diff --git a/appendices/ini.core.xml b/appendices/ini.core.xml index 7d3dcc8755..966cbe6173 100644 --- a/appendices/ini.core.xml +++ b/appendices/ini.core.xml @@ -36,12 +36,6 @@ PHP_INI_PERDIR - - asp_tags - "0" - PHP_INI_PERDIR - Removed in PHP 7.0.0. - precision "14" @@ -53,22 +47,9 @@ "-1" PHP_INI_ALL - Before PHP 5.3.6, the default value was 100. - Before PHP 7.1.0, the default value was 17. + Prior to PHP 7.1.0, the default value was 17. - - y2k_compliance - "1" - PHP_INI_ALL - Removed in PHP 5.4.0. - - - allow_call_time_pass_reference - "1" - PHP_INI_PERDIR - Removed in PHP 5.4.0. - disable_functions "" @@ -85,7 +66,7 @@ exit_on_timeout "" PHP_INI_ALL - Available since PHP 5.3.0. + expose_php @@ -97,49 +78,43 @@ hard_timeout "2" PHP_INI_SYSTEM - Available since PHP 7.1.0. + Available as of PHP 7.1.0. zend.exception_ignore_args "0" PHP_INI_ALL - Available since PHP 7.4.0 + Available as of PHP 7.4.0 zend.multibyte "0" PHP_INI_ALL - Available since PHP 5.4.0 + zend.script_encoding NULL PHP_INI_ALL - Available since PHP 5.4.0 + - zend.detect-unicode + zend.detect_unicode NULL PHP_INI_ALL - Available since PHP 5.4.0 + zend.signal_check "0" PHP_INI_SYSTEM - Available since PHP 5.4.0 + zend.assertions "1" PHP_INI_ALL with restrictions - Available since PHP 7.0.0. - - - detect_unicode - "1" - PHP_INI_ALL - Available since PHP 5.1.0. Renamed to zend.detect-unicode from PHP 5.4.0. + 
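Review bot: The rewritten changelog cells in this hunk are punctuated inconsistently: `hard_timeout` gets `Available as of PHP 7.1.0.` with a full stop while the `zend.exception_ignore_args` cell directly below it becomes `Available as of PHP 7.4.0` without one, and the same mix is visible in the earlier `+ Prior to PHP 7.1.0, the default value was 17.` cell. Pick one form for the whole table, e.g. `Available as of PHP 7.4.0.`. The same "since" → "as of" rewording is applied to `enable_post_data_reading` in the later ini.core.xml hunk and to `sql.safe_mode` (`Removed as of PHP 7.2.0`), but the ini.list.xml hunks in this commit leave `Available since PHP 5.2.0. Deprecated as of PHP 7.4.0.` and `Available since PHP 5.5.0.` untouched as context, so the two tables will now describe the same directives in different wording; either reword those too or leave the wording change out of this removal commit.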
@@ -167,54 +142,13 @@ - This directive also affected the shorthand - <?= before PHP 5.4.0, - which is identical to <? echo. Use of this - shortcut required short_open_tag - to be on. - Since PHP 5.4.0, <?= is always available. + This directive does not affect the shorthand + <?=, which is always available. - - - asp_tags - bool - - - - Enables the use of ASP-like <% %> tags in addition to - the usual <?php ?> tags. This includes the - variable-value printing shorthand of <%= $value %>. For - more information, see Escaping from HTML. - - - - Changelog for <literal>asp_tags</literal> - - - - &Version; - &Description; - - - - - 7.0.0 - - Removed from PHP. - - - - -
-
-
-
- precision @@ -243,79 +177,6 @@ - - - y2k_compliance - bool - - - - Enforce year 2000 compliance (will cause problems with non-compliant browsers) - - - - - - - - allow_call_time_pass_reference - bool - - - - Whether to warn when arguments are passed by reference at function call time. - The encouraged method of specifying which arguments should be passed by - reference is in the function declaration. You're encouraged to try and turn - this option Off and make sure your scripts work properly with it in order to - ensure they will work with future versions of the language (you will receive - a warning each time you use this feature). - - - Passing arguments by reference at function call time was deprecated for - code-cleanliness reasons. A function can modify its arguments in an - undocumented way if it didn't declare that the argument shall be passed by - reference. To prevent side-effects it's better to specify which - arguments are passed by reference in the function declaration only. - - - See also References Explained. - - - - Changelog for <literal>allow_call_time_pass_reference</literal> - - - - &Version; - &Description; - - - - - 5.4.0 - - Removed from PHP. - - - - 5.3.0 - - Emits an E_DEPRECATED level error. - - - - 5.0.0 - - Deprecated, and generates an E_COMPILE_WARNING level error. - - - - -
-
-
-
- expose_php @@ -325,23 +186,6 @@ Exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.7). - Prior to PHP 5.5.0 the PHP logo guids are also exposed, thus appending them - to the URL of your PHP script would display the appropriate logo - (e.g., &url.php;?=PHPE9568F34-D428-11d2-A769-00AA001ACF42). - This also affected the output of phpinfo, as when disabled, the PHP logo - and credits information would not be displayed. - - - - Since PHP 5.5.0 these guids and the php_logo_guid function - have been removed from PHP and the guids are replaced with data URIs instead. - Thus accessing the PHP logo via appending the guid to the URL no longer works. - Similarly, turning expose_php off will not affect - seeing the PHP logo in phpinfo. - - - - See also php_logo_guid and phpcredits. @@ -537,7 +381,7 @@ memory_limit "128M" PHP_INI_ALL - "8M" before PHP 5.2.0, "16M" in PHP 5.2.0 + @@ -560,14 +404,6 @@ scripts for eating up all available memory on a server. Note that to have no memory limit, set this directive to -1. - - Prior to PHP 5.2.1, in order to use this directive it had to - be enabled at compile time by using - in the - configure line. This compile-time flag was also required to define - the functions memory_get_usage and - memory_get_peak_usage prior to 5.2.1. - &ini.shorthandbytes; @@ -599,13 +435,13 @@ realpath_cache_size "4M" PHP_INI_SYSTEM - Available since PHP 5.1.0. Prior to PHP 7.0.16 and 7.1.2, the default was "16K" + Prior to PHP 7.0.16 and 7.1.2, the default was "16K" realpath_cache_ttl "120" PHP_INI_SYSTEM - Available since PHP 5.1.0. + @@ -691,25 +527,19 @@ variables_order "EGPCS" PHP_INI_PERDIR - PHP_INI_ALL in PHP <= 5.0.5. + request_order "" PHP_INI_PERDIR - Available since PHP 5.3.0 + auto_globals_jit "1" PHP_INI_PERDIR - Available since PHP 5.0.0. - - - register_globals - "0" - PHP_INI_PERDIR - Removed in PHP 5.4.0. + register_argc_argv 
@@ -717,17 +547,11 @@ PHP_INI_PERDIR - - register_long_arrays - "1" - PHP_INI_PERDIR - Deprecated in PHP 5.3.0. Removed in PHP 5.4.0. - enable_post_data_reading "1" PHP_INI_PERDIR - Available since PHP 5.4.0 + Available as of PHP 5.4.0 post_max_size @@ -757,13 +581,25 @@ default_charset "UTF-8" PHP_INI_ALL - Defaults to "UTF-8" since PHP >= 5.6.0; empty for PHP < 5.6.0. + - always_populate_raw_post_data - "0" - PHP_INI_PERDIR - Removed in PHP 7.0.0. + input_encoding + "" + PHP_INI_ALL + + + + output_encoding + "" + PHP_INI_ALL + + + + internal_encoding + "" + PHP_INI_ALL + @@ -821,21 +657,6 @@ $_COOKIE. Setting to "" means no &link.superglobals; will be set. - - If the deprecated - register_globals - directive is on, then variables_order also - configures the order the ENV, - GET, POST, - COOKIE and SERVER variables - are populated in global scope. So for example if variables_order - is set to "EGPCS", register_globals is enabled, - and both $_GET['action'] and - $_POST['action'] are set, then - $action will contain the value of - $_POST['action'] as P comes - after G in our example directive value. - In both the CGI and FastCGI SAPIs, @@ -890,15 +711,6 @@ variables are not used within a script, having this directive on will result in a performance gain. - - The PHP directives - register_globals, - register_long_arrays, - and register_argc_argv - must be disabled for this directive to have any affect. Since PHP - 5.1.3 it is not necessary to have register_argc_argv disabled. - Usage of SERVER, REQUEST, and ENV variables is checked during the compile time 
@@ -910,43 +722,6 @@ - - - register_globals - bool - - - - Whether or not to register the EGPCS (Environment, GET, - POST, Cookie, Server) variables as global variables. - - - As of PHP 4.2.0, - this directive defaults to off. - - - Please read the security chapter on - Using register_globals - for related information. - - - Please note that register_globals - cannot be set at runtime (ini_set). Although, you can - use &htaccess; if your host allows it as described - above. An example &htaccess; entry: - php_flag register_globals off. - - - - register_globals is affected - by the variables_order - directive. - - - &warn.deprecated.feature-5-3-0.removed-5-4-0; - - - register_argc_argv @@ -963,29 +738,6 @@ - - - register_long_arrays - bool - - - - Tells PHP whether or not to register the deprecated long - $HTTP_*_VARS type - predefined - variables. When On (default), long predefined PHP - variables like $HTTP_GET_VARS will be defined. - If you're not using them, it's recommended to turn them off, - for performance reasons. Instead, use the superglobal arrays, - like $_GET. - - - This directive became available in PHP 5.0.0. - - &warn.deprecated.feature-5-3-0.removed-5-4-0; - - - enable_post_data_reading @@ -1137,7 +889,7 @@ - In PHP 5.6 onwards, "UTF-8" is the default value and its value is used + "UTF-8" is the default value and its value is used as the default character encoding for htmlentities, html_entity_decode and @@ -1175,7 +927,7 @@ - Available from PHP 5.6.0. This setting is used for multibyte modules + This setting is used for multibyte modules such as mbstring and iconv. Default is empty. @@ -1188,7 +940,7 @@ - Available from PHP 5.6.0. This setting is used for multibyte modules + This setting is used for multibyte modules such as mbstring and iconv. Default is empty. 
@@ -1201,42 +953,13 @@ - Available from PHP 5.6.0. This setting is used for multibyte modules + This setting is used for multibyte modules such as mbstring and iconv. Default is empty. If empty, default_charset is used. - - - always_populate_raw_post_data - mixed - - - &warn.deprecated.feature-5-6-0.removed-7-0-0; - - If set to &true;, PHP will always populate the - $HTTP_RAW_POST_DATA containing the raw POST data. - Otherwise, the variable is populated only when the MIME type of the - data is unrecognised. - - - The preferred method for accessing raw POST data is - php://input, and - $HTTP_RAW_POST_DATA is deprecated in PHP 5.6.0 - onwards. Setting always_populate_raw_post_data - to -1 will opt into the new behaviour that will be - implemented in a future version of PHP, in which - $HTTP_RAW_POST_DATA is never defined. - - - Regardless of the setting, $HTTP_RAW_POST_DATA is - not available with enctype="multipart/form-data". - - - - @@ -1272,7 +995,7 @@ open_basedir NULL PHP_INI_ALL - PHP_INI_SYSTEM in PHP < 5.3.0 + doc_root @@ -1290,13 +1013,13 @@ user_ini.cache_ttl "300" PHP_INI_SYSTEM - Available since PHP 5.3.0. + user_ini.filename ".user.ini" PHP_INI_SYSTEM - Available since PHP 5.3.0. + extension_dir @@ -1316,59 +1039,41 @@ &php.ini; only - - zend_extension_debug - NULL - &php.ini; only - Available before PHP 5.3.0. - - - zend_extension_debug_ts - NULL - &php.ini; only - Available before PHP 5.3.0. - - - zend_extension_ts - NULL - &php.ini; only - Available before PHP 5.3.0. - cgi.check_shebang_line "1" PHP_INI_SYSTEM - Available since PHP 5.2.0. + cgi.discard_path "0" PHP_INI_SYSTEM - Available since PHP 5.3.0. + cgi.fix_pathinfo "1" PHP_INI_SYSTEM - PHP_INI_ALL prior to PHP 5.2.1. + cgi.force_redirect "1" PHP_INI_SYSTEM - PHP_INI_ALL prior to PHP 5.2.1. + cgi.nph "0" PHP_INI_SYSTEM - Available since PHP 5.3.0. + cgi.redirect_status_env NULL PHP_INI_SYSTEM - PHP_INI_ALL prior to PHP 5.2.1. + cgi.rfc2616_headers 
@@ -1380,13 +1085,13 @@ fastcgi.impersonate "0" PHP_INI_SYSTEM - PHP_INI_ALL prior to PHP 5.2.1. + fastcgi.logging "1" PHP_INI_SYSTEM - PHP_INI_ALL prior to PHP 5.2.1. + @@ -1521,19 +1226,14 @@ include_path = ".:${USER}/pear/php" The restriction specified with is a - directory name since PHP 5.2.16 and 5.3.4. Previous versions used it - as a prefix. This means that "open_basedir - = /dir/incl" also allowed access to "/dir/include" and - "/dir/incls" if they exist. When you want to restrict access - to only the specified directory, end with a slash. For example: - open_basedir = /dir/incl/ + directory name, not a prefix. The default is to allow all files to be opened. - As of PHP 5.3.0 open_basedir can be tightened at run-time. This means + open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in &php.ini; a script can tighten the configuration to /www/tmp/ at run-time with @@ -1644,46 +1344,6 @@ include_path = ".:${USER}/pear/php" - - - zend_extension_debug - string - - - - Variant of zend_extension - for extensions compiled with debug info prior to PHP 5.3.0. - - - - - - - zend_extension_debug_ts - string - - - - Variant of zend_extension - for extensions compiled with debug info and thread safety prior to PHP - 5.3.0. - - - - - - - zend_extension_ts - string - - - - Variant of zend_extension - for extensions compiled with thread safety prior to PHP 5.3.0. - - - - cgi.check_shebang_line @@ -1881,13 +1541,13 @@ include_path = ".:${USER}/pear/php" max_input_nesting_level 64 PHP_INI_PERDIR - Available since PHP 5.3.9. + max_input_vars 1000 PHP_INI_PERDIR - Available since PHP 5.3.9. + upload_max_filesize @@ -1899,7 +1559,7 @@ include_path = ".:${USER}/pear/php" max_file_uploads 20 PHP_INI_SYSTEM - Available since PHP 5.2.12. + @@ -1998,7 +1658,7 @@ include_path = ".:${USER}/pear/php" sql.safe_mode "0" PHP_INI_SYSTEM - Removed in PHP 7.2.0 + Removed as of PHP 7.2.0 
@@ -2051,7 +1711,7 @@ include_path = ".:${USER}/pear/php" windows.show_crt_warning "0" PHP_INI_ALL - Available since PHP 5.4.0. + @@ -2069,8 +1729,7 @@ include_path = ".:${USER}/pear/php" - This directive shows the Windows CRT warnings when enabled. These - warnings were displayed by default until PHP 5.4.0. + This directive shows the Windows CRT warnings when enabled. diff --git a/appendices/ini.list.xml b/appendices/ini.list.xml index d31c6ba5c5..e6acb43fad 100644 --- a/appendices/ini.list.xml +++ b/appendices/ini.list.xml @@ -24,12 +24,6 @@ - - allow_call_time_pass_reference - "1" - PHP_INI_PERDIR - Removed in PHP 5.4.0. - allow_url_fopen "1" @@ -42,12 +36,6 @@ PHP_INI_SYSTEM Available since PHP 5.2.0. Deprecated as of PHP 7.4.0. - - always_populate_raw_post_data - "0" - PHP_INI_PERDIR - - arg_separator.input "&" @@ -60,12 +48,6 @@ PHP_INI_ALL - - asp_tags - "0" - PHP_INI_PERDIR - Removed in PHP 7.0.0. - assert.active "1" @@ -1871,18 +1853,6 @@ PHP_INI_PERDIR - - register_globals - "0" - PHP_INI_PERDIR - Deprecated in PHP 5.3.0. Removed in PHP 5.4.0. - - - register_long_arrays - "1" - PHP_INI_PERDIR - Deprecated in PHP 5.3.0. Removed in PHP 5.4.0. - report_memleaks "1" @@ -2249,12 +2219,6 @@ PHP_INI_ALL Available since PHP 5.5.0. - - y2k_compliance - "1" - PHP_INI_ALL - Removed in PHP 5.4.0. - yami.response.timeout "5" @@ -2315,24 +2279,6 @@ &php.ini; only - - zend_extension_debug - NULL - &php.ini; only - - - - zend_extension_debug_ts - NULL - &php.ini; only - - - - zend_extension_ts - NULL - &php.ini; only - - zlib.output_compression "0" diff --git a/appendices/migration56/deprecated.xml b/appendices/migration56/deprecated.xml index c2436d4393..18ee23cabb 100644 --- a/appendices/migration56/deprecated.xml +++ b/appendices/migration56/deprecated.xml 
@@ -45,10 +45,10 @@ B - <varname>$HTTP_RAW_POST_DATA</varname> and <link linkend="ini.always-populate-raw-post-data">always_populate_raw_post_data</link> + <varname>$HTTP_RAW_POST_DATA</varname> and <literal>always_populate_raw_post_data</literal> - always_populate_raw_post_data + always_populate_raw_post_data will now generate an E_DEPRECATED error when $HTTP_RAW_POST_DATA is populated. New code should use @@ -57,7 +57,7 @@ B in a future release. You can opt in for the new behaviour (in which $HTTP_RAW_POST_DATA is never defined hence no E_DEPRECATED error will be generated) by setting - always_populate_raw_post_data + always_populate_raw_post_data to -1. diff --git a/appendices/migration70/incompatible/removed-ini-directives.xml b/appendices/migration70/incompatible/removed-ini-directives.xml index 60a81a5ffe..f1b0968a52 100644 --- a/appendices/migration70/incompatible/removed-ini-directives.xml +++ b/appendices/migration70/incompatible/removed-ini-directives.xml @@ -15,12 +15,12 @@ - always_populate_raw_post_data + always_populate_raw_post_data - asp_tags + asp_tags diff --git a/chapters/tutorial.xml b/chapters/tutorial.xml index 9aebb04e68..96ade8f128 100644 --- a/chapters/tutorial.xml +++ b/chapters/tutorial.xml @@ -483,7 +483,7 @@ Hi Joe. You are 22 years old. External variables are no longer registered in the global scope by default. In other words, as of PHP 4.2.0 the PHP directive - register_globals is + register_globals is off by default in &php.ini;. The preferred method of accessing these values is via the superglobal arrays mentioned above. Older scripts, books, and tutorials may rely on this diff --git a/faq/misc.xml b/faq/misc.xml index 0d5f20f35e..755bc61b11 100644 --- a/faq/misc.xml +++ b/faq/misc.xml 
@@ -75,125 +75,6 @@ - - - - - What does & beside argument mean in function declaration of e.g. - asort? - - - - - It means that the argument is - passed by reference and - the function will likely modify it corresponding to the documentation. You - can pass only variables this way and you don't need to pass them with - & in function call (it's even - deprecated). - - - - - - - - How do I deal with register_globals? - - - - - For information about the security implications of - register_globals, read the security chapter on - Using register_globals. - - - It's preferred to use - superglobals, - rather than relying upon register_globals being on. - - - If you are on a shared host with register_globals turned - off and need to use some legacy applications, which require this option - to be turned on, or you are on some hosting server, where this feature - is turned on, but you would like to eliminate security risks, you might - need to emulate the opposite setting with PHP. It is always a good idea to - first ask if it would be possible to change the option somehow in PHP's - configuration, but if it is not possible, then you can use these - compatibility snippets. - - - - Emulating Register Globals - - This will emulate register_globals On. If you altered your - variables_order directive, - consider changing the $superglobals accordingly. - - - -]]> - - - This will emulate register_globals Off. Keep in mind, that this code - should be called at the very beginning of your script, or after - session_start if you use it to start your session. - - - $v) { - if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) { - unset($GLOBALS[$k]); - } - } -} - -unregister_GLOBALS(); - -?> -]]> - - - - - diff --git a/faq/using.xml b/faq/using.xml index f0eb3eb303..a539944ff7 100644 --- a/faq/using.xml +++ b/faq/using.xml 
@@ -100,68 +100,6 @@ if (empty($empty)) { - - - - How does the PHP directive register_globals affect me? - - - - &warn.deprecated.feature-5-3-0.removed-5-4-0; - - First, an explanation about what this ini setting does. Let's say the - following URL is used: - http://example.com/foo.php?animal=cat - and in foo.php we might have the following - PHP code: - - - - -]]> - - - - The code above demonstrates how register_globals creates a lot of - variables. For years this type of coding has been frowned upon, and for - years it's been disabled by default. So although most web hosts disable - register_globals, there are still outdated articles, tutorials, and books - that require it to be on. Plan accordingly. - - - See also the following resources for additional information: - - The register_globals directive - The security chapter about register globals - Handling external variables - Use superglobals instead - - - - - In the example above, we used an URL that contained - a QUERY_STRING. Passing information like this is done through a GET HTTP - Request, so this is why the superglobal $_GET was used. - - - - - @@ -397,25 +335,9 @@ foreach ($headers as $name => $content) { - It's important to realize that the PHP directive register_globals also affects - server and environment variables. When register_globals = off (the - default is off since PHP 4.2.0), $DOCUMENT_ROOT - will not exist. Instead, use $_SERVER['DOCUMENT_ROOT'] - . If register_globals = on then the variables - $DOCUMENT_ROOT and - $GLOBALS['DOCUMENT_ROOT'] will also exist. + Use $_SERVER['DOCUMENT_ROOT'] and + $_SERVER['HTTP_REFERER'] instead. - - If you're sure register_globals = on and wonder why - $DOCUMENT_ROOT isn't available inside functions, - it's because these are like any other variables and would - require global $DOCUMENT_ROOT inside the - function. See also the manual page on - variable scope. It's - preferred to code with register_globals = off. - - 
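Review bot: In the second hunk of faq/using.xml the replacement sentence `Use $_SERVER['DOCUMENT_ROOT'] and $_SERVER['HTTP_REFERER'] instead.` no longer has a visible referent for "instead", because the paragraphs that introduced `$DOCUMENT_ROOT` and the register_globals behaviour it contrasted with are the ones this hunk removes. The entry's question heading is outside the hunk; if it still names the old `$DOCUMENT_ROOT`/`$HTTP_REFERER` globals the sentence may read fine, but if it was reworded as well the answer becomes a bare instruction with no "instead of what". A self-contained wording such as `These values are available as $_SERVER['DOCUMENT_ROOT'] and $_SERVER['HTTP_REFERER'].` avoids the dependency on the heading either way.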
diff --git a/features/cookies.xml b/features/cookies.xml index 6159e535c7..5c7ac7b8bf 100644 --- a/features/cookies.xml +++ b/features/cookies.xml @@ -24,13 +24,6 @@ cookie, just add [] to the cookie name. - - On older PHP systems (5.3 or earlier), - register_globals may be enabled, - which may cause undesirable and insecure operation. If this is enabled, cookies will - be registered as global variables. - - For more details, including notes on browser bugs, see the setcookie and setrawcookie diff --git a/features/file-upload.xml b/features/file-upload.xml index 426eb0de22..339264243f 100644 --- a/features/file-upload.xml +++ b/features/file-upload.xml @@ -435,10 +435,6 @@ foreach ($_FILES["pictures"]["error"] as $key => $error) { $_FILES['userfile']['name'], and $_FILES['userfile']['size'] will be initialized. - When - register_globals is on, globals for uploaded - files are also initialized. Each of these will be a numerically - indexed array of the appropriate values for the submitted files. For instance, assume that the filenames diff --git a/language-snippets.ent b/language-snippets.ent index 01bf4f0ea9..5c90cfe5f4 100644 --- a/language-snippets.ent +++ b/language-snippets.ent @@ -101,7 +101,7 @@ to seed the random number generator with srand or register_globals: important noteAs of PHP 4.2.0, the default value for the PHP directive -register_globals is +register_globals is off. The PHP community discourages developers from relying on this directive, and encourages the use of other means, such as the &link.superglobals;.'> @@ -607,7 +607,7 @@ use.'> predefined variable arrays may be disabled with the -register_long_arrays +register_long_arrays directive.'> When an int is used, the diff --git a/language/wrappers/php.xml b/language/wrappers/php.xml index 1ff4cf9aa5..b72abd763f 100644 --- a/language/wrappers/php.xml +++ b/language/wrappers/php.xml 
@@ -46,8 +46,8 @@ preferable to use php://input instead of $HTTP_RAW_POST_DATA as it does not depend on special &php.ini; directives. Moreover, for those cases where $HTTP_RAW_POST_DATA is not populated by default, it is a - potentially less memory intensive alternative to activating always_populate_raw_post_data. + potentially less memory intensive alternative to activating + always_populate_raw_post_data. php://input is not available with enctype="multipart/form-data". diff --git a/reference/session/functions/session-register.xml b/reference/session/functions/session-register.xml deleted file mode 100644 index 0020799e54..0000000000 --- a/reference/session/functions/session-register.xml +++ /dev/null 
@@ -1,163 +0,0 @@ - - - - - session_register - Register one or more global variables with the current session - - - - &reftitle.description; - - boolsession_register - mixedname - mixednames - - - session_register accepts a variable number of - arguments, any of which can be either a string holding the name of a - variable or an array consisting of variable names or other arrays. For - each name, session_register registers the global - variable with that name in the current session. - - - You can also create a session variable by simply setting the - appropriate member of the $_SESSION array. - - - -]]> - - - - - If session_start was not called before this function - is called, an implicit call to session_start with no - parameters will be made. $_SESSION does not mimic - this behavior and requires session_start before use. - - &warn.deprecated.function-5-3-0.removed-5-4-0; - - - - &reftitle.parameters; - - - - name - - - A string holding the name of a variable or an array consisting of - variable names or other arrays. - - - - - names - - - - - - - - - - - &reftitle.returnvalues; - - &return.success; - - - - - &reftitle.notes; - - - If you want your script to work regardless of register_globals, you need to - instead use the $_SESSION array as - $_SESSION entries are automatically registered. If - your script uses session_register, it will not work - in environments where the PHP directive register_globals is disabled. - - - ¬e.registerglobals; - - - This registers a global variable. If you want to - register a session variable from within a function, you need to make sure - to make it global using the global - keyword or the $GLOBALS[] array, or use the special - session arrays as noted below. - - - - - If you are using $_SESSION, do not use - session_register, - session_is_registered, and - session_unregister. - - - - - It is currently impossible to register resource variables in a session. 
- For example, you cannot create a connection to a database and store the - connection id as a session variable and expect the connection to still be - valid the next time the session is restored. PHP functions that return a - resource are identified by having a return type of - resource in their function definition. A list of - functions that return resources are available in the resource types appendix. - - - If $_SESSION is used, assign values to - $_SESSION. For example: $_SESSION['var'] = 'ABC'; - - - - - - &reftitle.seealso; - - - session_is_registered - session_unregister - $_SESSION - - - - - - - diff --git a/reference/session/ini.xml b/reference/session/ini.xml index fafe751c27..bece5cddd2 100644 --- a/reference/session/ini.xml +++ b/reference/session/ini.xml @@ -1014,14 +1014,6 @@ - - The - register_globals - configuration settings influence how the session variables get - stored and restored. - - Upload progress will not be registered unless session.upload_progress.enabled is enabled, and the diff --git a/security/globals.xml b/security/globals.xml deleted file mode 100644 index b567ef43e8..0000000000 --- a/security/globals.xml +++ /dev/null 
@@ -1,161 +0,0 @@ - - - - - Using Register Globals - &warn.deprecated.feature-5-3-0.removed-5-4-0; - - Perhaps the most controversial change in PHP is when the default value - for the PHP directive - register_globals went from ON to OFF in PHP - 4.2.0. Reliance on this - directive was quite common and many people didn't even know it existed - and assumed it's just how PHP works. This page will explain how one can - write insecure code with this directive but keep in mind that the - directive itself isn't insecure but rather it's the misuse of it. - - - When on, register_globals will inject your scripts with all - sorts of variables, like request variables from HTML forms. This - coupled with the fact that PHP doesn't require variable initialization - means writing insecure code is that much easier. It was a difficult - decision, but the PHP community decided to disable this directive by - default. When on, people use variables yet really don't know for sure - where they come from and can only assume. Internal variables that are - defined in the script itself get mixed up with request data sent by - users and disabling register_globals changes this. Let's demonstrate - with an example misuse of register_globals: - - - - Example misuse with register_globals = on - - -]]> - - - - - When register_globals = on, our logic above may be compromised. When - off, $authorized can't be set via request so it'll - be fine, although it really is generally a good programming practice to - initialize variables first. For example, in our example above we might - have first done $authorized = false. Doing this - first means our above code would work with register_globals on or off as - users by default would be unauthorized. - - - Another example is that of sessions. - When register_globals = on, we could also use - $username in our example below but again you must - realize that $username could also come from other - means, such as GET (through the URL). 
- - - - Example use of sessions with register_globals on or off - -{$_SESSION['username']}"; - -} else { - - echo "Hello Guest
"; - echo "Would you like to login?"; - -} -?> -]]> -
-
-
- - It's even possible to take preventative measures to warn when forging is - being attempted. If you know ahead of time exactly where a variable - should be coming from, you can check to see if the submitted data is - coming from an inappropriate kind of submission. While it doesn't - guarantee that data has not been forged, it does require an attacker to - guess the right kind of forging. If you don't care where the request - data comes from, you can use $_REQUEST as it contains - a mix of GET, POST and COOKIE data. See also the manual section on - using variables from external - sources. - - - - Detecting simple variable poisoning - - -]]> - - - - - Of course, simply turning off register_globals does not mean your code - is secure. For every piece of data that is submitted, it should also be - checked in other ways. Always validate your user data and initialize - your variables! To check for uninitialized variables you may turn up - error_reporting to show - E_NOTICE level errors. - - - For information about emulating register_globals being On or Off, see this FAQ. - -
- -