Security improvements in PHP 4.1.0
January 2007 - this article is now six years old, and the strong advice remains to code with the new $_REQUEST and $_SESSION superglobal arrays. Old code remains around, and the php.ini file is usually still configured on ISPs' servers to allow both the old and the new style. But be warned - use the old style and old code at your peril. And watch the old way ("register_globals", as it's called) be turned off at PHP 6.0.0!
[update - PHP has now moved right on to 4.3.9 and 5.0.1, but the issue of global variables described in this article remains live. There's a great deal of older code around and most ISPs have turned register_globals on to avoid compatibility issues with old sites]
PHP has come "from nothing" in the last two years. Why? Because it's superbly suited for server-side executable use; it's one of the few languages designed for that specific purpose, and that shows in the superb range of built-in functions and the ease with which server-side code can be written. No longer does the programmer need to learn a language and a separate interfacing scheme (such as CGI) - it's all there in one with PHP.
PHP is also easy to code - some would argue that it's too easy. Create a form, have a user complete that form on his browser, and everything that he's entered magically appears as variables in your PHP.
Fabulous - but there's a potential security risk there. From our very first PHP course, we warned authors that they should initialise all variables that don't come through as form (or cookie, or session) inputs. Why? Simply because an unscrupulous user with appropriate knowledge could maliciously initialise unset PHP variables by modifying a form.
As of the latest release of PHP (4.1.0, December 2001), there's a brand new series of arrays (called $_GET, $_POST, $_COOKIE etc.) from which you're encouraged to read your form / cookie / environment inputs. The potential confusion between your own variables and form variables is removed.
Of course, the vast majority of PHP applications out there use the old mechanism ... which remains available, although "deprecated". For new installations with new code, you're encouraged to turn off register_globals in the configuration file php.ini, and in time the older mechanism will fade away.
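The risk described above, side by side with the new-style fix, as an added example that is not code from the original article. The field names (password, admin_ok) and the sample password are constructed; extract() is used only to stand in for what register_globals did, since modern PHP no longer has that setting. Run under PHP 5 or later, old_style() wrongly reports the tampered request as authorised while new_style() does not.

```php
<?php
// Added example, not from the original article. Field names and the
// sample password are constructed for illustration only.

// --- Old style, simulated. With register_globals = On, PHP behaved much
// like the extract() line below: every request parameter became a PHP
// variable of the same name before your own code ran.
function old_style(array $request)
{
    extract($request);                  // stands in for register_globals
    if (isset($password) && $password === 'letmein') {
        $admin_ok = true;               // only ever set on the success path ...
    }
    // ... but the variable was never initialised, so a request that carries
    // a field called admin_ok has already set it before this line is reached.
    return !empty($admin_ok);
}

// --- New style (PHP 4.1.0 onwards): every variable is initialised first,
// and input is read only through the superglobal array, never as a bare
// variable. In a real script you would pass $_POST (or $_GET) in here.
function new_style(array $post)
{
    $admin_ok = false;                  // initialised before any input is seen
    $password = isset($post['password']) ? (string) $post['password'] : '';
    if ($password === 'letmein') {
        $admin_ok = true;
    }
    return $admin_ok;
}

// Constructed request: no password, but an extra field the form never
// intended to accept. Only the old style is fooled by it.
$tampered = ['admin_ok' => '1'];
var_dump(old_style($tampered));
var_dump(new_style($tampered));
var_dump(new_style(['password' => 'letmein']));
```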
"Stop Press" flash ... PHP 4.1.1 released 26th December 2001. Minor bug fix release.
Side box ... other changes in PHP 4.1.0
- Highly improved performance, especially under Windows
- Support for "versioning" of extensions
- Output compression support
- Lots of new functions
At Well House Consultants, we provide training courses on subjects such as Ruby, Lua, Perl, Python, Linux, C, C++, Tcl/Tk, Tomcat, PHP and MySQL. We're asked (and answer) many questions, and answers to those which are of general interest are published in this area of our site.