PHP

From Wikipedia, the free encyclopedia
Jump to: navigation, search
PHP
PHP-logo.svg
PHP: Hypertext Preprocessor
Paradigm(s) imperative, functional, object-oriented, procedural, reflective
Appeared in 1995; 19 years ago (1995)[1]
Designed by Rasmus Lerdorf
Developer The PHP Group
Stable release 5.5.8 (January 10, 2014; 27 days ago (2014-01-10))
Typing discipline Dynamic, weak
Major implementations Zend Engine, Phalanger, Quercus, Project Zero, HipHop
Influenced by Perl, C, C++, Java, Tcl[1]
Implementation language C
OS Cross-platform
License PHP License
Website www.php.net

PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. PHP is now installed on more than 244 million websites and 2.1 million web servers.[2] Originally created by Rasmus Lerdorf in 1995, the reference implementation of PHP is now produced by The PHP Group.[3] While PHP originally stood for Personal Home Page,[4] it now stands for PHP: Hypertext Preprocessor, a recursive backronym.[5]

PHP code is interpreted by a web server with a PHP processor module, which generates the resulting web page: PHP commands can be embedded directly into an HTML source document rather than calling an external file to process data. It has also evolved to include a command-line interface capability and can be used in standalone graphical applications.[6]

PHP is free software released under the PHP License. PHP can be deployed on most web servers and also as a standalone shell on almost every operating system and platform, free of charge.[7]

History[edit]

Rasmus Lerdorf, who wrote the original Common Gateway Interface (CGI) component, together with Andi Gutmans and Zeev Suraski, who rewrote the parser that formed PHP 3.

PHP development began in 1994 when the developer Rasmus Lerdorf wrote a series of Common Gateway Interface (CGI) Perl scripts, which he used to maintain his personal homepage. The tools performed tasks such as displaying his résumé and recording his web traffic.[3][8][9] He rewrote these scripts in C for performance reasons, extending them to add the ability to work with web forms and to communicate with databases, and called this implementation "Personal Home Page/Forms Interpreter" or PHP/FI.

PHP/FI could be used to build simple, dynamic web applications. Lerdorf initially announced the release of PHP/FI as "Personal Home Page Tools (PHP Tools) version 1.0" publicly to accelerate bug location and improve the code, on the comp.infosystems.www.authoring.cgi Usenet discussion group on June 8, 1995.[10][11] This release already had the basic functionality that PHP has as of 2013. This included Perl-like variables, form handling, and the ability to embed HTML. The syntax resembled that of Perl but was simpler, more limited and less consistent.[3]

Early PHP was not intended to be a new programming language, and grew organically, with Lerdorf noting in retrospect: "I don’t know how to stop it, there was never any intent to write a programming language […] I have absolutely no idea how to write a programming language, I just kept adding the next logical step on the way."[12] A development team began to form and, after months of work and beta testing, officially released PHP/FI 2 in November 1997.

Zeev Suraski and Andi Gutmans rewrote the parser in 1997 and formed the base of PHP 3, changing the language's name to the recursive acronym PHP: Hypertext Preprocessor.[3] Afterwards, public testing of PHP 3 began, and the official launch came in June 1998. Suraski and Gutmans then started a new rewrite of PHP's core, producing the Zend Engine in 1999.[13] They also founded Zend Technologies in Ramat Gan, Israel.[3]

On May 22, 2000, PHP 4, powered by the Zend Engine 1.0, was released.[3] As of August 2008 this branch reached version 4.4.9. PHP 4 is no longer under development nor will any security updates be released.[14][15]

On July 13, 2004, PHP 5 was released, powered by the new Zend Engine II.[3] PHP 5 included new features such as improved support for object-oriented programming, the PHP Data Objects (PDO) extension (which defines a lightweight and consistent interface for accessing databases), and numerous performance enhancements.[16] In 2008 PHP 5 became the only stable version under development. Late static binding had been missing from PHP and was added in version 5.3.[17][18]

A new major version has been under development alongside PHP 5 for several years. This version was originally planned to be released as PHP 6 as a result of its significant changes, which included plans for full Unicode support. However, Unicode support took developers much longer to implement than originally thought, and the decision was made in March 2010[19] to move the project to a branch, with features still under development moved to trunk.

