The future of PHP


A few changes in PHP 6:

This post is mainly about what is being removed (and will no doubt break countless scripts out there):

  • magic quotes
  • register_globals
  • register_long_arrays
  • safe_mode


// Assuming magic_quotes is on

// Using proper parameterised query method (MySQL)
$statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES (?)");

Obviously the get_magic_quotes_gpc() function will no longer be available.
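A migration-safe version of the pattern above, as an added example that is not part of the original post: it undoes magic-quotes escaping only when the runtime still applies it, then binds the value as a query parameter. It assumes the pdo_sqlite extension in place of the post's MySQL connection, and raw_input_value() is a hypothetical helper name; the sample input is constructed.

```php
<?php
// Added example, not from the original post. Uses an in-memory SQLite
// database (assumption) so it runs without a MySQL server; $dbh mirrors
// the handle name used in the post.

// Undo magic-quotes escaping only where the runtime still applies it.
// get_magic_quotes_gpc() is not available in every PHP version, so the
// call is guarded instead of being made unconditionally.
function raw_input_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed sample input: a name containing a quote character.
$submitted = "O'Brien";
// The same value as a script would see it after magic-quotes escaping.
$with_magic_quotes = addslashes($submitted);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE USERS (USERNAME TEXT)');

// The value travels as a bound parameter, never as part of the SQL text,
// so the query does not depend on any escaping layer.
$statement = $dbh->prepare('INSERT INTO USERS (USERNAME) VALUES (?)');
$statement->execute(array(raw_input_value($submitted)));

// Pitfall: a value that was escaped by magic quotes and is then bound as
// a parameter is stored with the backslash included, corrupting the data.
$statement->execute(array($with_magic_quotes));

// Show both stored rows so the difference is visible.
foreach ($dbh->query('SELECT USERNAME FROM USERS') as $row) {
    echo $row['USERNAME'], PHP_EOL;
}
```

The second row shows why scripts that combined magic quotes with bound parameters need their stored data checked after the setting disappears.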


// A security hole: if register_globals is on, the value of $user_authorised can be set by a user sending
// it in the query string
// i.e.
if ($user_authorised) {
    // show all the data
}

// Being specific
function is_authorised() {
    if (isset($_SESSION['user'])) {
        return true;
    }
    return false;
}
$user_authorised = is_authorised();


Using deprecated registered arrays:

// Echo the name of the user value given on the query string (escaped for HTML output)
echo "Welcome, " . htmlspecialchars($HTTP_GET_VARS['username'], ENT_QUOTES, 'UTF-8');

Using $_GET

// Using the supported $_GET array instead (escaped for HTML output)
echo "Welcome, " . htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8');

safe_mode was originally intended to ensure that the owner of a file being operated on matches the owner of the script that is executing. It was a way to attempt to handle security in a shared server environment (like many ISPs would have). It is outside the scope of this blog to document the numerous functions affected by this change, so consult your documentation.
