Slashdot Mirror


Changes In Store For PHP V6

An anonymous reader sends in an IBM DeveloperWorks article detailing the changes coming in PHP V6 — from namespaces, to Web 2.0 built-ins, to a few features that are being removed.

4 of 368 comments

  1. Re:Is this really news? by chromatic · Score: 4, Funny

    PHP doesn't have any weird syntax... It's just a really clean, lightweight OO language.... as a language, it ... isn't a kitchen sink like Perl.

    Did you have to shower after writing this? Did you at least burn the keyboard?

  2. Re:Magic Quotes Removed by Just Some Guy · Score: 5, Funny

    So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?

    Of course not! Since no one has been stupid enough to directly insert submitted strings into SQL before sending it to the server for at least 5 years now, this won't affect any modern code in the slightest.

    --
    Dewey, what part of this looks like authorities should be involved?
  3. Re:Is this really news? by chromatic · Score: 3, Funny

    It's the only way to be sure.

  4. Re:Magic Quotes Removed by 615 · Score: 3, Funny

    Actually, undoing magic_quotes is quite a bit more involved. Some things to consider:

    • magic_quotes affects more than just GET, POST and cookie data
    • GPC data may contain arrays
    • magic_quotes doesn't process the keys of top-level arrays

    Here's an excerpt from my personal library that addresses these issues and more. It works in PHP 4+ (I forget which minor version). Just give me some credit if you use it!

    // magic_quotes_runtime is _like_ magic_quotes_gpc/sybase, except that it
    // applies to return data (from functions)
    ini_set('magic_quotes_runtime', '0');

    // magic_quotes_gpc/sybase cannot be preempted like magic_quotes_runtime; if
    // either is enabled, the damage is already done
    if (ini_get('magic_quotes_gpc') === '1' || ini_get('magic_quotes_sybase') === '1') {
        /**
         * @author Adam Siler <amsiler@icglp.com>
         * @param mixed $value
         * @param bool $top
         * @return mixed
         */
        function undo_magic_quotes($value, $top = true) {
            // unescape strings
            if (is_string($value)) {
                // stripslashes is magic_quotes_sybase-aware
                return stripslashes($value);
            }
            // recurse into arrays
            elseif (is_array($value)) {
                // as described here: <http://us.php.net/manual/en/security.magicquotes.disabling.php#71817>,
                // magic_quotes_gpc (sybase?) does not escape the keys of top-level
                // arrays

                $unescaped_array = array();

                foreach ($value as $key => $array_value) {
                    if (!$top) {
                        $key = stripslashes($key);
                    }

                    $unescaped_array[$key] = undo_magic_quotes($array_value, false);
                }

                return $unescaped_array;
            }
            // return other values unaltered
            else {
                return $value;
            }
        }

        $_GET = undo_magic_quotes($_GET);
        $_POST = undo_magic_quotes($_POST);
        $_COOKIE = undo_magic_quotes($_COOKIE);
        $_REQUEST = undo_magic_quotes($_REQUEST);
        $_ENV = undo_magic_quotes($_ENV);
        // etc.

        // other scripts may check the value of magic_quotes_gpc or
        // magic_quotes_sybase and conclude, incorrectly, that GPC data is escaped.
        // this should fix that
        ini_set('magic_quotes_gpc', '0');
        ini_set('magic_quotes_sybase', '0');
    }
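
An added example, not part of any comment above: once magic quotes are removed or undone as in the "Magic Quotes Removed" comments, request values reach the application raw, so the query itself has to keep data out of the SQL text. The sketch below puts a concatenated query beside a bound-parameter one on constructed inputs. It assumes PHP 7.1+ with the pdo_sqlite extension; the table, columns and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the table, columns and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('root', 1)");

// Before: the request value is concatenated into the SQL text. With
// magic_quotes_gpc gone, nothing separates the input from the SQL parser.
function find_user_concat(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the value travels as a bound parameter and is never parsed as SQL,
// so it needs no escaping and is stored without stray backslashes.
function find_user_bound(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function add_user_bound(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO users (name, is_admin) VALUES (:name, 0)');
    $stmt->execute([':name' => $name]);
}

// A legitimate name containing a quote, stored verbatim.
add_user_bound($db, "O'Brien");

// Constructed inputs, as they arrive once magic quotes are off or undone.
$inputs = ['alice', "O'Brien", "x' OR '1'='1"];
foreach ($inputs as $raw) {
    try {
        $concat = json_encode(find_user_concat($db, $raw));
    } catch (PDOException $e) {
        // The concatenated query breaks on an ordinary apostrophe.
        $concat = 'SQL error';
    }
    $bound = json_encode(find_user_bound($db, $raw));
    printf("%-16s concat: %-28s bound: %s\n", $raw, $concat, $bound);
}
```

The concatenated query fails on the legitimate apostrophe and returns every row for the third input, while the bound query matches only the literal string in each case.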