Changes in the new code include the removal of register_globals,[20] magic quotes, and safe mode.[14][21] The reason for the removals was that register_globals had opened security holes by intentionally allowing runtime data injection, and the use of magic quotes had an unpredictable nature. Instead, to escape characters, magic quotes may be replaced with the addslashes() function, or more appropriately an escape mechanism specific to the database vendor itself like mysql_real_escape_string() for MySQL. Functions that will be removed in future versions and have been deprecated in PHP 5.3 will produce a warning if used.[22]

Many high-profile open-source projects ceased to support PHP 4 in new code as of February 5, 2008, because of the GoPHP5 initiative,[23] provided by a consortium of PHP developers promoting the transition from PHP 4 to PHP 5.[24][25]

PHP interpreters are available on most existing 32-bit and 64-bit operating systems, either by building them from the PHP source code, or by using pre-built binaries.[26] For the PHP versions 5.3 and 5.4, the only available Microsoft Windows binary distributions were 32-bit x86 builds,[27][28] requiring Windows 32-bit compatibility mode while using Internet Information Services (IIS) on a 64-bit Windows platform. PHP version 5.5 made the 64-bit x86-64 builds available for Microsoft Windows.[29]

Release history[edit]

Key
Color Meaning Development
Red Old release No development
Yellow Stable release Security fixes
Green Stable release Bug and security fixes
Blue Future release New features
Version Release date Supported until[30] Notes
1.0 1995-06-08 Officially called "Personal Home Page Tools (PHP Tools)". This is the first use of the name "PHP".[3]
2.0 1997-11-01
3.0 1998-06-06 2000-10-20 Development moves from one person to multiple developers. Zeev Suraski and Andi Gutmans rewrite the base for this version.[3]
4.0 2000-05-22 2001-01-23 Added more advanced two-stage parse/execute tag-parsing system called the Zend engine.[31]
4.1 2001-12-10 2002-03-12 Introduced 'superglobals' ($_GET, $_POST, $_SESSION, etc.)[31]
4.2 2002-04-22 2002-09-06 Disabled register_globals by default. Data received over the network is not inserted directly into the global namespace anymore, closing possible security holes in applications.[31]
4.3 2002-12-27 2005-03-31 Introduced the command-line interface (CLI), to supplement the CGI.[31][32]
4.4 2005-07-11 2008-08-07 Fixed a memory corruption bug, which required breaking binary compatibility with extensions compiled against PHP version 4.3.x.[33]
5.0 2004-07-13 2005-09-05 Zend Engine II with a new object model.[34]
5.1 2005-11-24 2006-08-24 Performance improvements with introduction of compiler variables in re-engineered PHP Engine.[34] Added PHP Data Objects (PDO) as a consistent interface for accessing databases.[35]
5.2 2006-11-02 2011-01-06 Enabled the filter extension by default. Native JSON support.[34]
5.3 2009-06-30 2014-07[36] Namespace support; late static bindings, Jump label (limited goto), Native closures, Native PHP archives (phar), garbage collection for circular references, improved Windows support, sqlite3, mysqlnd as a replacement for libmysql as underlying library for the extensions that work with MySQL, fileinfo as a replacement for mime_magic for better MIME support, the Internationalization extension, and deprecation of ereg extension.
5.4 2012-03-01 3 years after release[37] Trait support, short array syntax support. Removed items: register_globals, safe_mode, allow_call_time_pass_reference, session_register(), session_unregister() and session_is_registered(). Built-in web server.[38] Several improvements to existing features, performance and reduced memory requirements.
5.5 2013-06-20 3 years after release[37] Support for generators, finally blocks for exceptions handling, Zend Optimizer+ bundled in official distribution.[39]
5.6 No date set No date set Internal operator overloading, GMP changes[40]
6 No date set No date set Although internally commenced in 2007, the development of PHP 6 has been delayed because in 2010 the developers decided to cancel their implementation of instance Unicode and introduce UTF-8 support throughout the entire framework.[41] Most other updates that were intended for PHP 6 were added to PHP 5.3.0 (namespace support, late static bindings, lambda functions, closures, goto) and 5.4.0 (traits, closure rebinding) instead.

Beginning on June 28, 2011, the PHP Group began following a timeline for when new versions of PHP will be released.[37] Under this timeline, at least one release should occur every month. Once per year, a minor release should occur which can include new features. Every minor release should at least have 2 years of security and bug fixes, followed by at least 1 year of only security fixes, for a total of a 3 year release process for every minor release. No new features (unless small and self-contained) will be introduced into a minor release during the 3-year release process.

