xref: /web-php/releases/4_1_0.php (revision f1cb7e74)
1<?php
2$_SERVER['BASE_PAGE'] = 'releases/4_1_0.php';
3include_once __DIR__ . '/../include/prepend.inc';
4site_header("PHP 4.1.0 Release Announcement");
5?>
6
7<h1>PHP 4.1.0 Release Announcement</h1>
8
9<p>
10 After a lengthy QA process, PHP 4.1.0 is <a href="/downloads.php">finally out</a>!<br>
11 [ <a href="/releases/4_1_0_fr.php">Version Fran&ccedil;aise</a> ]
12</p>
13
14<p> PHP 4.1.0 includes several other key improvements:</p>
15<ul>
16 <li>A new input interface for improved security (read below)</li>
17 <li>Highly improved performance in general</li>
18 <li>
19  Revolutionary performance and stability improvements under
20  Windows.  The multithreaded server modules under Windows (ISAPI,
21  Apache, etc.) perform as much as 30 times faster under load!  We
22  want to thank Brett Brewer and his team in Microsoft for working
23  with us to improve PHP for Windows.
24 </li>
25 <li>
26  Versioning support for extensions.  Right now it's barely being
27  used, but the infrastructure was put in place to support separate
28  version numbers for different extensions.  The negative side effect
29  is that loading extensions that were built against old versions of
30  PHP will now result in a crash, instead of in a nice clear message.
31  Make sure you only use extensions built with PHP 4.1.0.
32 </li>
33 <li>Turn-key output compression support</li>
34 <li><strong>LOTS</strong> of fixes and new functions</li>
35</ul>
36
37<p>
38 As some of you may notice, this version is quite historic, as it's
39 the first time in history we actually incremented the middle digit! :)
40 The two key reasons for this unprecedented change were the new input
41 interface, and the broken binary compatibility of modules due to the
42 versioning support.
43</p>
44
45<p>
46 Following is a description of the new input mechanism. For a full list of
47 changes in PHP 4.1.0, see the <a href="/ChangeLog-4.php#4.1.0">ChangeLog</a>.
48</p>
49
50<hr>
51
52<h2>SECURITY: NEW INPUT MECHANISM</h2>
53
54<p>
55 First and foremost, it's important to stress that regardless of
56 anything you may read in the following lines, PHP 4.1.0 <strong>still
57 supports</strong> the old input mechanisms from older versions.
58 Old applications should go on working fine without modification!
59</p>
60
61<p>Now that we have that behind us, let's move on :)</p>
62
63<p>
64 For various reasons, PHP setups which rely on register_globals
65 being on (i.e., on form, server and environment variables becoming
66 a part of the global namespace, automatically) are very often
67 exploitable to various degrees.  For example, the piece of code:
68</p>
69
70<?php highlight_php('<?php
71if (authenticate_user()) {
72  $authenticated = true;
73}
74...
75?>');?>
76
77<p>
78 May be exploitable, as remote users can simply pass on 'authenticated'
79 as a form variable, and then even if authenticate_user() returns false,
80 $authenticated will actually be set to true.  While this looks like a
81 simple example, in reality, quite a few PHP applications ended up being
82 exploitable by things related to this misfeature.
83</p>
84
85<p>
86 While it is quite possible to write secure code in PHP, we felt that the
87 fact that PHP makes it too easy to write insecure code was bad, and we've
88 decided to attempt a far-reaching change, and deprecate register_globals.
89 Obviously, because the vast majority of the PHP code in the world relies
90 on the existence of this feature, we have no plans to actually remove it
91 from PHP anytime in the foreseeable future, but we've decided to encourage
92 people to shut it off whenever possible.
93</p>
94
95<p>
96 To help users build PHP applications with register_globals being off,
97 we've added several new special variables that can be used instead of the
98 old global variables. There are 7 new special arrays:
99</p>
100
101<ul>
102 <li>$_GET - contains form variables sent through GET</li>
103 <li>$_POST - contains form variables sent through POST</li>
104 <li>$_COOKIE - contains HTTP cookie variables</li>
105 <li>$_SERVER - contains server variables (e.g., REMOTE_ADDR)</li>
106 <li>$_ENV - contains the environment variables</li>
107 <li>
108  $_REQUEST - a merge of the GET variables, POST variables and Cookie variables.
109  In other words - all the information that is coming from the user,
110  and that from a security point of view, cannot be trusted.
111 </li>
112 <li>$_SESSION - contains HTTP variables registered by the session module</li>
113</ul>
114
115<p>
116 Now, other than the fact that these variables contain this special information,
117 they're also special in another way - they're automatically global in any
118 scope. This means that you can access them anywhere, without having to
119 'global' them first. For example:
120</p>
121
122<?php highlight_php('<?php
123function example1()
124{
125	print $_GET["name"];   // works, \'global $_GET;\' is not necessary!
126}
127?>');?>
128
129<p>
130 would work fine! We hope that this fact would ease the pain in migrating
131 old code to new code a bit, and we're confident it's going to make writing
132 new code easier. Another neat trick is that creating new entries in the
133 $_SESSION array will automatically register them as session variables, as
134 if you called session_register(). This trick is limited to the session
135 module only - for example, setting new entries in $_ENV will
136 <strong>not</strong> perform an implicit putenv().
137</p>
138
139<p>
140 PHP 4.1.0 still defaults to have register_globals set to on. It's a
141 transitional version, and we encourage application authors, especially
142 public ones which are used by a wide audience, to change their applications
143 to work in an environment where register_globals is set to off. Of course,
144 they should take advantage of the new features supplied in PHP 4.1.0 that
145 make this transition much easier.
146</p>
147
148<p>
149 As of the next semi-major version of PHP, new installations of PHP will
150 default to having register_globals set to off. No worries! Existing
151 installations, which already have a php.ini file that has register_globals
152 set to on, will not be affected. Only when you install PHP on a brand new
153 machine (typically, if you're a brand new user), will this affect you, and
154 then too - you can turn it on if you choose to.
155</p>
156
157<p>
158 Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names
159 still work, but we encourage users to switch to the new shorter, and
160 auto-global versions.
161</p>
162
163<p>
164 Thanks go to Shaun Clowes (shaun at securereality dot com dot au) for
165 pointing out this problem and for analyzing it.
166</p>
167
168<?php site_footer(); ?>
169