Remove obsolete PHP 5 related info from ini.core and related pages

Christoph M. Becker 2021-02-24 14:32:08 +01:00
parent 0eaef37f83
commit 3e08a8aae6
14 changed files with 71 additions and 1006 deletions

View file

@ -36,12 +36,6 @@
<entry>PHP_INI_PERDIR</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.asp-tags">asp_tags</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Removed in PHP 7.0.0.</entry>
</row>
<row>
<entry><link linkend="ini.precision">precision</link></entry>
<entry>"14"</entry>
@ -53,22 +47,9 @@
<entry>"-1"</entry>
<entry>PHP_INI_ALL</entry>
<entry>
Before PHP 5.3.6, the default value was 100.
Before PHP 7.1.0, the default value was 17.
Prior to PHP 7.1.0, the default value was 17.
</entry>
</row>
<row>
<entry><link linkend="ini.y2k-compliance">y2k_compliance</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.allow-call-time-pass-reference">allow_call_time_pass_reference</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.disable-functions">disable_functions</link></entry>
<entry>""</entry>
@ -85,7 +66,7 @@
<entry><link linkend="ini.exit-on-timeout">exit_on_timeout</link></entry>
<entry>""</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.3.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.expose-php">expose_php</link></entry>
@ -97,49 +78,43 @@
<entry><link linkend="ini.hard-timeout">hard_timeout</link></entry>
<entry>"2"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 7.1.0.</entry>
<entry>Available as of PHP 7.1.0.</entry>
</row>
<row>
<entry><link linkend="ini.zend.exception-ignore-args">zend.exception_ignore_args</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 7.4.0</entry>
<entry>Available as of PHP 7.4.0</entry>
</row>
<row>
<entry><link linkend="ini.zend.multibyte">zend.multibyte</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.4.0</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend.script-encoding">zend.script_encoding</link></entry>
<entry>NULL</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.4.0</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend.detect-unicode">zend.detect-unicode</link></entry>
<entry><link linkend="ini.zend.detect-unicode">zend.detect_unicode</link></entry>
<entry>NULL</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.4.0</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend.signal-check">zend.signal_check</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.4.0</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend.assertions">zend.assertions</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_ALL with restrictions</entry>
<entry>Available since PHP 7.0.0.</entry>
</row>
<row>
<entry>detect_unicode</entry>
<entry>"1"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.1.0. Renamed to <link linkend="ini.zend.detect-unicode">zend.detect-unicode</link> from PHP 5.4.0.</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
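Review bot: The zend.assertions row loses its "Available since PHP 7.0.0." note here, although the commit is scoped to PHP 5 information and the hard_timeout (7.1.0) and zend.exception_ignore_args (7.4.0) rows in the same hunk keep theirs, reworded to "Available as of". If 7.0.0 is deliberately treated as the documentation baseline, say so in the commit message; otherwise keep the entry as "Available as of PHP 7.0.0." The reworded zend.exception_ignore_args entry also lacks the trailing period that the hard_timeout entry has.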
@ -167,54 +142,13 @@
</para>
<note>
<para>
This directive also affected the shorthand
<userinput>&lt;?=</userinput> before PHP 5.4.0,
which is identical to <userinput>&lt;? echo</userinput>. Use of this
shortcut required <systemitem role="directive">short_open_tag</systemitem>
to be on.
Since PHP 5.4.0, <userinput>&lt;?=</userinput> is always available.
This directive does not affect the shorthand
<userinput>&lt;?=</userinput>, which is always available.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.asp-tags">
<term>
<parameter>asp_tags</parameter>
<type>bool</type>
</term>
<listitem>
<simpara>
Enables the use of ASP-like &lt;% %&gt; tags in addition to
the usual &lt;?php ?&gt; tags. This includes the
variable-value printing shorthand of &lt;%= $value %&gt;. For
more information, see <link
linkend="language.basic-syntax.phpmode">Escaping from HTML</link>.
</simpara>
<para>
<table>
<title>Changelog for <literal>asp_tags</literal></title>
<tgroup cols="2">
<thead>
<row>
<entry>&Version;</entry>
<entry>&Description;</entry>
</row>
</thead>
<tbody>
<row>
<entry>7.0.0</entry>
<entry>
Removed from PHP.
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.precision">
<term>
<parameter>precision</parameter>
@ -243,79 +177,6 @@
</listitem>
</varlistentry>
<varlistentry xml:id="ini.y2k-compliance">
<term>
<parameter>y2k_compliance</parameter>
<type>bool</type>
</term>
<listitem>
<simpara>
Enforce year 2000 compliance (will cause problems with non-compliant browsers)
</simpara>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.allow-call-time-pass-reference">
<term>
<parameter>allow_call_time_pass_reference</parameter>
<type>bool</type>
</term>
<listitem>
<para>
Whether to warn when arguments are passed by reference at function call time.
The encouraged method of specifying which arguments should be passed by
reference is in the function declaration. You're encouraged to try and turn
this option Off and make sure your scripts work properly with it in order to
ensure they will work with future versions of the language (you will receive
a warning each time you use this feature).
</para>
<para>
Passing arguments by reference at function call time was deprecated for
code-cleanliness reasons. A function can modify its arguments in an
undocumented way if it didn't declare that the argument shall be passed by
reference. To prevent side-effects it's better to specify which
arguments are passed by reference in the function declaration only.
</para>
<para>
See also <link linkend="language.references">References Explained</link>.
</para>
<para>
<table>
<title>Changelog for <literal>allow_call_time_pass_reference</literal></title>
<tgroup cols="2">
<thead>
<row>
<entry>&Version;</entry>
<entry>&Description;</entry>
</row>
</thead>
<tbody>
<row>
<entry>5.4.0</entry>
<entry>
Removed from PHP.
</entry>
</row>
<row>
<entry>5.3.0</entry>
<entry>
Emits an <constant>E_DEPRECATED</constant> level error.
</entry>
</row>
<row>
<entry>5.0.0</entry>
<entry>
Deprecated, and generates an <constant>E_COMPILE_WARNING</constant> level error.
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.expose-php">
<term>
<parameter>expose_php</parameter>
@ -325,23 +186,6 @@
<para>
Exposes to the world that PHP is installed on the server, which includes the
PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.7).
Prior to PHP 5.5.0 the PHP logo guids are also exposed, thus appending them
to the URL of your PHP script would display the appropriate logo
(e.g., <link xlink:href="&url.php;?=PHPE9568F34-D428-11d2-A769-00AA001ACF42">&url.php;?=PHPE9568F34-D428-11d2-A769-00AA001ACF42</link>).
This also affected the output of <function>phpinfo</function>, as when disabled, the PHP logo
and credits information would not be displayed.
</para>
<note>
<para>
Since PHP 5.5.0 these guids and the <function>php_logo_guid</function> function
have been removed from PHP and the guids are replaced with data URIs instead.
Thus accessing the PHP logo via appending the guid to the URL no longer works.
Similarly, turning <parameter>expose_php</parameter> off will not affect
seeing the PHP logo in <function>phpinfo</function>.
</para>
</note>
<para>
See also <function>php_logo_guid</function> and <function>phpcredits</function>.
</para>
</listitem>
</varlistentry>
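Review bot: The retained example in the expose_php description still reads "X-Powered-By: PHP/5.3.7", which is the kind of PHP 5 reference this commit sets out to remove. Since the paragraph is being edited anyway, replace the version in the example with a current one so the text that explains the version disclosure does not itself advertise an obsolete release.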
@ -537,7 +381,7 @@
<entry><link linkend="ini.memory-limit">memory_limit</link></entry>
<entry>"128M"</entry>
<entry>PHP_INI_ALL</entry>
<entry>"8M" before PHP 5.2.0, "16M" in PHP 5.2.0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -560,14 +404,6 @@
scripts for eating up all available memory on a server. Note that
to have no memory limit, set this directive to <literal>-1</literal>.
</para>
<para>
Prior to PHP 5.2.1, in order to use this directive it had to
be enabled at compile time by using
<option role="configure">--enable-memory-limit</option> in the
configure line. This compile-time flag was also required to define
the functions <function>memory_get_usage</function> and
<function>memory_get_peak_usage</function> prior to 5.2.1.
</para>
&ini.shorthandbytes;
@ -599,13 +435,13 @@
<entry><link linkend="ini.realpath-cache-size">realpath_cache_size</link></entry>
<entry>"4M"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.1.0. Prior to PHP 7.0.16 and 7.1.2, the default was <literal>"16K"</literal></entry>
<entry>Prior to PHP 7.0.16 and 7.1.2, the default was <literal>"16K"</literal></entry>
</row>
<row>
<entry><link linkend="ini.realpath-cache-ttl">realpath_cache_ttl</link></entry>
<entry>"120"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.1.0.</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -691,25 +527,19 @@
<entry><link linkend="ini.variables-order">variables_order</link></entry>
<entry>"EGPCS"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>PHP_INI_ALL in PHP &lt;= 5.0.5.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.request-order">request_order</link></entry>
<entry>""</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Available since PHP 5.3.0</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.auto-globals-jit">auto_globals_jit</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Available since PHP 5.0.0.</entry>
</row>
<row>
<entry><link linkend="ini.register-globals">register_globals</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Removed in PHP 5.4.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.register-argc-argv">register_argc_argv</link></entry>
@ -717,17 +547,11 @@
<entry>PHP_INI_PERDIR</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.register-long-arrays">register_long_arrays</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Deprecated in PHP 5.3.0. Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.enable-post-data-reading">enable_post_data_reading</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Available since PHP 5.4.0</entry>
<entry>Available as of PHP 5.4.0</entry>
</row>
<row>
<entry><link linkend="ini.post-max-size">post_max_size</link></entry>
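Review bot: The enable_post_data_reading row keeps a PHP 5 availability note, only reworded to "Available as of PHP 5.4.0", while the other 5.x availability notes in this file (for example request_order and auto_globals_jit in the previous hunk) are replaced with an empty entry. Replace this one with an empty entry as well, unless it is kept on purpose.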
@ -757,13 +581,25 @@
<entry><link linkend="ini.default-charset">default_charset</link></entry>
<entry>"UTF-8"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Defaults to "UTF-8" since PHP &gt;= 5.6.0; empty for PHP &lt; 5.6.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Removed in PHP 7.0.0.</entry>
<entry><link linkend="ini.input-encoding">input_encoding</link></entry>
<entry>""</entry>
<entry>PHP_INI_ALL</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.output-encoding">output_encoding</link></entry>
<entry>""</entry>
<entry>PHP_INI_ALL</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.internal-encoding">internal_encoding</link></entry>
<entry>""</entry>
<entry>PHP_INI_ALL</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
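Review bot: The rows for input_encoding, output_encoding and internal_encoding are new table entries, which goes beyond what the commit message describes (removing obsolete PHP 5 information). Mention the addition in the commit message or split it into its own commit, and confirm that the linkend targets ini.input-encoding, ini.output-encoding and ini.internal-encoding resolve, since their xml:id lines are not part of this diff.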
@ -821,21 +657,6 @@
<varname>$_COOKIE</varname>. Setting to "" means no
&link.superglobals; will be set.
</para>
<para>
If the deprecated
<link linkend="ini.register-globals">register_globals</link>
directive is on, then variables_order also
configures the order the <literal>ENV</literal>,
<literal>GET</literal>, <literal>POST</literal>,
<literal>COOKIE</literal> and <literal>SERVER</literal> variables
are populated in global scope. So for example if variables_order
is set to <literal>"EGPCS"</literal>, register_globals is enabled,
and both <varname>$_GET['action']</varname> and
<varname>$_POST['action']</varname> are set, then
<varname>$action</varname> will contain the value of
<varname>$_POST['action']</varname> as <literal>P</literal> comes
after <literal>G</literal> in our example directive value.
</para>
<warning>
<para>
In both the CGI and FastCGI SAPIs,
@ -890,15 +711,6 @@
variables are not used within a script, having this directive on will
result in a performance gain.
</para>
<para>
The PHP directives
<link linkend="ini.register-globals">register_globals</link>,
<link linkend="ini.register-long-arrays">register_long_arrays</link>,
and <link linkend="ini.register-argc-argv">register_argc_argv</link>
must be disabled for this directive to have any affect. Since PHP
5.1.3 it is not necessary to have <link
linkend="ini.register-argc-argv">register_argc_argv</link> disabled.
</para>
<warning>
<para>
Usage of SERVER, REQUEST, and ENV variables is checked during the compile time
@ -910,43 +722,6 @@
</listitem>
</varlistentry>
<varlistentry xml:id="ini.register-globals">
<term>
<parameter>register_globals</parameter>
<type>bool</type>
</term>
<listitem>
<para>
Whether or not to register the EGPCS (Environment, GET,
POST, Cookie, Server) variables as global variables.
</para>
<para>
As of <link xlink:href="&url.php.release4.2.0;">PHP 4.2.0</link>,
this directive defaults to <emphasis>off</emphasis>.
</para>
<para>
Please read the security chapter on
<link linkend="security.globals">Using register_globals</link>
for related information.
</para>
<para>
Please note that <systemitem role="directive">register_globals</systemitem>
cannot be set at runtime (<function>ini_set</function>). Although, you can
use &htaccess; if your host allows it as described
above. An example &htaccess; entry:
<userinput>php_flag register_globals off</userinput>.
</para>
<note>
<para>
<systemitem role="directive">register_globals</systemitem> is affected
by the <link linkend="ini.variables-order">variables_order</link>
directive.
</para>
</note>
&warn.deprecated.feature-5-3-0.removed-5-4-0;
</listitem>
</varlistentry>
<varlistentry xml:id="ini.register-argc-argv">
<term>
<parameter>register_argc_argv</parameter>
@ -963,29 +738,6 @@
</listitem>
</varlistentry>
<varlistentry xml:id="ini.register-long-arrays">
<term>
<parameter>register_long_arrays</parameter>
<type>bool</type>
</term>
<listitem>
<simpara>
Tells PHP whether or not to register the deprecated long
<varname>$HTTP_*_VARS</varname> type
<link linkend="language.variables.predefined">predefined
variables</link>. When On (default), long predefined PHP
variables like <varname>$HTTP_GET_VARS</varname> will be defined.
If you're not using them, it's recommended to turn them off,
for performance reasons. Instead, use the superglobal arrays,
like <varname>$_GET</varname>.
</simpara>
<simpara>
This directive became available in PHP 5.0.0.
</simpara>
&warn.deprecated.feature-5-3-0.removed-5-4-0;
</listitem>
</varlistentry>
<varlistentry xml:id="ini.enable-post-data-reading">
<term>
<parameter>enable_post_data_reading</parameter>
@ -1137,7 +889,7 @@
</term>
<listitem>
<para>
In PHP 5.6 onwards, "UTF-8" is the default value and its value is used
"UTF-8" is the default value and its value is used
as the default character encoding for
<function>htmlentities</function>,
<function>html_entity_decode</function> and
@ -1175,7 +927,7 @@
</term>
<listitem>
<para>
Available from PHP 5.6.0. This setting is used for multibyte modules
This setting is used for multibyte modules
such as mbstring and iconv. Default is empty.
</para>
</listitem>
@ -1188,7 +940,7 @@
</term>
<listitem>
<para>
Available from PHP 5.6.0. This setting is used for multibyte modules
This setting is used for multibyte modules
such as mbstring and iconv. Default is empty.
</para>
</listitem>
@ -1201,42 +953,13 @@
</term>
<listitem>
<para>
Available from PHP 5.6.0. This setting is used for multibyte modules
This setting is used for multibyte modules
such as mbstring and iconv. Default is empty. If empty,
<link linkend="ini.default-charset">default_charset</link> is used.
</para>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.always-populate-raw-post-data">
<term>
<parameter>always_populate_raw_post_data</parameter>
<type>mixed</type>
</term>
<listitem>
&warn.deprecated.feature-5-6-0.removed-7-0-0;
<para>
If set to &true;, PHP will always populate the
<varname>$HTTP_RAW_POST_DATA</varname> containing the raw POST data.
Otherwise, the variable is populated only when the MIME type of the
data is unrecognised.
</para>
<para>
The preferred method for accessing raw POST data is
<link linkend="wrappers.php">php://input</link>, and
<varname>$HTTP_RAW_POST_DATA</varname> is deprecated in PHP 5.6.0
onwards. Setting <parameter>always_populate_raw_post_data</parameter>
to <literal>-1</literal> will opt into the new behaviour that will be
implemented in a future version of PHP, in which
<varname>$HTTP_RAW_POST_DATA</varname> is never defined.
</para>
<para>
Regardless of the setting, <varname>$HTTP_RAW_POST_DATA</varname> is
not available with <literal>enctype="multipart/form-data"</literal>.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
@ -1272,7 +995,7 @@
<entry><link linkend="ini.open-basedir">open_basedir</link></entry>
<entry>NULL</entry>
<entry>PHP_INI_ALL</entry>
<entry>PHP_INI_SYSTEM in PHP &lt; 5.3.0</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.doc-root">doc_root</link></entry>
@ -1290,13 +1013,13 @@
<entry><link linkend="ini.user-ini.cache-ttl">user_ini.cache_ttl</link></entry>
<entry>"300"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.3.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.user-ini.filename">user_ini.filename</link></entry>
<entry>".user.ini"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.3.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.extension-dir">extension_dir</link></entry>
@ -1316,59 +1039,41 @@
<entry>&php.ini; only</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend-extension-debug">zend_extension_debug</link></entry>
<entry>NULL</entry>
<entry>&php.ini; only</entry>
<entry>Available before PHP 5.3.0.</entry>
</row>
<row>
<entry><link linkend="ini.zend-extension-debug-ts">zend_extension_debug_ts</link></entry>
<entry>NULL</entry>
<entry>&php.ini; only</entry>
<entry>Available before PHP 5.3.0.</entry>
</row>
<row>
<entry><link linkend="ini.zend-extension-ts">zend_extension_ts</link></entry>
<entry>NULL</entry>
<entry>&php.ini; only</entry>
<entry>Available before PHP 5.3.0.</entry>
</row>
<row>
<entry><link linkend="ini.cgi.check-shebang-line">cgi.check_shebang_line</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.2.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.cgi.discard-path">cgi.discard_path</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.3.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.cgi.fix-pathinfo">cgi.fix_pathinfo</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>PHP_INI_ALL prior to PHP 5.2.1.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.cgi.force-redirect">cgi.force_redirect</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>PHP_INI_ALL prior to PHP 5.2.1.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.cgi.nph">cgi.nph</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.3.0.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.cgi.redirect-status-env">cgi.redirect_status_env</link></entry>
<entry>NULL</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>PHP_INI_ALL prior to PHP 5.2.1.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.cgi.rfc2616-headers">cgi.rfc2616_headers</link></entry>
@ -1380,13 +1085,13 @@
<entry><link linkend="ini.fastcgi.impersonate">fastcgi.impersonate</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>PHP_INI_ALL prior to PHP 5.2.1.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.fastcgi.logging">fastcgi.logging</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>PHP_INI_ALL prior to PHP 5.2.1.</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -1521,19 +1226,14 @@ include_path = ".:${USER}/pear/php"
</para>
<para>
The restriction specified with <option>open_basedir</option> is a
directory name since PHP 5.2.16 and 5.3.4. Previous versions used it
as a prefix. This means that "<literal>open_basedir
= /dir/incl</literal>" also allowed access to "<literal>/dir/include</literal>" and
"<literal>/dir/incls</literal>" if they exist. When you want to restrict access
to only the specified directory, end with a slash. For example:
<literal>open_basedir = /dir/incl/</literal>
directory name, not a prefix.
</para>
<para>
The default is to allow all files to be opened.
</para>
<note>
<para>
As of PHP 5.3.0 open_basedir can be tightened at run-time. This means
open_basedir can be tightened at run-time. This means
that if open_basedir is set to <literal>/www/</literal> in &php.ini;
a script can tighten the configuration to
<literal>/www/tmp/</literal> at run-time with
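Review bot: The replacement sentence "directory name, not a prefix." drops the worked example from the old text (open_basedir = /dir/incl against /dir/include and /dir/incls), and without it "not a prefix" is hard to interpret. Because this directive is a security boundary, consider keeping one short sentence stating that a value of /dir/incl does not permit access to /dir/include. In the note further down, the sentence now begins with a lowercase "open_basedir can be tightened"; wrapping the name in the option element, as the paragraph above does, would read better.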
@ -1644,46 +1344,6 @@ include_path = ".:${USER}/pear/php"
</listitem>
</varlistentry>
<varlistentry xml:id="ini.zend-extension-debug">
<term>
<parameter>zend_extension_debug</parameter>
<type>string</type>
</term>
<listitem>
<para>
Variant of <link linkend="ini.zend-extension">zend_extension</link>
for extensions compiled with debug info prior to PHP 5.3.0.
</para>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.zend-extension-debug-ts">
<term>
<parameter>zend_extension_debug_ts</parameter>
<type>string</type>
</term>
<listitem>
<para>
Variant of <link linkend="ini.zend-extension">zend_extension</link>
for extensions compiled with debug info and thread safety prior to PHP
5.3.0.
</para>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.zend-extension-ts">
<term>
<parameter>zend_extension_ts</parameter>
<type>string</type>
</term>
<listitem>
<para>
Variant of <link linkend="ini.zend-extension">zend_extension</link>
for extensions compiled with thread safety prior to PHP 5.3.0.
</para>
</listitem>
</varlistentry>
<varlistentry xml:id="ini.cgi.check-shebang-line">
<term>
<parameter>cgi.check_shebang_line</parameter>
@ -1881,13 +1541,13 @@ include_path = ".:${USER}/pear/php"
<entry><link linkend="ini.max-input-nesting-level">max_input_nesting_level</link></entry>
<entry>64</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Available since PHP 5.3.9.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.max-input-vars">max_input_vars</link></entry>
<entry>1000</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Available since PHP 5.3.9.</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.upload-max-filesize">upload_max_filesize</link></entry>
@ -1899,7 +1559,7 @@ include_path = ".:${USER}/pear/php"
<entry><link linkend="ini.max-file-uploads">max_file_uploads</link></entry>
<entry>20</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.2.12.</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -1998,7 +1658,7 @@ include_path = ".:${USER}/pear/php"
<entry><link linkend="ini.sql.safe-mode">sql.safe_mode</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_SYSTEM</entry>
<entry>Removed in PHP 7.2.0</entry>
<entry>Removed as of PHP 7.2.0</entry>
</row>
</tbody>
</tgroup>
@ -2051,7 +1711,7 @@ include_path = ".:${USER}/pear/php"
<entry><link linkend="ini.windows-show-crt-warning">windows.show_crt_warning</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.4.0.</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -2069,8 +1729,7 @@ include_path = ".:${USER}/pear/php"
</term>
<listitem>
<para>
This directive shows the Windows CRT warnings when enabled. These
warnings were displayed by default until PHP 5.4.0.
This directive shows the Windows CRT warnings when enabled.
</para>
</listitem>
</varlistentry>

View file

@ -24,12 +24,6 @@
</row>
</thead>
<tbody>
<row>
<entry><link linkend="ini.allow-call-time-pass-reference">allow_call_time_pass_reference</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.allow-url-fopen">allow_url_fopen</link></entry>
<entry>"1"</entry>
@ -42,12 +36,6 @@
<entry>PHP_INI_SYSTEM</entry>
<entry>Available since PHP 5.2.0. Deprecated as of PHP 7.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.arg-separator.input">arg_separator.input</link></entry>
<entry>"&amp;"</entry>
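Review bot: The context row just above the removed always_populate_raw_post_data entry still carries "Available since PHP 5.2.0. Deprecated as of PHP 7.4.0." The first half is the same kind of PHP 5 availability note that this commit strips from the core page; trim it to "Deprecated as of PHP 7.4.0." here, or state in the commit message that this file is only being cleaned of removed directives.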
@ -60,12 +48,6 @@
<entry>PHP_INI_ALL</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.asp-tags">asp_tags</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Removed in PHP 7.0.0.</entry>
</row>
<row>
<entry><link linkend="ini.assert.active">assert.active</link></entry>
<entry>"1"</entry>
@ -1871,18 +1853,6 @@
<entry>PHP_INI_PERDIR</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.register-globals">register_globals</link></entry>
<entry>"0"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Deprecated in PHP 5.3.0. Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.register-long-arrays">register_long_arrays</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_PERDIR</entry>
<entry>Deprecated in PHP 5.3.0. Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry><link linkend="ini.report-memleaks">report_memleaks</link></entry>
<entry>"1"</entry>
@ -2249,12 +2219,6 @@
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 5.5.0.</entry>
</row>
<row>
<entry><link linkend="ini.y2k-compliance">y2k_compliance</link></entry>
<entry>"1"</entry>
<entry>PHP_INI_ALL</entry>
<entry>Removed in PHP 5.4.0.</entry>
</row>
<row>
<entry>yami.response.timeout</entry>
<entry>"5"</entry>
@ -2315,24 +2279,6 @@
<entry>&php.ini; only</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend-extension-debug">zend_extension_debug</link></entry>
<entry>NULL</entry>
<entry>&php.ini; only</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend-extension-debug-ts">zend_extension_debug_ts</link></entry>
<entry>NULL</entry>
<entry>&php.ini; only</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zend-extension-ts">zend_extension_ts</link></entry>
<entry>NULL</entry>
<entry>&php.ini; only</entry>
<entry></entry>
</row>
<row>
<entry><link linkend="ini.zlib.output-compression">zlib.output_compression</link></entry>
<entry>"0"</entry>

View file

@ -45,10 +45,10 @@ B
</sect2>
<sect2 xml:id="migration56.deprecated.raw-post-data">
<title><varname>$HTTP_RAW_POST_DATA</varname> and <link linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link></title>
<title><varname>$HTTP_RAW_POST_DATA</varname> and <literal>always_populate_raw_post_data</literal></title>
<para>
<link linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link>
<literal>always_populate_raw_post_data</literal>
will now generate an <constant>E_DEPRECATED</constant> error when
<varname>$HTTP_RAW_POST_DATA</varname> is populated.
New code should use
@ -57,7 +57,7 @@ B
in a future release. You can opt in for the new behaviour (in which
<varname>$HTTP_RAW_POST_DATA</varname> is never defined hence no
<constant>E_DEPRECATED</constant> error will be generated) by setting
<link linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link>
<literal>always_populate_raw_post_data</literal>
to <literal>-1</literal>.
</para>
</sect2>

View file

@ -15,12 +15,12 @@
<itemizedlist>
<listitem>
<simpara>
<link linkend="ini.always-populate-raw-post-data"><parameter>always_populate_raw_post_data</parameter></link>
<parameter>always_populate_raw_post_data</parameter>
</simpara>
</listitem>
<listitem>
<simpara>
<link linkend="ini.asp-tags"><parameter>asp_tags</parameter></link>
<parameter>asp_tags</parameter>
</simpara>
</listitem>
</itemizedlist>

View file

@ -483,7 +483,7 @@ Hi Joe. You are 22 years old.
External variables are no longer registered in the global scope by
default. In other words, as of PHP
<link xlink:href="&url.php.release4.2.0;">4.2.0</link> the PHP directive
<link linkend="ini.register-globals">register_globals</link> is
<literal>register_globals</literal> is
<emphasis>off</emphasis> by default in &php.ini;. The preferred
method of accessing these values is via the superglobal arrays mentioned
above. Older scripts, books, and tutorials may rely on this

View file

@ -75,125 +75,6 @@
</para>
</answer>
</qandaentry>
<qandaentry xml:id="faq.misc.arguments.references">
<question>
<para>
What does &amp; beside argument mean in function declaration of e.g.
<function>asort</function>?
</para>
</question>
<answer>
<para>
It means that the argument is
<link linkend="language.references.pass">passed by reference</link> and
the function will likely modify it corresponding to the documentation. You
can pass only variables this way and you don't need to pass them with
&amp; in function call (it's even
<link linkend="ini.allow-call-time-pass-reference">deprecated</link>).
</para>
</answer>
</qandaentry>
<qandaentry xml:id="faq.misc.registerglobals">
<question>
<para>
How do I deal with <literal>register_globals</literal>?
</para>
</question>
<answer>
<para>
For information about the security implications of
<literal>register_globals</literal>, read the security chapter on
<link linkend="security.globals">Using register_globals</link>.
</para>
<para>
It's preferred to use
<link linkend="language.variables.superglobals">superglobals</link>,
rather than relying upon <literal>register_globals</literal> being on.
</para>
<para>
If you are on a shared host with <literal>register_globals</literal> turned
off and need to use some legacy applications, which require this option
to be turned on, or you are on some hosting server, where this feature
is turned on, but you would like to eliminate security risks, you might
need to emulate the opposite setting with PHP. It is always a good idea to
first ask if it would be possible to change the option somehow in PHP's
configuration, but if it is not possible, then you can use these
compatibility snippets.
</para>
<para>
<example>
<title>Emulating Register Globals</title>
<para>
This will emulate register_globals On. If you altered your
<link linkend="ini.variables-order">variables_order</link> directive,
consider changing the <varname>$superglobals</varname> accordingly.
</para>
<programlisting role="php">
<![CDATA[
<?php
// Emulate register_globals on
if (!ini_get('register_globals')) {
$superglobals = array($_SERVER, $_ENV,
$_FILES, $_COOKIE, $_POST, $_GET);
if (isset($_SESSION)) {
array_unshift($superglobals, $_SESSION);
}
foreach ($superglobals as $superglobal) {
extract($superglobal, EXTR_SKIP);
}
}
?>
]]>
</programlisting>
<para>
This will emulate register_globals Off. Keep in mind, that this code
should be called at the very beginning of your script, or after
<function>session_start</function> if you use it to start your session.
</para>
<programlisting role="php">
<![CDATA[
<?php
// Emulate register_globals off
function unregister_GLOBALS()
{
if (!ini_get('register_globals')) {
return;
}
// Might want to change this perhaps to a nicer error
if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
die('GLOBALS overwrite attempt detected');
}
// Variables that shouldn't be unset
$noUnset = array('GLOBALS', '_GET',
'_POST', '_COOKIE',
'_REQUEST', '_SERVER',
'_ENV', '_FILES');
$input = array_merge($_GET, $_POST,
$_COOKIE, $_SERVER,
$_ENV, $_FILES,
isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
foreach ($input as $k => $v) {
if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {
unset($GLOBALS[$k]);
}
}
}
unregister_GLOBALS();
?>
]]>
</programlisting>
</example>
</para>
</answer>
</qandaentry>
</qandaset>
</chapter>

View file

@ -100,68 +100,6 @@ if (empty($empty)) {
</answer>
</qandaentry>
<qandaentry xml:id="faq.register-globals">
<question>
<para>
How does the PHP directive register_globals affect me?
</para>
</question>
<answer>
&warn.deprecated.feature-5-3-0.removed-5-4-0;
<para>
First, an explanation about what this ini setting does. Let's say the
following URL is used:
<literal>http://example.com/foo.php?animal=cat</literal>
and in <filename>foo.php</filename> we might have the following
PHP code:
</para>
<para>
<programlisting role="php">
<![CDATA[
<?php
// Using $_GET here is preferred
echo $_GET['animal'];
// For $animal to exist, register_globals must be on
// DO NOT DO THIS
echo $animal;
// This applies to all variables, so $_SERVER too
echo $_SERVER['PHP_SELF'];
// Again, for $PHP_SELF to exist, register_globals must be on
// DO NOT DO THIS
echo $PHP_SELF;
?>
]]>
</programlisting>
</para>
<para>
The code above demonstrates how register_globals creates a lot of
variables. For years this type of coding has been frowned upon, and for
years it's been disabled by default. So although most web hosts disable
register_globals, there are still outdated articles, tutorials, and books
that require it to be on. Plan accordingly.
</para>
<para>
See also the following resources for additional information:
<simplelist>
<member>The <link linkend="ini.register-globals">register_globals</link> directive</member>
<member>The <link linkend="security.globals">security chapter about register globals</link></member>
<member><link linkend="language.variables.external">Handling external variables</link></member>
<member>Use <link linkend="language.variables.superglobals">superglobals</link> instead</member>
</simplelist>
</para>
<note>
<para>
In the example above, we used an <acronym>URL</acronym> that contained
a QUERY_STRING. Passing information like this is done through a GET HTTP
Request, so this is why the superglobal <varname>$_GET</varname> was used.
</para>
</note>
</answer>
</qandaentry>
<qandaentry xml:id="faq.using.wrong-order">
<question>
<para>
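Review bot: Deleting the entry with xml:id="faq.register-globals" removes a link target, and nothing in this hunk shows its inbound references being cleaned up. Search the tree for linkend="faq.register-globals" before merging. The same check applies to the security.globals and ini.register-globals targets this entry pointed to, which other parts of the commit delete or de-link.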
@ -397,25 +335,9 @@ foreach ($headers as $name => $content) {
</question>
<answer>
<para>
It's important to realize that the PHP directive <link
linkend="ini.register-globals">register_globals</link> also affects
server and environment variables. When register_globals = off (the
default is off since PHP 4.2.0), <varname>$DOCUMENT_ROOT</varname>
will not exist. Instead, use <varname>$_SERVER['DOCUMENT_ROOT']
</varname>. If register_globals = on then the variables
<varname>$DOCUMENT_ROOT</varname> and
<varname>$GLOBALS['DOCUMENT_ROOT']</varname> will also exist.
Use <varname>$_SERVER['DOCUMENT_ROOT']</varname> and
<varname>$_SERVER['HTTP_REFERER']</varname> instead.
</para>
<para>
If you're sure register_globals = on and wonder why
<varname>$DOCUMENT_ROOT</varname> isn't available inside functions,
it's because these are like any other variables and would
require <literal>global $DOCUMENT_ROOT</literal> inside the
function. See also the manual page on
<link linkend="language.variables.scope">variable scope</link>. It's
preferred to code with register_globals = off.
</para>
</answer>
</qandaentry>
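Review bot: With the register_globals explanation dropped, the sentence left as the answer, "Use $_SERVER['DOCUMENT_ROOT'] and $_SERVER['HTTP_REFERER'] instead.", has no antecedent for "instead". State what it replaces (the bare $DOCUMENT_ROOT style variables the removed text described) so the answer still reads on its own.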

View file

@ -24,13 +24,6 @@
cookie, just add <literal>[]</literal> to the cookie name.
</para>
<para>
On older PHP systems (5.3 or earlier),
<link linkend="ini.register-globals">register_globals</link> may be enabled,
which may cause undesirable and insecure operation. If this is enabled, cookies will
be registered as global variables.
</para>
<para>
For more details, including notes on browser bugs, see the
<function>setcookie</function> and <function>setrawcookie</function>

View file

@ -435,10 +435,6 @@ foreach ($_FILES["pictures"]["error"] as $key => $error) {
<varname>$_FILES['userfile']['name']</varname>, and
<varname>$_FILES['userfile']['size']</varname> will be
initialized.
When
<link linkend="ini.register-globals">register_globals</link> is on, globals for uploaded
files are also initialized. Each of these will be a numerically
indexed array of the appropriate values for the submitted files.
</simpara>
<simpara>
For instance, assume that the filenames
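Review bot: The removed lines take "Each of these will be a numerically indexed array of the appropriate values for the submitted files." out along with the register_globals sentence, but that sentence also describes the $_FILES['userfile']['name'] and $_FILES['userfile']['size'] entries listed just above it. Keep it, reworded to refer to the $_FILES entries, so the multi-file upload description does not lose the array shape.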

View file

@ -101,7 +101,7 @@ to seed the random number generator with <function>srand</function> or
<!ENTITY note.registerglobals '<note xmlns="http://docbook.org/ns/docbook"><title>register_globals: important
note</title><para>As of PHP 4.2.0, the default value for the PHP directive
<link linkend="ini.register-globals">register_globals</link> is <emphasis>
<literal>register_globals</literal> is <emphasis>
off</emphasis>. The PHP community discourages developers from relying on this directive, and encourages the use
of other means, such as the &link.superglobals;.</para></note>'>
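Review bot: De-linking register_globals inside note.registerglobals leaves an entity whose whole text ("As of PHP 4.2.0, the default value ... is off") is the kind of obsolete information this commit removes elsewhere. The session_register page deleted in this same commit uses &note.registerglobals;, so check whether any reference remains after the change and drop the entity if none does.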
@ -607,7 +607,7 @@ use.</simpara></note>'>
<!ENTITY avail.register-long-arrays 'As of PHP 5.0.0, the long PHP
<link xmlns="http://docbook.org/ns/docbook" linkend="language.variables.predefined">predefined variable</link>
arrays may be disabled with the
<link xmlns="http://docbook.org/ns/docbook" linkend="ini.register-long-arrays">register_long_arrays</link>
<literal>register_long_arrays</literal>
directive.'>
<!ENTITY ini.shorthandbytes '<simpara xmlns="http://docbook.org/ns/docbook">When an <type>int</type> is used, the
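Review bot: The avail.register-long-arrays text still says the long arrays "may be disabled with the register_long_arrays directive", in the present tense, about a directive that no longer has an ini entry to link to. Either remove the entity together with its uses or reword it as historical.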

View file

@ -46,8 +46,8 @@
preferable to use <filename>php://input</filename> instead of <varname>$HTTP_RAW_POST_DATA</varname> as it does not depend
on special &php.ini; directives. Moreover, for those cases where
<varname>$HTTP_RAW_POST_DATA</varname> is not populated by default, it is a
potentially less memory intensive alternative to activating <link
linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link>.
potentially less memory intensive alternative to activating
<literal>always_populate_raw_post_data</literal>.
<filename>php://input</filename> is not available with
<literal>enctype="multipart/form-data"</literal>.
</simpara>
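Review bot: Replacing the link with a literal keeps a sentence that still offers "activating" always_populate_raw_post_data as a live option, although its documentation target is gone. Reword the comparison with $HTTP_RAW_POST_DATA as historical or trim it, so php://input is not described relative to a setting the reader cannot look up.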

View file

@ -1,163 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.session-register">
<refnamediv>
<refname>session_register</refname>
<refpurpose>Register one or more global variables with the current session</refpurpose>
</refnamediv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<type>bool</type><methodname>session_register</methodname>
<methodparam><type>mixed</type><parameter>name</parameter></methodparam>
<methodparam rep="repeat"><type>mixed</type><parameter>names</parameter></methodparam>
</methodsynopsis>
<para>
<function>session_register</function> accepts a variable number of
arguments, any of which can be either a string holding the name of a
variable or an array consisting of variable names or other arrays. For
each name, <function>session_register</function> registers the global
variable with that name in the current session.
</para>
<para>
You can also create a session variable by simply setting the
appropriate member of the <varname>$_SESSION</varname> array.
<informalexample>
<programlisting role="php">
<![CDATA[
<?php
// Use of session_register() is deprecated
$barney = "A big purple dinosaur.";
session_register("barney");
// Use of $_SESSION is preferred
$_SESSION["zim"] = "An invader from another planet.";
?>
]]>
</programlisting>
</informalexample>
</para>
<para>
If <function>session_start</function> was not called before this function
is called, an implicit call to <function>session_start</function> with no
parameters will be made. <varname>$_SESSION</varname> does not mimic
this behavior and requires <function>session_start</function> before use.
</para>
&warn.deprecated.function-5-3-0.removed-5-4-0;
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<para>
<variablelist>
<varlistentry>
<term><parameter>name</parameter></term>
<listitem>
<para>
A string holding the name of a variable or an array consisting of
variable names or other arrays.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>names</parameter></term>
<listitem>
<para>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 role="returnvalues">
&reftitle.returnvalues;
<para>
&return.success;
</para>
</refsect1>
<refsect1 role="notes">
&reftitle.notes;
<caution>
<para>
If you want your script to work regardless of <link
linkend="ini.register-globals">register_globals</link>, you need to
instead use the <varname>$_SESSION</varname> array as
<varname>$_SESSION</varname> entries are automatically registered. If
your script uses <function>session_register</function>, it will not work
in environments where the PHP directive <link
linkend="ini.register-globals">register_globals</link> is disabled.
</para>
</caution>
&note.registerglobals;
<caution>
<para>
This registers a <emphasis>global</emphasis> variable. If you want to
register a session variable from within a function, you need to make sure
to make it global using the <link
linkend="language.variables.scope"><command>global</command></link>
keyword or the <varname>$GLOBALS[]</varname> array, or use the special
session arrays as noted below.
</para>
</caution>
<caution>
<para>
If you are using <varname>$_SESSION</varname>, do not use
<function>session_register</function>,
<function>session_is_registered</function>, and
<function>session_unregister</function>.
</para>
</caution>
<note>
<para>
It is currently impossible to register resource variables in a session.
For example, you cannot create a connection to a database and store the
connection id as a session variable and expect the connection to still be
valid the next time the session is restored. PHP functions that return a
resource are identified by having a return type of
<literal>resource</literal> in their function definition. A list of
functions that return resources are available in the <link
linkend="resource">resource types</link> appendix.
</para>
<para>
If <varname>$_SESSION</varname> is used, assign values to
<varname>$_SESSION</varname>. For example: $_SESSION['var'] = 'ABC';
</para>
</note>
</refsect1>
<refsect1 role="seealso">
&reftitle.seealso;
<para>
<simplelist>
<member><function>session_is_registered</function></member>
<member><function>session_unregister</function></member>
<member><varname>$_SESSION</varname></member>
</simplelist>
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
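Review bot: Deleting this page removes the target for every session_register function reference, and its See Also list names session_is_registered and session_unregister, which would point back here. Confirm those two pages go in the same commit and that no remaining page still refers to session_register as a function.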

View file

@ -1014,14 +1014,6 @@
</variablelist>
</para>
<para>
The
<link
linkend="ini.register-globals"><literal>register_globals</literal></link>
configuration settings influence how the session variables get
stored and restored.
</para>
<para>
Upload progress will not be registered unless
session.upload_progress.enabled is enabled, and the

View file

@ -1,161 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<!-- splitted from ./index.xml, last change in rev 1.66 -->
<chapter xml:id="security.globals" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
<title>Using Register Globals</title>
&warn.deprecated.feature-5-3-0.removed-5-4-0;
<para>
Perhaps the most controversial change in <acronym>PHP</acronym> is when the default value
for the <acronym>PHP</acronym> directive <link linkend="ini.register-globals">
register_globals</link> went from ON to OFF in <acronym>PHP</acronym>
<link xlink:href="&url.php.release4.2.0;">4.2.0</link>. Reliance on this
directive was quite common and many people didn't even know it existed
and assumed it's just how <acronym>PHP</acronym> works. This page will explain how one can
write insecure code with this directive but keep in mind that the
directive itself isn't insecure but rather it's the misuse of it.
</para>
<para>
When on, register_globals will inject your scripts with all
sorts of variables, like request variables from <acronym>HTML</acronym> forms. This
coupled with the fact that <acronym>PHP</acronym> doesn't require variable initialization
means writing insecure code is that much easier. It was a difficult
decision, but the <acronym>PHP</acronym> community decided to disable this directive by
default. When on, people use variables yet really don't know for sure
where they come from and can only assume. Internal variables that are
defined in the script itself get mixed up with request data sent by
users and disabling register_globals changes this. Let's demonstrate
with an example misuse of register_globals:
</para>
<para>
<example>
<title>Example misuse with register_globals = on</title>
<programlisting role="php">
<![CDATA[
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
$authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
include "/highly/sensitive/data.php";
}
?>
]]>
</programlisting>
</example>
</para>
<para>
When register_globals = on, our logic above may be compromised. When
off, <varname>$authorized</varname> can't be set via request so it'll
be fine, although it really is generally a good programming practice to
initialize variables first. For example, in our example above we might
have first done <literal>$authorized = false</literal>. Doing this
first means our above code would work with register_globals on or off as
users by default would be unauthorized.
</para>
<para>
Another example is that of <link linkend="ref.session">sessions</link>.
When register_globals = on, we could also use
<varname>$username</varname> in our example below but again you must
realize that <varname>$username</varname> could also come from other
means, such as GET (through the <acronym>URL</acronym>).
</para>
<para>
<example>
<title>Example use of sessions with register_globals on or off</title>
<programlisting role="php">
<![CDATA[
<?php
// We wouldn't know where $username came from but do know $_SESSION is
// for session data
if (isset($_SESSION['username'])) {
echo "Hello <b>{$_SESSION['username']}</b>";
} else {
echo "Hello <b>Guest</b><br />";
echo "Would you like to login?";
}
?>
]]>
</programlisting>
</example>
</para>
<para>
It's even possible to take preventative measures to warn when forging is
being attempted. If you know ahead of time exactly where a variable
should be coming from, you can check to see if the submitted data is
coming from an inappropriate kind of submission. While it doesn't
guarantee that data has not been forged, it does require an attacker to
guess the right kind of forging. If you don't care where the request
data comes from, you can use <varname>$_REQUEST</varname> as it contains
a mix of GET, POST and COOKIE data. See also the manual section on
using <link linkend="language.variables.external">variables from external
sources</link>.
</para>
<para>
<example>
<title>Detecting simple variable poisoning</title>
<programlisting role="php">
<![CDATA[
<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {
// MAGIC_COOKIE comes from a cookie.
// Be sure to validate the cookie data!
} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {
mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
echo "Security violation, admin has been alerted.";
exit;
} else {
// MAGIC_COOKIE isn't set through this REQUEST
}
?>
]]>
</programlisting>
</example>
</para>
<para>
Of course, simply turning off register_globals does not mean your code
is secure. For every piece of data that is submitted, it should also be
checked in other ways. Always validate your user data and initialize
your variables! To check for uninitialized variables you may turn up
<function>error_reporting</function> to show
<constant>E_NOTICE</constant> level errors.
</para>
<para>
For information about emulating register_globals being On or Off, see this <link linkend="faq.misc.registerglobals">FAQ</link>.
</para>
</chapter>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
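Review bot: The deleted chapter carries advice that is not specific to register_globals: the closing paragraph ("Always validate your user data and initialize your variables!", raising error_reporting to show E_NOTICE) and the $authorized example of an uninitialized flag. Check that this guidance exists elsewhere in the security section before the file goes, and remove the chapter's include from the parent index.xml named in the "splitted from ./index.xml" comment so the build does not reference a missing file.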