[nycphp-talk] Short Tags deprecated?

Paul A Houle paul at
Mon Aug 31 10:29:32 EDT 2009

Hans Zaunere wrote:
> Yeah something like this could be handy, certainly.  I typically push/adapt
> an object into the template which is property overloaded.  Then something
> like:
> <?=$Object->FirstName?>
    I'm afraid that this is getting us back to magic_quotes_gpc:  
because now I might want to write


    and then do something with $first_name that isn't writing it into 
HTML.  magic_quotes_gpc was effective protection against a certain 
category of HTML injection faults,  but it made it difficult to write 
entirely correct code that processes the content of strings.  I prefer 
the model of "escape at the time of output" rather than preemptive 
escaping:  particularly these days,  where you might be escaping a 
variable to be a Javascript string literal instead of an HTML code.

    Today people are realizing that HTML/Javascript injection attacks 
are difficult to stop (there are lots of clever ways to inject 
Javascript that you'd never think of),  and some systems are taking 
different approaches.  ASP.NET,  for instance,  has an "application 
firewall" built in that looks for dangerous inputs in form variables and 
that will abort your application if you get fed junk.  Although my first 
impression is that this is "magic_quotes_gpc all over again",  and I've 
definitely seen the system block legitimate input,  Microsoft has done a 
good job of justifying this behavior.

> Outputs correctly escaped (or processed in any other way depending on what
> the overload wants to do) content.  Quite handy and has proved effective.
> It does seem that it'd be handy to have some type of "stdout" processing
> hook that can be overridden, while providing a shorthand for working in
> templates.
    It makes some people feel dirty,  but you can do this with global 
variables,  assuming your template system remembers to set them when you 
get in or out of a template.  My own "php on nails" system has quite a 
few functions that behave differently if serving a web page or run from 
the command line.

More information about the talk mailing list