Syntax[edit]

The following Hello world program is written in PHP code embedded in an HTML document:

<!DOCTYPE html>
<meta charset="utf-8">
<title>PHP Test</title>
<?php
 echo 'Hello World';
?>

However as PHP does not need to be embedded in HTML, or used with a web server, the simplest version of a Hello World program can be written like this:

<?= 'Hello world';

The PHP interpreter only executes PHP code within its delimiters. Anything outside its delimiters is not processed by PHP (although non-PHP text is still subject to control structures described in PHP code). The most common delimiters are <?php to open and ?> to close PHP sections. <script language="php"> and </script> delimiters are also available, as are the shortened forms <? or <?= (which is used to echo back a string or variable) and ?> as well as ASP-style short forms <% or <%= and %>. While short delimiters are used, they make script files less portable as support for them can be disabled in the PHP configuration, and they are therefore discouraged.[42] The purpose of all these delimiters is to separate PHP code from non-PHP code, including HTML.[43]

The first form of delimiters, <?php and ?>, in XHTML and other XML documents, creates correctly formed XML "processing instructions".[44] This means that the resulting mixture of PHP code and other markup in the server-side file is itself well-formed XML.

Variables are prefixed with a dollar symbol, and a type does not need to be specified in advance. Unlike function and class names, variable names are case sensitive. Both double-quoted ("") and heredoc strings provide the ability to interpolate a variable's value into the string.[45] PHP treats newlines as whitespace in the manner of a free-form language (except when inside string quotes), and statements are terminated by a semicolon.[46] PHP has three types of comment syntax: /* */ marks block and inline comments; // as well as # are used for one-line comments.[47] The echo statement is one of several facilities PHP provides to output text, e.g., to a web browser.

In terms of keywords and language syntax, PHP is similar to most high level languages that follow the C style syntax. if conditions, for and while loops, and function returns are similar in syntax to languages such as C, C++, C#, Java and Perl.

Data types[edit]

PHP stores whole numbers in a platform-dependent range, either a 64-bit or 32-bit signed integer equivalent to the C-language long type. Unsigned integers are converted to signed values in certain situations; this behavior is different from other programming languages.[48] Integer variables can be assigned using decimal (positive and negative), octal, hexadecimal, and binary notations.

Floating point numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of scientific notation.[49] PHP has a native Boolean type that is similar to the native Boolean types in Java and C++. Using the Boolean type conversion rules, non-zero values are interpreted as true and zero as false, as in Perl and C++.[49]

The null data type represents a variable that has no value; NULL is the only allowed value for this data type.[49]

Variables of the "resource" type represent references to resources from external sources. These are typically created by functions from a particular extension, and can only be processed by functions from the same extension; examples include file, image, and database resources.[49]

Arrays can contain elements of any type that PHP can handle, including resources, objects, and even other arrays. Order is preserved in lists of values and in hashes with both keys and values, and the two can be intermingled.[49] PHP also supports strings, which can be used with single quotes, double quotes, nowdoc or heredoc syntax.[50]

The Standard PHP Library (SPL) attempts to solve standard problems and implements efficient data access interfaces and classes.[51]

Functions[edit]

PHP has hundreds of base functions and thousands more via extensions. These functions are well documented on the PHP site; however, the built-in library has a wide variety of naming conventions and inconsistencies.[52] One cause of the inconsistent functions naming is that early versions of PHP internally used string length as a hash function for function names, thus using inconsistent names made it easier to get a more uniform distribution of hash values.[53] PHP currently has no functions for thread programming, although it does support multi process programming on POSIX systems.[54]

Additional functions can be defined by a developer:

function myFunction()  // defines a function, this one is named "myFunction"
{
    return 'John Doe'; // returns the value 'John Doe'
}
 
echo 'My name is ' . myFunction() . '!'; //outputs the text concatenated with the return value of myFunction.
 
// myFunction() is called as the result of this syntax.
// The result of the output will be 'My name is John Doe!'

In PHP 5.2 and earlier, functions are not first-class functions and can only be referenced by their name, directly or dynamically by a variable containing the name of the function.[55] User-defined functions can be created at any time without being prototyped.[55] Functions can be defined inside code blocks, permitting a run-time decision as to whether or not a function should be defined. Function calls must use parentheses, with the exception of zero argument class constructor functions called with the PHP new operator, where parentheses are optional.

