The future of PHP

php-logo

A few changes in PHP 6:

This post is mainly about what is removed (and will no doubt break countless scripts out there)

  • magic quotes
  • register_globals
  • register_long_arrays
  • safe_mode

magic_quotes


// Assuming magic_quotes is on
$sql = "INSERT INTO USERS (USERNAME) VALUES $_GET['username'];

// Using proper parameterised query method (MySQL)
$statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES ?";
$statement->execute(array($_GET['username']));

Obviously the get_magic_quotes_gpc() function will no longer be available.

register_globals

// a security hole because if register_globals is on the value for user_authorised can be set by a user sending
// them in the query string
// i.e www.example.com/index.php?user_authorised=true
if ($user_authorised){
// show all the data
}

// Being specifc
function is_authorised{
if (isset($_SESSION['user'])){
return true;
}else{
return false;
}
}
$user_authorised = is_authorised();

register_long_arrays

Using deprecated registered arrays:

// Echo the name of the user value given on the query string
// http://www.example.com/index.php?username=notgood
echo "Welcome, $HTTP_GET_VARS['username']";

Using $_GET

// Using the supported $_GET array instead
echo "Welcom, $_GET['username']@;

safe_mode
This was originally to ensure that the owner of a file being operated on matches the owner of the script that is executing. It was originally a way to attempt to handle security when operating on a shared server environment (like many ISPs would have) It is outside the scope of this blog to document the numerous functions affected by this change, so consult your documentation.

Leave a Reply

Your email address will not be published. Required fields are marked *