Category: php

Today (or yesterday, or maybe tomorrow) marks a big day in my life because it’s the day I became editor of the PHP Manual. The request to take over as editor was not easy because it’s a position that requires work and responsibility… and consistent time. Working on the manual (something I’ve done since 2001) requires no true time commitments or required responsibilities because you submit documentation when you feel like it, solve the bugs you want, work on tasks that smell interesting, and take breaks whenever. In these past years I’ve taken many breaks because breaks are good but today I’m required to do something, required to be responsible for being there. I happily accept this challenge and must confess… I love PHP.

The documentation team is a good group of people with too many worthy names to mention here but [un]fortunately many of us have grown old. And since time has a way of adding new responsibilities, the total time spent writing documentation has decreased for most contributors. We’re looking for fresh warm bodies to join the team so if you like to write words read by millions, and work with fellow PHP friends, then make mom proud and join in on the fun. Don’t be shy! Most of us are normal people too.

Thanks to everyone for supporting this decision, I look forward to helping the team improve the PHP Manual over the next year or more. In my letter to the group you’ll notice that a “one year exit option” snuck into the contract… clever huh? :) And thank you Gabor Hojtsy for doing such a great job as editor because over the years you’ve had a positive impact on my life and your legacy will be continued. Drupal is lucky to have you as a core maintainer.

Now, only a few pages of this required reading left to go and then it’s time to work on that lengthy todo list … it’s go time!

It’s been a long road and exactly five years (35 releases) since the much discussed and highly controversial PHP directive register_globals has been disabled by default in PHP. After sifting through the mailing list archives, the following set of information has been compiled. Feel free to make additions, corrections, and report register_globals memories!

First, a few tidbits

• As of today, April 22, 2007, register_globals has been disabled (by default) for five years. That’s when PHP 4.2.0 was released.
• PHP 3 did not have register_globals because it was simply how PHP behaved. However, some people used $HTTP_*_VARS if track_vars was on (it was on by default, and always on since PHP 4.0.3).
• You cannot set register_globals at runtime, and there have been at least 100 [deleted] user comments within the manual showing hacks how. This FAQ shows how. Don’t do it though.
• The order variables are registered via register_globals is determined by variables_order, a directive that also affects which variables (including superglobals) will exist in PHP. Don’t let the name fool you, this is one powerful PHP directive! In PHP 3, gpc_order was used instead.
• Most “Why PHP is insecure” articles show how to write insecure code with register_globals = on, and eventually register_globals (not poor programming) is blamed as the culprit. It rarely is.
• Strangely the 4.2.0 release announcement does not contain the string “register_globals” but of course it refers to it, and is highlighted in the ChangeLog.
• There’s plenty of code within cvsold.php.net that requires register_globals = on but that’s okay because it’s not a big concern. It however is slowly being updated.

A somewhat brief timeline

Continue reading A brief unofficial history about register_globals in PHP

Yesterday while documenting that PHP 6 deprecates $string{42} in favor of $string[42] I stumbled upon a comment within the PHP Manual XML sources, and here it is in its entirety:

<!-- maybe it's better to leave this out?? 
// this works, but i disencourage its use, since this is NOT 
// involving functions, rather than mere variables, arrays and objects.
$beer = 'Heineken';
echo "I'd like to have another {${ strrev('reeb') }}, hips";
 -->

The thought of a function being called from within a string (without eval()) seems a little odd, doesn’t it? Well, the above code in fact works. Not sure how useful it is but likely someone will find a creative use or two. The internals team generally feels that the behavior isn’t worth documenting as it’s simply an ugly and poor coding style BUT, maybe you’ll see it (the “{${ func() }}” syntax) on a PHP exam somewhere so now you know… :-)

History: This information was added within a patch titled “Added jeroen’s updates” by Damien Seguy apparently for Jeroen van Wolffelaar on the date Thu May 10 18:01:04 2001 UTC.

Update (April 20, 2007): A few days ago Jani demonstrated a simpler example for these variable functions:

$exec = ‘shell_exec’;

$cmd = ‘ls -l’;

echo “This is embedded exec: {$exec($cmd)}”;