some reason short tags are disabled? Commented Jun 5, 2012 at 18:58
  • 13
    @Yannis: those few characters may not seem like much, but IMO they add up to a lot of noise. Commented Jun 5, 2012 at 19:24
  • 9
    I think it should be mentioned that PHP's original purpose was to be a template language. Adding another template engine (more bloat) on top of PHP doesn't float my tuna boat. Just follow good practices (some good tips are here stackoverflow.com/questions/62617/…) when coding PHP mixed with HTML and you're good to go. Commented Jun 5, 2012 at 20:49
  • 2
    @Yannis Rizos Yes it should be mentioned because people new to PHP might think they are obligated to use [whizbang] template engine in their PHP projects without considering using pure PHP instead. Should I only do text processing in Perl, maybe not but I figure that by now Perl is pretty darn good at text processing - likewise with PHP and templating. Commented Jun 6, 2012 at 15:14
21

The PHP-Documentation clearly says that you can use short echo tags safely:

5.4.0 The tag <?= is always available regardless of the short_open_tag ini setting.

Although this is for PHP version 5.4 and greater but everybody should at least use this one. I would prefer them for templating purposes only.

Improve this answer
11

Reasons for using short tags:

  • They are shorter.

Reasons for not using short tags:

  • They introduce one more configuration gotcha - while you do control the server most of the time in a professional context, if you plan to release your code to the general public, short tags may break unrepairably for people who use it on, say, shared hosting.
  • They make it way too easy to casually drop un-sanitized strings into your output. This is scary because it may introduce XSS vulnerabilities. While long tags do nothing directly to prevent this, they do signal to the programmer that maybe what they are doing isn't the right thing, and they should start using a template system that automatically handles HTML-encoding for them right now. Outputting dynamic strings with long tags is painful, which is a good (educative) thing.
Improve this answer
3
  • That's the answer to accept IMO, even tho templates won't make everything XSS safe (user data in a script's src attribute will always be unsafe) and I don't know if template mechanism are aware of the proper echoing context; what if the PHP variable ends up in a script tag content? In a SVG embeded in the HTML? Commented Mar 23, 2019 at 12:53
  • @Xenos clearly that depends on the template system in question, and there is no silver bullet; but most of them do reduce the bug surface, and the number of scenarios where manual diligence (the single most important source of security bugs) is required. "Don't put dynamic content in script tags" is easier to follow (and audit for) than "make sure all dynamic content is HTML-encoded properly everywhere". Commented Apr 4, 2019 at 8:28
  • So your second (not to) point is akin to: "reasons not to use knifes: you can cut yourself?". Because the first one stopped being valid 2 years after you posted this. Commented Mar 27, 2021 at 15:01
11

As of PHP 7.4, the playing field changes a bit:

<? ?> is officially deprecated and will be removed in PHP 8.0.

PHP RFC: Deprecate PHP Short open tags explicitly states that <?= ?> is unaffected. This would indicate (according to me, not the RFC) that its usage is not discouraged.

Improve this answer
1
6

I think that the <?= version is a good/acceptable practice, provided that you only use it for final output of variables and avoid any function-calls or ternary-logic that aren't directly related to the presentation of the data.

It's certainly much better than <? echo($x); ?> everywhere.

Long-term, you may want to look into templating engines such as Smarty.

Improve this answer
1
  • 3
    Smarty was once the template engine, but right now it's an outdated & bloated mess, and you should really steer clear. Commented Jun 5, 2012 at 18:51
-3

To be honest, I think that echoing a result whichever the method is (old or new fashion) is something pretty obsolete while MVC celebrates 33 years already.

I would say that yes, this is a good practice to encapsulate the incoming server (php) data within an XML document and process it in your applicative/client layer, thus, saving you even the idea of using such a tag.

Improve this answer
3
  • 1
    Actually MVC celebrates 33 years, it was first outlined on December 1979 in this paper. Commented Jun 5, 2012 at 19:54
  • yeah, i'm still in the 2000, my mistake :-) Commented Jun 5, 2012 at 19:59
  • 1
    um... Templating... is templating obsolete? Are templating and MVC mutually exclusive? Commented Sep 30, 2015 at 10:25

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.