CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Short Open Tag (<?)

PHP PHP 5.0+ Beginner
debt(d3/e3/b3/t7)
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches the common case' (d3). The detection_hints list phpcs, php-cs-fixer, and rector — all standard PHP toolchain tools that catch short open tags automatically. phpcs with PSR-1 ruleset and php-cs-fixer are commonly run in CI by default in PHP projects, making this effectively caught at the linter level.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix indicates replacing <? with <?php throughout the codebase, which is a pattern-level substitution. Tools like Rector's ShortOpenTagSniff and php-cs-fixer can automate this, but it may touch multiple template/PHP files. Not a single-line patch (e1), but not a deep architectural refactor either — it's a find-and-replace pattern across files within one codebase.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Short open tags are a per-file syntactic choice. The burden is real — any file using <? is a latent compatibility hazard — but the issue is localised to the files that use them and doesn't impose a structural tax on the whole system's architecture. It doesn't shape every downstream decision the way a framework or ORM choice would.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field states directly: 'Short tags work everywhere because my dev machine has them enabled — production servers, Docker images, and shared hosts commonly disable short_open_tag; code that depends on it fails silently or with parse errors.' This contradicts a reasonable developer assumption (it works locally, so it works everywhere). The failure mode described in why_it_matters — PHP source code including credentials served as raw text — makes this a serious trap rather than a minor edge case, scoring t7.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

<? tag short_open_tag short PHP tag

TL;DR

Using <? instead of <?php — short tags are disabled by default in many PHP configurations and conflict with XML processing instructions.

Explanation

PHP supports three open tags: <?php (always works), <?= (short echo, always works since PHP 5.4), and <? (short open tag, requires short_open_tag=On in php.ini). The <? short tag conflicts with XML processing instructions <?xml and is disabled in many shared hosting environments, Docker images, and production configurations. PSR-1 mandates only <?php and <?= tags. Rector can automatically expand <? to <?php across a codebase.

Common Misconception

Short tags work everywhere because my dev machine has them enabled — production servers, Docker images, and shared hosts commonly disable short_open_tag; code that depends on it fails silently or with parse errors.

Why It Matters

A file with <? short tags silently fails to execute as PHP when short_open_tag is off — the PHP code is served as raw text to the browser, exposing source code including credentials.

Common Mistakes

  • Using <? throughout a legacy codebase that runs fine locally but fails on the production server.
  • <?= is a short echo tag — unlike <?, this is always available since PHP 5.4 and is PSR-1 compliant.
  • Mixing <?php and <? in the same file.
  • Not running Rector's ShortOpenTagSniff to find all occurrences automatically.

Code Examples

✗ Vulnerable 
<? // Short tag — requires short_open_tag=On
$user = getUser($id);
?>
<p>Hello <? echo $user->name; ?></p>

<? if ($user->isAdmin()): ?>
    <p>Admin panel</p>
<? endif; ?>
✓ Fixed 
<?php // Always works — PSR-1 compliant
$user = getUser($id);
?>
<p>Hello <?= htmlspecialchars($user->name) ?></p>

<?php if ($user->isAdmin()): ?>
    <p>Admin panel</p>
<?php endif; ?>
Added 16 Mar 2026
Edited 22 Mar 2026
Views 43

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 1 ping W 1 ping T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 1 ping W 3 pings T 0 pings F 0 pings S 2 pings S 0 pings M 0 pings T 2 pings W 2 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 2 pings S 0 pings M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 7 Scrapy 6 Google 5 Perplexity 3 Unknown AI 3 ChatGPT 3 Ahrefs 3 SEMrush 3 Claude 1 Meta AI 1 PetalBot 1
Also referenced
Removed PHP Function 84 PHP-CS-Fixer vs PHP_CodeSniffer 65 PSR-1: Basic Coding Standard 40 Legacy Date Functions 40
How they use it
crawler 33 crawler_json 2 pre-tracking 1
Related categories
php 13.2k style 2.1k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Never use <? short tags in new code — they conflict with XML and may be disabled (short_open_tag=Off); PSR-1 requires <?php or <?= only; <?= is always available since PHP 5.4 regardless of short_open_tag
📦 Applies To
PHP 5.0+ web cli
🔗 Prerequisites
🔍 Detection Hints
<? without php after; short tags in template files; <% ASP-style tags legacy; PHP files using short echo tag <? echo instead of <?=
Auto-detectable: ✓ Yes phpcs php-cs-fixer rector
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
✓ schema.org compliant