PHP V6 (developer’s snapshot)
http://www.ibm.com/developerworks/opensource/library/os-php-future/?ca=dgr-lnxw01PHP-Future
In addition to having new features, PHP V6 will not have some other functions and features that have been in previous versions. Most of these things, such as register_globals and safe_mode, are widely considered “broken” in current PHP, as they may expose security risks. In an effort to clean up PHP, the functions and features listed in the next section will be removed, or deprecated, from PHP. Opponents of this removal will most likely cite issues with existing scripts breaking after ISPs or enterprises upgrade to PHP V6, but proponents of this cleanup effort will be happy that the PHP team is sewing up some holes and providing a cleaner, safer implementation.
Features that will be removed from PHP V6 include:
- magic_quotes
- register_globals
- register_long_arrays
- safe_mode
Citing portability, performance, and inconvenience, the PHP documentation discourages the use of magic_quotes. It’s so discouraged that it’s being removed from PHP V6 altogether, so before upgrading to PHP V6, make sure that all your code avoids using magic_quotes. If you’re using magic_quotes to escape strings for database calls, use your database implementation’s parameterized queries, if they’re supported. If not, use your database implementation’s escape function, such as mysql_escape_string for MySQL or pg_escape_string for PostgreSQL. Listing 2 shows an example of magic_quotes use.
Listing 2. Using magic_quotes (discouraged)
<?php
// Assuming magic_quotes is on, the quotes in $_GET['username'] have already
// been backslash-escaped before the value is pasted into the SQL string
$sql = "INSERT INTO USERS (USERNAME) VALUES ('{$_GET['username']}')";
?>
After preparing your PHP code for the new versions of PHP, your code should look like that in Listing 3.
Listing 3. Using parameterized queries (recommended)
<?php
// Using the proper parameterized query method for MySQL, as an example;
// $dbh is an already-open PDO connection
$statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES (?)");
$statement->execute(array($_GET['username']));
?>
Now that support for magic_quotes will be completely removed, the get_magic_quotes_gpc() function will no longer be available. This may affect some older PHP scripts, so before updating, make sure you fix every location in which this function is called.
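The usual pattern in older scripts is to call get_magic_quotes_gpc() and undo the escaping with stripslashes(). The following added example (not code from the article) shows how to keep such a script running on both old and new interpreters while leaving escaping to the database driver: the call is guarded with function_exists(), slashes are only stripped when magic_quotes actually added them, and the insert uses a PDO prepared statement. The $dsn, $dbuser and $dbpass values are placeholders.

```php
<?php
// Added example: compatibility shim for code that relied on get_magic_quotes_gpc().
// On PHP V6 the function no longer exists, so an unguarded call is a fatal error.

function strip_magic_quotes_deep($value)
{
    // Request arrays can be nested (e.g. name[]=a&name[]=b), so recurse into them.
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

// Only strip when the interpreter still has magic_quotes and it is switched on.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// From here on the request data is the raw user input regardless of the
// magic_quotes setting, and quoting is the driver's job, not the script's.
$dsn    = 'mysql:host=localhost;dbname=app'; // placeholder connection settings
$dbuser = 'app';                             // placeholder
$dbpass = 'secret';                          // placeholder

$dbh = new PDO($dsn, $dbuser, $dbpass);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$username = isset($_GET['username']) ? $_GET['username'] : '';

// Named placeholder; the value never becomes part of the SQL text.
$statement = $dbh->prepare('INSERT INTO USERS (USERNAME) VALUES (:username)');
$statement->execute(array(':username' => $username));
?>
```

Once every script reads request data through a shim like this, the magic_quotes setting can be turned off on the old server before the upgrade, which flushes out any remaining code that silently depended on it.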
The register_globals configuration key has defaulted to off since PHP V4.2, which was controversial at the time. When register_globals is turned on, it is easy to use variables whose values can be injected from HTML forms or the query string. Because these variables don’t require initialization in your scripts, it’s easy to write scripts with gaping security holes. The register_globals documentation (see Resources) provides much more information about register_globals. See Listing 4 for an example of using register_globals.
Listing 4. Using register_globals (discouraged)
<?php
// A security hole, because if register_globals is on, the value for user_authorized
// can be set by a user sending it on the query string
// (i.e., http://www.example.com/myscript.php?user_authorized=true)
if ($user_authorized) {
// Show them everyone's sensitive data...
}
?>
If your PHP code relies on register_globals, you should update it. Even if you aren’t updating your code to prepare for newer versions of PHP, consider updating it for security reasons. When you’re finished, your code should look like Listing 5.
Listing 5. Being specific instead (recommended)
<?php
// The session must be started before $_SESSION is populated
session_start();

function is_authorized() {
    if (isset($_SESSION['user'])) {
        return true;
    } else {
        return false;
    }
}

$user_authorized = is_authorized();
?>
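Listing 5 fixes the one variable the article discusses. The added example below (not code from the article) applies the same discipline to a whole script: every variable is initialised before use, authorization is decided by the session alone, and request parameters are read by name and validated with filter_input(), so the script behaves identically whether register_globals is on or off. The parameter names page and username are assumed for illustration.

```php
<?php
// Added example: a script written so that register_globals cannot influence it.
session_start();

// Initialise every variable the script relies on. With register_globals on, an
// uninitialised $user_authorized could otherwise be set from the query string.
$user_authorized = false;
$page            = 1;
$username        = '';

// Only the session decides authorization; nothing in the request can set it.
if (isset($_SESSION['user'])) {
    $user_authorized = true;
}

// Read request parameters explicitly and validate them. filter_input() returns
// null when the parameter is absent and false when it fails the filter.
$requested_page = filter_input(
    INPUT_GET,
    'page',
    FILTER_VALIDATE_INT,
    array('options' => array('min_range' => 1))
);
if ($requested_page !== null && $requested_page !== false) {
    $page = $requested_page;
}

if (isset($_GET['username'])) {
    $username = $_GET['username'];
}

if ($user_authorized) {
    // Show page $page of the data for the logged-in user ($_SESSION['user']),
    // never for $username, which is untrusted input.
    echo 'Page ' . (int) $page . ' for ' . htmlspecialchars($_SESSION['user']);
} else {
    echo 'Please log in.';
}
?>
```

Turning register_globals off in php.ini and running the script with error_reporting(E_ALL) is a quick way to find any variable that is still read before it is assigned.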
The register_long_arrays setting, when turned on, registers the $HTTP_*_VARS predefined variables. If you’re using the longer variables, update now to use the shorter variables. This setting was introduced in PHP V5 — presumably for backward-compatibility — and the PHP folks recommend turning it off for performance reasons. Listing 6 shows an example of register_long_arrays use.
Listing 6. Using deprecated registered arrays (discouraged)
<?php
// Echoes the username value given on the query string, like
// http://www.example.com/myscript.php?username=ngood
echo "Welcome, {$HTTP_GET_VARS['username']}!";
?>
If your PHP code looks like that shown in Listing 6, update it to look like that in Listing 7. Shut off the register_long_arrays setting if it’s on and test your scripts again.
Listing 7. Using $_GET (recommended)
<?php
// Using the supported $_GET array instead; htmlspecialchars() keeps the
// user-supplied value from being interpreted as markup when it is echoed
echo "Welcome, " . htmlspecialchars($_GET['username']) . "!";
?>
The safe_mode configuration key, when turned on, ensures that the owner of a file being operated on matches the owner of the script that is executing. It was originally a way to attempt to handle security when operating in a shared server environment, like many ISPs would have. (For a link to a list of the functions affected by this safe_mode change, see Resources.) Your PHP code will be unaffected by this change, but it’s good to be aware of it in case you’re setting up PHP in the future or counting on safe_mode in your scripts.
Microsoft Active Server Pages (ASP)-style tags — the shorter version of the PHP tags — are no longer supported. To make sure this is not an issue for your scripts, verify that you aren’t using the <% or %> tags in your PHP files. Replace them with <?php and ?>.
The PHP team is removing support for both FreeType 1 and GD 1, citing the age and lack of ongoing developments of both libraries as the reason. Newer versions of both of these libraries are available that provide better functionality. For more information about FreeType and GD, see Resources.
The ereg extension, which supports Portable Operating System Interface (POSIX) regular expressions, is being removed from core PHP. If you are using any of the POSIX regex functions, this change will affect you unless you make the ereg functionality available separately.
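Before an upgrade, the practical question is where in a code base the removed features are still used. The added example below (not code from the article) is a small readiness check that walks a directory tree and reports the file and line of every use of get_magic_quotes_gpc(), the long $HTTP_*_VARS arrays, ASP-style <% %> tags and the POSIX ereg functions, covering the register_long_arrays, ASP-tag and ereg sections above in one pass. The patterns are plain per-line regular expressions chosen for this example and are heuristics (a literal "%>" inside a string will also be reported); the list of ereg functions is the standard set of that extension.

```php
<?php
// Added example: scan PHP sources for features removed in PHP V6 and print
// file:line: issue for each hit, so they can be fixed before upgrading.

$checks = array(
    'get_magic_quotes_*() removed with magic_quotes'
        => '/\bget_magic_quotes_(gpc|runtime)\s*\(/',
    'long array ($HTTP_*_VARS) needs register_long_arrays'
        => '/\$HTTP_(GET|POST|COOKIE|SERVER|ENV|SESSION)_VARS\b|\$HTTP_POST_FILES\b/',
    'ASP-style tag no longer supported'
        => '/<%|%>/',
    'ereg extension removed from core'
        => '/\b(ereg|eregi|ereg_replace|eregi_replace|split|spliti|sql_regcase)\s*\(/',
);

// Scan one file; returns a list of findings (file, line number, issue label).
function scan_file($path, array $checks)
{
    $findings = array();
    $lines = file($path);
    if ($lines === false) {
        return $findings;
    }
    foreach ($lines as $index => $line) {
        foreach ($checks as $label => $pattern) {
            if (preg_match($pattern, $line)) {
                $findings[] = array(
                    'file'  => $path,
                    'line'  => $index + 1,
                    'issue' => $label,
                );
            }
        }
    }
    return $findings;
}

// Walk a directory tree and scan every PHP-looking file in it.
function scan_tree($root, array $checks)
{
    $findings = array();
    $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
    foreach ($iterator as $file) {
        if ($file->isFile() && preg_match('/\.(php|inc|phtml)$/i', $file->getFilename())) {
            $findings = array_merge($findings, scan_file($file->getPathname(), $checks));
        }
    }
    return $findings;
}

// Usage: php php6-check.php /path/to/webroot   (defaults to the current directory)
$root = isset($argv[1]) ? $argv[1] : '.';
foreach (scan_tree($root, $checks) as $finding) {
    printf("%s:%d: %s\n", $finding['file'], $finding['line'], $finding['issue']);
}
?>
```

A scan that reports nothing is not proof of readiness (code generated at run time or stored in a database is not seen), but it gives a concrete worklist for the listings-style rewrites shown earlier, and running it again after the changes confirms nothing was missed.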