← Back to glossary

Short Open Tag (<?)

Q: What is a common misconception about Short Open Tag (<?)?

Short tags work everywhere because my dev machine has them enabled — production servers, Docker images, and shared hosts commonly disable short_open_tag; code that depends on it fails silently or with parse errors.

php PHP 5.0+ Beginner

Also Known As

<? tag short_open_tag short PHP tag

TL;DR

Using <? instead of <?php — short tags are disabled by default in many PHP configurations and conflict with XML processing instructions.

Explanation

PHP supports three open tags: <?php (always works), <?= (short echo, always works since PHP 5.4), and <? (short open tag, requires short_open_tag=On in php.ini). The <? short tag conflicts with XML processing instructions <?xml and is disabled in many shared hosting environments, Docker images, and production configurations. PSR-1 mandates only <?php and <?= tags. Rector can automatically expand <? to <?php across a codebase.

Common Misconception

✗ Short tags work everywhere because my dev machine has them enabled — production servers, Docker images, and shared hosts commonly disable short_open_tag; code that depends on it fails silently or with parse errors.

Why It Matters

A file with <? short tags silently fails to execute as PHP when short_open_tag is off — the PHP code is served as raw text to the browser, exposing source code including credentials.

Common Mistakes

Using <? throughout a legacy codebase that runs fine locally but fails on the production server.
<?= is a short echo tag — unlike <?, this is always available since PHP 5.4 and is PSR-1 compliant.
Mixing <?php and <? in the same file.
Not running Rector's ShortOpenTagSniff to find all occurrences automatically.

Code Examples

✗ Vulnerable

<? // Short tag — requires short_open_tag=On
$user = getUser($id);
?>
<p>Hello <? echo $user->name; ?></p>

<? if ($user->isAdmin()): ?>
    <p>Admin panel</p>
<? endif; ?>

✓ Fixed

<?php // Always works — PSR-1 compliant
$user = getUser($id);
?>
<p>Hello <?= htmlspecialchars($user->name) ?></p>

<?php if ($user->isAdmin()): ?>
    <p>Admin panel</p>
<?php endif; ?>

References

↗ https://www.php-fig.org/psr/psr-1/#23-side-effects

Tags

Added 16 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,445 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Amazonbot 6 Unknown AI 3 Perplexity 2 Google 1 ChatGPT 1 Ahrefs 1

Also referenced

PHP-CS-Fixer vs PHP_CodeSniffer 26 PSR-1: Basic Coding Standard 23 Legacy Date Functions 22 Removed PHP Function 18

How they use it

crawler 13 pre-tracking 1

Related categories

php 6.7k style 1.1k

⚡ DEV INTEL Tools & Severity

🟡 Medium ⚙ Fix effort: Low

⚡ Quick Fix

Never use <? short tags in new code — they conflict with XML and may be disabled (short_open_tag=Off); PSR-1 requires <?php or <?= only; <?= is always available since PHP 5.4 regardless of short_open_tag

📦 Applies To

PHP 5.0+ web cli

🔗 Prerequisites

PSR-1: Basic Coding Standard PHP Compilation Pipeline php ini production

🔍 Detection Hints

<? without php after; short tags in template files; <% ASP-style tags legacy; PHP files using short echo tag <? echo instead of <?=

Auto-detectable: ✓ Yes phpcs php-cs-fixer rector

⚠ Related Problems

PSR-1: Basic Coding Standard php ini production PHP Compilation Pipeline

🤖 AI Agent

Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line