PHP 4.1.0 Release Announcement PHP 4.1.0 出版公告(1) After a lengthy QA process, PHP 4.1.0 is finally out. Download at http://www.php.net/downloads.php ! PHP 4.1.0 includes several other key improvements: - A new input interface for improved security (read below) 一個新的輸入介面來提高安全性 - Highly improved performance in general 極大提高了效能 - Revolutionary performance and stability improvements under Windows. The multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as much as 30 times faster under load! We want to thank Brett Brewer and his team in Microsoft for working with us to improve PHP for Windows. Windows 下革命性的效能和穩定性。多線程伺服器模組提供了快30倍的效能。 - Versioning support for extensions. Right now its barely being used, but the infrastructure was put in place to support separate version numbers for different extensions. The negative side effect is that loading extensions that were built against old versions of PHP will now result in a crash, instead of in a nice clear message. Make sure you only use extensions built with PHP 4.1.0. 擴充翻譯支援,現在他還很少用到,但是放置了基礎構造來支援某些不同版本號碼的擴充模組。負面影響是他和老版本的擴充模組衝突。你需要確定使用了 php4.1.0的擴充模組。 - Turn-key output compression support 支援 Turn-key 輸出壓縮 - *LOTS* of fixes and new functions 修正了很多地方,增加了許多函數。 As some of you may notice, this version is quite historical, as its the first time in history we actually incremented the middle digit! :) The two key reasons for this unprecedented change were the new input interface, and the broken binary compatibility of modules due to the versioning support. {沒看懂!!呵呵!以後看懂了再翻譯} Following is a description of the new input mechanism. For a full list of changes in PHP 4.1.0, scroll down to the end of this section. 下面是新的輸入機制的描述。完整的更改列表請看後面 ----------------------------------- SECURITY: NEW INPUT MECHANISM 安全:新的輸入機制 First and foremost, its important to stress that regardless of anything you may read in the following lines, PHP 4.1.0 *supports* the old input mechanisms from older versions. Old applications should go on working fine without modification! 首先,也是最重要的,必須強調對下面內容足夠重視是非常重要的。php 4.1.0 支援舊的輸入機制。老的應用程式仍然可以運行,不用修改。 Now that we have that behind us, lets move on :) 下面是內容 For various reasons, PHP setups which rely on register_globals being on (i.e., on form, server and environment variables becoming a part of the global namespace, automatically) are very often exploitable to various degrees. For example, the piece of code: 由於各種原因,PHP需要設定 register_globlas ON(例如在標單,伺服器,環境變數自動成為全域命名空間的一部分),他們經常被不同程度的幹擾。下面是一段代碼: May be exploitable, as remote users can simply pass on authenticated as a form variable, and then even if authenticate_user() returns false, $authenticated will actually be set to true. While this looks like a simple example, in reality, quite a few PHP applications ended up being exploitable by things related to this misfeature. 可以通過表單裡面傳送 authenticated 變數來欺騙,即使 authenticate_user()返回false,$authenticated 仍然被設定為true.這隻是一個非常簡單的例子,實際上,相當多的程式被類似的錯誤特性欺騙 While it is quite possible to write secure code in PHP, we felt that the fact that PHP makes it too easy to write insecure code was bad, and weve decided to attempt a far-reaching change, and deprecate register_globals. Obviously, because the vast majority of the PHP code in the world relies on the existence of this feature, we have no plans to actually remove it from PHP anytime in the foreseeable future, but weve decided to encourage people to shut it off whenever possible. 當然,完全可以書寫安全的PHP代碼,我們覺得事實上,PHP使得書寫不安全的程式碼變得非常容易是非常糟糕的事情。我們決定嘗試一個 far-reaching 改變。反對 register_globals.很顯然,由於多數代碼依賴於這個特徵,我們沒有辦法在將來的某個時刻真正刪除它。