Security improvements in PHP 4.1.0

January 2007 - this article is now six years old, and the strong advice remains to code with the new $_REQUEST and $_SESSION superglobal arrays. Old code remains around, and the php.ini file is usually still configured on ISPs' servers to allow both the old and the new style. But be warned - use the old style and old code at your peril. And watch the old way ("register_globals" as it's called) be turned off at PHP 6.0.0!

[update - PHP has now moved right on to 4.3.9 and 5.0.1, but the issue of global variables described in this article remains live. There's a great deal of older code around and most ISPs have turned register_globals on to avoid compatibility issues with old sites]

PHP has come "from nothing" in the last two years. Why? Because it's superbly suited for server-side executable use; it's one of the few languages designed for that specific use, and that shows in the superb range of built-in functions, and the ease with which server-side code can be written. No longer does the programmer need to learn a language and an interfacing scheme (such as CGI) - it's all there in one with PHP.

PHP is also easy to code - some would argue that it's too easy. Create a form, have a user complete that form on his browser, and everything that he's entered magically appears as variables in your PHP.

Fabulous - but there's a potential security risk there. From our very first PHP course, we warned authors that they should initialise all variables that don't come through as form (or cookie, or session) inputs. Why? Simply because an unscrupulous user with appropriate knowledge could maliciously initialise an unset PHP variable by modifying a form.

As of the latest release of PHP (4.1.0, December 2001), there's a brand new series of arrays (called $_GET, $_POST, $_COOKIE etc) from which you're encouraged to read your form / cookie / environment inputs. The potential confusion between your own variables and form variables is cleared.

Of course, the vast majority of PHP applications out there use the old mechanism ... which remains available, although "deprecated". For new installations with new code, you're encouraged to turn off register_globals in the configuration file php.ini, and in time the older mechanism will fade away.
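
The risk and the fix described above, as an added example that is not from the original article. register_globals no longer exists in current PHP, so `extract()` stands in for it here; the function names, the `authorised` flag and the sample password are assumptions made for illustration.

```php
<?php
// Added example. extract() imitates what register_globals did implicitly:
// every request parameter becomes a variable in the script's scope.
// All request data below is constructed for the demonstration.

// Old style: inputs and the script's own variables share one namespace.
function old_style_page(array $request): string
{
    extract($request);

    // $authorised is never initialised by the script itself ...
    if (isset($password) && $password === 'letmein') {   // constructed secret
        $authorised = true;
    }
    // ... so a request that carries authorised=1 has already set it.
    return !empty($authorised) ? 'admin page' : 'login form';
}

// New style: inputs are read only from the explicit array (in a real
// script, $_POST), and the script's own variable is initialised first.
function new_style_page(array $post): string
{
    $authorised = false;
    if (isset($post['password']) && $post['password'] === 'letmein') {
        $authorised = true;
    }
    return $authorised ? 'admin page' : 'login form';
}

// Constructed requests: one with a wrong password plus a field the real
// form never contained, and one ordinary login.
$requests = [
    'tampered' => ['password' => 'wrong', 'authorised' => '1'],
    'honest'   => ['password' => 'letmein'],
];

foreach ($requests as $label => $req) {
    printf(
        "%-8s old style: %-10s new style: %s\n",
        $label,
        old_style_page($req),
        new_style_page($req)
    );
}
```

Initialising `$authorised` in the old-style function would also close the gap, which is the advice the article gives for code that must keep running with register_globals on.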

"Stop Press" flash ... PHP 4.1.1 released 26th December 2001. Minor bug fix release.

Side box ... other changes in PHP 4.1.0

- Highly improved performance, especially under Windows
- Support for "versioning" of extensions
- Output compression support
- Lots of new functions

Please note that articles in this section of our web site were current and correct to the best of our ability when published, but by the nature of our business may go out of date quite quickly. The quoting of a price, contract term or any other information in this area of our website is NOT an offer to supply now on those terms - please check back via our main web site


At Well House Consultants, we provide training courses on subjects such as Ruby, Lua, Perl, Python, Linux, C, C++, Tcl/Tk, Tomcat, PHP and MySQL. We're asked (and answer) many questions, and answers to those which are of general interest are published in this area of our site.


© WELL HOUSE CONSULTANTS LTD., 2019: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01225 708225 • FAX: 01225 793803 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/solutions/php-secu ... 4-1-0.html • PAGE BUILT: Wed Mar 28 07:47:11 2012 • BUILD SYSTEM: wizard