[thelist] PHP_SELF / Contact Form

David Miller david at deadpansincerity.com
Tue Aug 3 02:43:15 CDT 2010


On 2 August 2010 22:44, Ken Robinson <kenrbnsn at rbnsn.com> wrote:

> The reason the short tag is a security risk is that if you move your code
> to a server that has short tags turned off or your host turns them off,
> there is a real risk that your code will be shown.


AFAICT that's less of a security risk with PHP short tags && more of a
security risk with either:
a) Your decision to deploy a site in a production environment without even
cursorily testing it first.
b) Your clearly half-baked hosting company changing (for their own esoteric
&& arbitrary reasons) settings in php.ini without giving you clear advance
warning.

There are more web hosting companies running PHP than anyone is likely to
have hot dinners. Pick one that has short tags enabled - or better yet one
that gives you access to the php.ini file.

IMHO the gains in readability and developer convenience make short tags well
worth the unlikely-but-still-plausible-I-guess possibility of having to
replace them should you want the code to run with them turned off.

(Even if you did, then surely your
grep/perl/{your-text-munging-solution-of-choice}-fu can likely replace 95%
of them in one pass amirite? Unless you're doing something clever that I
haven't thought of/don't understand, in which case you're probably able to
throw a single-use token parser together.)

Love regards etc

David Miller
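
The one-pass replacement mentioned in the message above, written out as an added example (not part of the original post and not code from either participant). It is a plain text scan rather than PHP's tokenizer; the function name and the sample template are constructed for illustration.

```python
import re

# An opening tag found in template (non-PHP) text, plus the keyword after it.
OPENER = re.compile(r"<\?(php\b|xml\b|=)?", re.IGNORECASE)

def convert_short_tags(source, echo_tags=True):
    """Rewrite short open tags; return (new_source, [(line, tag), ...]).

    Assumption: a block ends at the first "?>" after its opener, so a "?>"
    inside a PHP string literal would end the block early in this scan.
    echo_tags=False leaves "<?=" alone (PHP 5.4+ always enables it).
    """
    out, findings, pos = [], [], 0
    while (m := OPENER.search(source, pos)) is not None:
        out.append(source[pos:m.start()])
        kind = (m.group(1) or "").lower()
        line = source.count("\n", 0, m.start()) + 1
        if kind == "xml":
            # XML declaration: literal output, so stay in template mode.
            out.append(m.group(0))
            pos = m.end()
            continue
        if kind == "":
            findings.append((line, "<?"))
            nxt = source[m.end():m.end() + 1]
            # "<?if" must become "<?php if", not "<?phpif".
            out.append("<?php" if nxt == "" or nxt.isspace() else "<?php ")
        elif kind == "=" and echo_tags:
            findings.append((line, "<?="))
            out.append("<?php echo ")
        else:
            out.append(m.group(0))
        # Copy the block body unchanged, so "<?" inside PHP code is ignored.
        close = source.find("?>", m.end())
        end = len(source) if close == -1 else close + 2
        out.append(source[m.end():end])
        pos = end
    out.append(source[pos:])
    return "".join(out), findings

# Constructed sample template.
SAMPLE = '''<html>
<? $name = "world"; ?>
<p>Hello <?=$name?></p>
<?php echo "<? not a tag"; ?>
<?if ($name):?>yes<?endif?>
</html>
'''

if __name__ == "__main__":
    fixed, found = convert_short_tags(SAMPLE)
    print(found)
    print(fixed)
```

Run against a checkout before deployment, a non-empty findings list marks the files whose source would be served as text on a host with short tags turned off.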

