Closed joanhey closed 4 years ago
In my opinion, removing closing tags is like opening a door to hackers.
By having a closing tag, any extra php code will either produce an error or most likely not be processed at all which, again to me personally, is better than having someone inject a line at the end of a file in hopes that there is no closing tag and that it will get processed.
I know nginx config files differ from a php file in many ways but i still think code structure should be followed as it makes everything clear and adds to justification of the code.
I also think such a pr does not add value to the project and risks confusing more than helping. (unless i clearly dont get the idea behind this and if so, please explain your motivation behind this change)
just my idea, thanks
I dont get the description of this but if its to avoid blanks or such, then maybe the closong tag should be right after the command itself, on the same line as in <?php echo 'Hello Pistachios'; ?>
From a security point, it's exactly the same with or without the closing tags. After php include the file, automatically close it. And I think it is more secure without it.
And it is not for blank lines this PR. It is to avoid extra output if added anything after the closing tag. For example in plain php you can send the headers, after any output before.No probem with this in ngx_php. That closing tag gave many errors in frameworks before. Almost all frameworks recomment not to use the closing tag.
I can only say that from experience (i run several hundred websites, one of which gets over 52 million hits per day) that id rather have closing tags on php files, it helped sevral times. Thanks for the input
Hi @mathieu-aubin
https://stackoverflow.com/questions/3219383/why-do-some-scripts-omit-the-closing-php-tag https://stackoverflow.com/questions/4410704/why-would-one-omit-the-close-tag There are a lot more discussions about that.
Also the php basic sintax say:
If a file contains only PHP code, it is preferable to omit the PHP closing tag at the end of the file.
https://www.php.net/manual/en/language.basic-syntax.phptags.php
Please, if you can send an example, causing a vulnerability for not use the closing tag, will be very helpfull for all the php comunity.
Thank you.
Im sorry i dont have an example as i tend to get rid of malicious stuff i find after i analyze it. But mostly, it was malicious/hacked plugins (i have very little control over what the customers upload..) that would insert bad lines of php (without opening/closing) tags to files. When that happens, if the closing tag is missing then the code that was 'injected' or added to the file was being processed.
Again, its only my opinion and i didnt expect any change of mind. Thanks
to avoid any extra output