Why would one omit the close tag?

by

Sending headers earlier than the normal course may have far reaching consequences. Below are just a few of them that happened to come to my mind at the moment:

  1. While current PHP releases may have output buffering on, the actual production servers you will be deploying your code on are far more important than any development or testing machines. And they do not always tend to follow latest PHP trends immediately.

  2. You may have headaches over inexplicable functionality loss. Say, you are implementing some kind payment gateway, and redirect user to a specific URL after successful confirmation by the payment processor. If some kind of PHP error, even a warning, or an excess line ending happens, the payment may remain unprocessed and the user may still seem unbilled. This is also one of the reasons why needless redirection is evil and if redirection is to be used, it must be used with caution.

  3. You may get “Page loading canceled” type of errors in Internet Explorer, even in the most recent versions. This is because an AJAX response/json include contains something that it shouldn’t contain, because of the excess line endings in some PHP files, just as I’ve encountered a few days ago.

  4. If you have some file downloads in your app, they can break too, because of this. And you may not notice it, even after years, since the specific breaking habit of a download depends on the server, the browser, the type and content of the file (and possibly some other factors I don’t want to bore you with).

  5. Finally, many PHP frameworks including Symfony, Zend and Laravel (there is no mention of this in the coding guidelines but it follows the suit) and the PSR-2 standard (item 2.2) require omission of the closing tag. PHP manual itself (1,2), WordPress, Drupal and many other PHP software I guess, advise to do so. If you simply make a habit of following the standard (and setup PHP-CS-Fixer for your code) you can forget the issue. Otherwise you will always need to keep the issue in your mind.

Bonus: a few gotchas (actually currently one) related to these 2 characters:

  1. Even some well-known libraries may contain excess line endings after ?>. An example is Smarty, even the most recent versions of both 2.* and 3.* branch have this. So, as always, watch for third party code. Bonus in bonus: A regex for deleting needless PHP endings: replace (\s*\?>\s*)$ with empty text in all files that contain PHP code.

More Related Contents:

  1. Can I serve MP3 files with PHP?
  2. How can I prevent SQL injection in PHP?
  3. SQL injection that gets around mysql_real_escape_string()
  4. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  5. PHP Session Fixation / Hijacking
  6. “Keep Me Logged In” – the best approach
  7. How to prevent Browser cache for php site
  8. How to properly add cross-site request forgery (CSRF) token using PHP
  9. How to set HTTP header to UTF-8 using PHP which is valid in W3C validator
  10. How safe are PHP session variables?
  11. Generating a random password in php
  12. Preventing session hijacking
  13. Stop people uploading malicious PHP files via forms
  14. How to create a laravel hashed password
  15. PHP: How To Disable Dangerous Functions
  16. Why am I getting mime-type of .csv file as “application/octet-stream”?
  17. How to prevent multiple logins in PHP website
  18. a better approach than storing mysql password in plain text in config file?
  19. What does mysql_real_escape_string() do that addslashes() doesn’t?
  20. Prevent Back button from showing POST confirmation alert
  21. Generate cryptographically secure random numbers in php
  22. Use of Initialization Vector in openssl_encrypt
  23. Session timeouts in PHP: best practices
  24. Secure User Image Upload Capabilities in PHP
  25. Set httpOnly and secure on PHPSESSID cookie in PHP
  26. Does PHP’s $_REQUEST method have a security problem?
  27. Json: PHP to JavaScript safe or not?
  28. Limiting user login attempts in PHP [duplicate]
  29. What encryption algorithm is best for encrypting cookies?
  30. Content-length and other HTTP headers?

Leave a Comment