Keith Devens .com


Tuesday, December 11, 2001

Entry 1070

Big news! PHP 4.1.0 has been released! Read the full announcement and check out the changelog.

"As some of you may notice, this version is quite historical, as it's
the first time in history we actually incremented the middle digit! :)
The two key reasons for this unprecedented change were the new input
interface, and the broken binary compatibility of modules due to the
versioning support."

Hey, cool: "Added optional second parameter to trim, chop and ltrim. You can now specify which characters to trim (jeroen)" - I could have just used this. :)

Of course, the biggest change is the "new input interface" they referred to above. In case you're not familiar with PHP, PHP has an ini setting called "register_globals" that makes any data passed to your script through the environment, GET, POST, cookie, or session automatically available as a global variable in your script. This allows for security holes like the one they cite:

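<?php
// $authenticated is never initialized, so with register_globals on,
// request data can define it before this check runs.
if (authenticate_user()) {
  $authenticated = true;
}
?>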

While it's been easy to plug these holes, you had to be aware that they exist, and most people didn't write secure PHP code. Actually, most PHP coders seem to be amateur programmers. And Adam's right, inexperienced is a better word.

Anyway, now in version 4.1.0 they've added new global variables to use and deprecated the old "register_globals" behavior. Instead of all variables that come into your script being global, you now have $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_SESSION, and $_REQUEST. They did it somewhat logically:

1. They provided $_REQUEST. I didn't know ahead of time that this was going to exist, and was worried that I'd have to specify $_GET or $_POST from now on.
2. $_REQUEST doesn't have session data in it. If they had included the session data in it, they would have wound up not improving security at all.
3. If you put a value in $_SESSION, it implicitly calls session_register(). Nice feature!
4. All of those variables are automatically available everywhere, so now we don't have to say 'global $whatever' or '$GLOBALS["whatever"]' anymore to make form variables available to functions.
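The difference between the two input models, as an added example that is not from the PHP announcement or this weblog: `extract()` stands in for `register_globals` (which current PHP no longer has), and the body of `authenticate_user()`, the demo password and the sample requests are constructed for illustration.

```php
<?php
// Added illustration. The password, helper bodies and sample requests
// are constructed; extract() emulates register_globals = On.

function authenticate_user(array $input): bool
{
    // Hypothetical credential check against a fixed demo password.
    $password = $input['password'] ?? '';
    return is_string($password) && hash_equals('demo-password', $password);
}

function legacy_page(array $request): bool
{
    // Every request key becomes a variable of the same name.
    extract($request);
    if (authenticate_user($request)) {
        $authenticated = true;
    }
    // Never initialised to false, so request data can define it first.
    return !empty($authenticated);
}

function superglobal_page(): bool
{
    // Request data is only reachable through $_POST; locals start clean.
    $authenticated = false;
    if (authenticate_user($_POST)) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed sample requests (form fields as PHP would parse them).
$samples = [
    'correct password'       => ['password' => 'demo-password'],
    'wrong password'         => ['password' => 'guess'],
    'wrong password + extra' => ['password' => 'guess', 'authenticated' => '1'],
];

foreach ($samples as $label => $fields) {
    $_POST = $fields; // populate the superglobal as the web SAPI would
    printf("%-24s legacy=%s superglobal=%s\n", $label,
        var_export(legacy_page($fields), true),
        var_export(superglobal_page(), true));
}
```

The two versions disagree only on the third request, where an unexpected form field shares its name with the trust flag.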

But I'm very annoyed at the beginning underscore, and that these variables are uppercase. These variables will be used so much that it's going to be a headache to type them. Consequently, PHP has just become somewhat less fun. Worst of all, I now like ASP's method of data acquisition better than PHP's. Request.Form("blah") or Request("blah"). No underscore, no dollar sign, and no all caps! I can even type it all lowercase if I want to if I'm using VBScript as my "active scripting language".

And I missed the day flip on this post. I was trying to get it in for Monday but missed by 35 seconds!

Hey, did anyone notice that the PHP logo at the top left on php.net has a little snow cap on it? And that there's a little green line under the PHP acronym in the upper left? After inspecting the source, it turns out it's done with the <acronym> tag, which I didn't even remember existed. It's neat to see that it's supported in IE, Opera, and Mozilla, and that the browsers actually do something with it. And it even looks consistent across browsers. Neat.
