Not long ago, while discussing coding standards, I argued against adding ?> at the end of PHP files. But miqrogroove pointed out to me an interesting reason why it can actually make sense to have it, together with an additional return statement, at the end of each file: the return statement alone can keep payload code that an attacker appends to existing PHP files, for example well-known include files, from being executed. The countermeasure is pretty easy: just add a return statement at the end of the file. It will end the include "subroutine":
/* all the include file's php code */ return; ?>
Well, in fact, a simple return; statement works just as well without the ?>, so I can stay with my habits 🙂. Maybe a consideration for the files in the WordPress project? Include filenames and locations are publicly known, so why not?
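To see the effect of the trailing return, here is an added example (not code from WordPress or from the original discussion). It builds two constructed include files in a temporary directory, appends the same harmless marker statement to both, and reports which one executes it. The file names, the `run_include()` helper and the marker strings are assumptions made for the demonstration.

```php
<?php
// Added example: both include files below are constructed for the demonstration.

// Include $path inside a function scope and return the markers it recorded.
function run_include(string $path): array
{
    $log = [];
    include $path;   // the included file appends to $log in this scope
    return $log;
}

$dir = sys_get_temp_dir() . '/return_guard_' . uniqid();
mkdir($dir, 0700);
$unguarded = $dir . '/unguarded.php';
$guarded   = $dir . '/guarded.php';

// Identical include bodies, except that one ends with a return statement.
file_put_contents($unguarded, "<?php\n\$log[] = 'original code';\n");
file_put_contents($guarded,   "<?php\n\$log[] = 'original code';\nreturn;\n");

// Stand-in for appended code: a harmless marker statement.
$appended = "\n\$log[] = 'appended code ran';\n";
foreach ([$unguarded, $guarded] as $file) {
    file_put_contents($file, $appended, FILE_APPEND);
}

$results = [
    'unguarded' => run_include($unguarded),
    'guarded'   => run_include($guarded),
];

foreach ($results as $name => $log) {
    $ran = in_array('appended code ran', $log, true);
    printf("%-9s appended code executed: %s\n", $name, $ran ? 'yes' : 'no');
}

// Clean up the temporary files.
unlink($unguarded);
unlink($guarded);
rmdir($dir);
```

The example covers only the append case described above: statements placed after the return are never reached when the file is included.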