PHP 4.1.0 Release announcement PHP 4.1.0 published notice (1) After a lengthy QA process, PHP 4.1.0 was finally out. Download at http://www.php.net/downloads.php! PHP 4.1.0 includes several other key improvements:-A new input interface for improved security (read below) an interface to improve security Full-highly improved performance in general greatly improves performance-revolutionary performance and stability improvements under Windows. The multithreaded server modules under Windows (ISAPI, Apache, etc) perform as much as times faster under load! We want to thank Brett Brewer and its team in Microsoft for working with us to improve PHP for Windows. Revolutionary performance and stability under Windows. Multi-threaded server modules provide up to 30 times times faster performance. -Versioning support for extensions. Right-it barely being used, but the infrastructure is put in place-to-support separate version numbers for different Extensions. The negative side effect is that loading extensions, were built against old versions of PHP'll now result in a crash , instead of a nice clear message. Make sure Only use extensions built with PHP 4.1.0. Extended translation support, which is now rarely used, but an extension that lays out the infrastructure to support some different version numbers. The downside is that he and the old version of the Extension module conflict. You need to identify the extension module that uses the php4.1.0. -Turn-key output compression support supports Turn-key export compression-*lots* of fixes and new functions fixes a number of places and adds many functions. As some of notice, this version was quite historical, as its the first time in history we actually incremented the Middle digit! :) The key reasons for this unprecedented change were the new input interface, and the broken binary compatibility of MoD Ules due to the versioning support. {NOT read!! Oh! Later read again translation} Following is a description of the new input mechanism. For a full list of changes in PHP 4.1.0, scroll the end of the This section. The following is a description of the new input mechanism. For a complete list of changes, see the following-----------------------------------security:new input mechanism security: new input mechanism first and foremost, its important To stress this regardless of anything you could read in the following lines, PHP 4.1.0 *supports* the old input mechanisms From older versions. Old applications should go on working Fine without modification! First and foremost, it is important to emphasize that enough attention is given to the following. PHP 4.1.0 supports the old input mechanism. The old application can still run without modification. Now the We have this behind us, lets move on:) Below is the content for various reasons, PHP setups which rely on register_globals being on (i.e., on form, server and Environment Varia Bles becoming a part of the global namespace, automatically) is very often exploitable to various degrees. For example, the piece of code: Due to various reasons, PHP needs to set Register_globlas on (such as in the order, server, environment variables automatically become part of the global namespace), they are often disturbed by varying degrees. Here's a piece of code: May is exploitable, as remote users can simply pass on authenticated as a form variable, and then even if Authenticate_us ER () returns false, $authenticated would actually is set to true. While the this looks-a simple example, in reality, quite a few PHP applications ended up being exploitable by things RelA Ted to this misfeature. The authenticated variable can be passed through the form to deceive, even if Authenticate_user () returns false, $authenticated is still set to true. This is just a very simple example, in fact, quite a few programs are spoofed by similar error characteristics while it's quite possible to write secure code in PHP, we felt the fact That PHP makes it too easy to write insecure code is bad, and Weve decided to attempt a far-reaching change, and Depreca Te register_globals. Obviously, because the vast majority of the PHP code in the world relies on the existence of this feature and we have no plan s to actually remove it from PHP anytime in the foreseeable future, but Weve decided to encourage people to shut it off WH Enever possible. Of course, it's perfectly possible to write safe PHP code, and we think in fact that PHP makes writing unsafe code very easy is a very bad thing. We decided to try a far-reaching change. Against Register_globals. Obviously, because most of the code relies on this feature, we have no way to actually delete it at some point in the future. But we decided to encourage people to turn it off. Help users build PHP applications with register_globals being off, Weve added several new special VARIABL Es that can is used instead of the old global variables. There is 7 new special arrays: In order to help users create PHP applications in case of register_globals off, we have added some new special variables to replace the old global variables. They are 7 new special arrays: $_get-contains form variables sent through get contains variables that are sent by Get $_post-contains form variables sent through The post contains variables sent through post $_cookie-contains HTTP cookie variables contains the HTTP cookie variable $_server-contains SERVER variables (E. G., REMOTE_ADDR) contains server variables (such as REMOTE_ADDR) $_env-contains The environment variables contains environment variables $_request-a merge of the GET variables, POST variables and Cookie variables. In other Words-all the information are coming from the user, and that from a security point of view, cannot be trust Ed. is a collection of Get/post/cookie variables, that is, all the information from the user and the security form. But from a security point of view, they cannot be trusted. $_session-contains HTTP Variables Registered By the session module contains all the session modules registered HTTP variables now, and other than the fact that these variables contain this special Informat Ion, theyre also special in another Way-theyre automatically global in any scope. This means so you can access them anywhere, without have to global them first. For example: Now, in fact, these variables contain special information, and they are also automatic global variables in any environment. That means you can access them from anywhere, without having to make them global. For example: function example1 () {print $_get["name"];//works, global $_get; is not necessary!//does not need to declare $_get is a global variable} would work fine! We hope that this fact would ease the pain of migrating old code to new code a bit, and were confident it going to make W Riting new code easier. Another neat trick is this creating new entries in the $_session array would automatically register them as SESSION variabl ES, as if you called Session_register (). This trick was limited to the session module Only-for example, setting new entries in $_env would *not* perform an Implici T putenv (). It works very well. We hope that this will make it easier to migrate old code, and we are sure it will make it easier to write new code. Another trick is to create a new $_sesSION array entries are automatically registered as session B variables, as if they were called session_register (). This trick is only available for session modules. For example, setting a new $_env entry does not imply the execution of putenv (). PHP 4.1.0 still defaults to has register_globals set to on. Its a transitional version, and we encourage application authors, especially public ones which is used by a wide audience , to the change their applications to work in a environment where register_globals is set to OFF. Of course, they should take advantage of the new features supplied in PHP 4.1.0 that make this transition much easier. PHP 4.1.0 Default or set Register_globals to ON, she is the transition version, our program is done, especially widely accepted, to change their application, so that the register_globals can also work. Of course, they need to use the new features of PHP 4.1.0 to make the conversion easier. As of the next semi-major version of PHP, new installations of PHP would default to have register_globals set to off. No worries! Existing installations, which already had a php.ini file that had register_globals set to on, would not be affected. If you install PHP in a brand new machine (typically, if youre a brand new user), would this AFFECT too-you can turn it on if you choose to. In the next incomplete version force, the register_globals will be set to off. Do not worry, has been installed, php.ini inside has been set register_globals for on, will not be affected. Only if you install PHP as a new machine (usually a new user) will affect you, you can choose to open it. Note:some of these arrays had old names, e.g. $HTTP _get_vars. These names still work, but we encourage users to switch to the new shorter, and auto-global versions. Note: Several of these arrays have old names, such as $HTTP _g
http://www.bkjia.com/PHPjc/532219.html www.bkjia.com true http://www.bkjia.com/PHPjc/532219.html techarticle PHP 4.1.0 Release announcement PHP 4.1.0 published notice (1) After a lengthy QA process, PHP 4.1.0 was finally out. Download at http://www.php.net/downloads.php! PHP 4.1.0 includes SEv ...
