A few changes in PHP 6:
This post is mainly about what is removed (and will no doubt break countless scripts out there)
- magic quotes
- register_globals
- register_long_arrays
- safe_mode
magic_quotes
// Assuming magic_quotes is on
$sql = "INSERT INTO USERS (USERNAME) VALUES $_GET['username'];
// Using proper parameterised query method (MySQL)
$statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES ?";
$statement->execute(array($_GET['username']));
Obviously the get_magic_quotes_gpc() function will no longer be available.
register_globals
// a security hole because if register_globals is on the value for user_authorised can be set by a user sending
// them in the query string
// i.e www.example.com/index.php?user_authorised=true
if ($user_authorised){
// show all the data
}
// Being specifc
function is_authorised{
if (isset($_SESSION['user'])){
return true;
}else{
return false;
}
}
$user_authorised = is_authorised();
register_long_arrays
Using deprecated registered arrays:
// Echo the name of the user value given on the query string
// http://www.example.com/index.php?username=notgood
echo "Welcome, $HTTP_GET_VARS['username']";
Using $_GET
// Using the supported $_GET array instead
echo "Welcom, $_GET['username']@;
safe_mode
This was originally to ensure that the owner of a file being operated on matches the owner of the script that is executing. It was originally a way to attempt to handle security when operating on a shared server environment (like many ISPs would have) It is outside the scope of this blog to document the numerous functions affected by this change, so consult your documentation.