但是我們決定鼓勵人們關閉它 To help users build PHP applications with register_globals being off, weve added several new special variables that can be used instead of the old global variables. There are 7 new special arrays: 為了在關閉 register_globals 情況下協助使用者建立 PHP 應用程式,我們增加了一些新的特殊變數來代替老的全域變數使用。他們是7個新的特殊數組: $_GET - contains form variables sent through GET 包含著通過GET發來的變數 $_POST - contains form variables sent through POST 包含著通過POST發送來的變數 $_COOKIE - contains HTTP cookie variables 包含著HTTP cookie 的變數 $_SERVER - contains server variables (e.g., REMOTE_ADDR) 包含著伺服器變數(如 REMOTE_ADDR) $_ENV - contains the environment variables 包含著環境變數 $_REQUEST - a merge of the GET variables, POST variables and Cookie variables. In other words - all the information that is coming from the user, and that from a security point of view, cannot be trusted. 是 GET/POST/Cookie 變數的集合,也就是說,所有的來自使用者和安全表單的資訊。但是從安全形度來看,不能夠信任它們。 $_SESSION - contains HTTP variables registered by the session module 包含著所有session模組註冊的HTTP變數 Now, other than the fact that these variables contain this special information, theyre also special in another way - theyre automatically global in any scope. This means that you can access them anywhere, without having to global them first. For example: 現在,事實上這些變數包含著特殊的資訊,他們在任何環境下同樣是自動的全域變數。也就是說你可以在任何地方存取他們,不需要全域化他們。例如: function example1() { print $_GET["name"]; // works, global $_GET; is not necessary! //不需要聲明 $_GET 是全域變數 } would work fine! We hope that this fact would ease the pain in migrating old code to new code a bit, and were confident its going to make writing new code easier. Another neat trick is that creating new entries in the $_SESSION array will automatically register them as session variables, as if you called session_register(). This trick is limited to the session module only - for example, setting new entries in $_ENV will *not* perform an implicit putenv(). 啟動並執行很好。我們希望這個情況可以使得舊代碼移植能夠容易一些,我們確信它能使書寫新代碼更容易。另外一個竅門是建立新的 $_SESSION 數組入口會自動註冊他們為session b變數,就好像調用 session_register()一樣。這個竅門僅適用於 session 模組。例如,設定新的 $_ENV 入口不會隱含執行 putenv()。 PHP 4.1.0 still defaults to have register_globals set to on. Its a transitional version, and we encourage application authors, especially public ones which are used by a wide audience, to change their applications to work in an environment where register_globals is set to off. Of course, they should take advantage of the new features supplied in PHP 4.1.0 that make this transition much easier. PHP 4.1.0 預設還是設定 register_globals 為On,她是過渡版本,我們程式做著,特別是被廣泛接受的,改變他們的應用程式,使得在 register_globals 為 off 情況下也能工作。當然,他們需要使用 PHP 4.1.0 的新特徵來使得轉換更容易些。 As of the next semi-major version of PHP, new installations of PHP will default to having register_globals set to off. No worries! Existing installations, which already have a php.ini file that has register_globals set to on, will not be affected. Only when you install PHP on a brand new machine (typically, if youre a brand new user), will this affect you, and then too - you can turn it on if you choose to. 在下一個不完全版本力,將會魔人設定 register_globals 為off.不用擔心,已經安裝好的,php.ini 裡面已經設定 register_globals 為on 的,不會受到影響。只有在你安裝php為一個新機器時(一般是一個新使用者)才會影響你,你可以選擇開啟它。 Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names still work, but we encourage users to switch to the new shorter, and auto-global versions. 注意:這些數組中的幾個有老的名字,例如 $HTTP_G
http://www.bkjia.com/PHPjc/532219.htmlwww.bkjia.comtruehttp://www.bkjia.com/PHPjc/532219.htmlTechArticlePHP 4.1.0 Release Announcement PHP 4.1.0 出版公告(1) After a lengthy QA process, PHP 4.1.0 is finally out. Download at http://www.php.net/downloads.php ! PHP 4.1.0 includes sev...