PHP supports quasi-anonymous functions through the create_function() function, although they are not true anonymous functions because anonymous functions are nameless, but functions can only be referenced by name, or indirectly through a variable $function_name();, in PHP.[55]

PHP gained support for closures in PHP 5.3. That way, true anonymous functions are supported using syntax from the following example:

function getAdder($x)
{
    return function($y) use ($x)
           {
               return $x + $y;
           };
}
 
$adder = getAdder(8);
echo $adder(2); // prints "10"

Here, the getAdder() function creates a closure using passed argument $x (the keyword use imports a variable from the lexical context), which takes an additional argument $y, and returns the created closure to the caller. Such a function is a first-class object, meaning that it can be stored in a variable, passed as a parameter to other functions, etc. For more details, see the Lambda functions and closures RFC.

The goto flow control statement is used as in the following example:

function lock()
{
    $file = fopen('file.txt', 'r+');
 
retry:
    if (!flock($file, LOCK_EX | LOCK_NB))
        goto retry;
 
    fwrite($file, 'Success!');
    fclose($file);
}

When flock() is called, PHP opens a file and tries to lock it. The target label retry: defines the point to which execution should return if flock() is unsuccessful and goto retry; is called. The goto statement is restricted and requires that the target label be in the same file and context.

The goto statement has been supported since PHP 5.3.

Objects[edit]

Basic object-oriented programming functionality was added in PHP 3 and improved in PHP 4.[3] Object handling was completely rewritten for PHP 5, expanding the feature set and enhancing performance.[56] In previous versions of PHP, objects were handled like value types.[56] The drawback of this method was that the whole object was copied when a variable was assigned or passed as a parameter to a method. In the new approach, objects are referenced by handle, and not by value.

PHP 5 introduced private and protected member variables and methods, along with abstract classes, final classes, abstract methods, and final methods. It also introduced a standard way of declaring constructors and destructors, similar to that of other object-oriented languages such as C++, and a standard exception handling model. Furthermore, PHP 5 added interfaces and allowed for multiple interfaces to be implemented. There are special interfaces that allow objects to interact with the runtime system. Objects implementing ArrayAccess can be used with array syntax and objects implementing Iterator or IteratorAggregate can be used with the foreach language construct. There is no virtual table feature in the engine, so static variables are bound with a name instead of a reference at compile time.[57]

If the developer creates a copy of an object using the reserved word clone, the Zend engine will check if a __clone() method has been defined or not. If not, it will call a default __clone() which will copy the object's properties. If a __clone() method is defined, then it will be responsible for setting the necessary properties in the created object. For convenience, the engine will supply a function that imports the properties of the source object, so that the programmer can start with a by-value replica of the source object and only override properties that need to be changed.[58]

The following is a basic example of object-oriented programming in PHP:

class Person
{
    public $firstName;
    public $lastName;
 
    public function __construct($firstName, $lastName = '') { // optional second argument
        $this->firstName = $firstName;
        $this->lastName = $lastName;
    }
 
    public function greet() {
        return 'Hello, my name is ' . $this->firstName . ' ' . $this->lastName . '.';
    }
 
    public static function staticGreet($firstName, $lastName) {
        return 'Hello, my name is ' . $firstName . ' ' . $lastName . '.';
    }
}
 
$he    = new Person('John', 'Smith');
$she   = new Person('Sally', 'Davis');
$other = new Person('iAmine');
 
echo $he->greet(); // prints "Hello, my name is John Smith."
echo '<br />';
echo $she->greet(); // prints "Hello, my name is Sally Davis."
echo '<br />';
echo $other->greet(); // prints "Hello, my name is iAmine ."
echo '<br />';
echo Person::staticGreet('Jane', 'Doe'); // prints "Hello, my name is Jane Doe."

The visibility of PHP properties and methods is defined using the keywords public, private, and protected. The default is public, if only var is used; var is a synonym for public. Items declared public can be accessed everywhere. protected limits access to inherited classes (and to the class that defines the item). private limits visibility only to the class that defines the item.[59] Objects of the same type have access to each other's private and protected members even though they are not the same instance. PHP's member visibility features have sometimes been described as "highly useful."[60] However, they have also sometimes been described as "at best irrelevant and at worst positively harmful."[61]

Implementations[edit]

The PHP language was originally implemented as an interpreter, and this is still the most popular implementation. Several compilers have been developed which decouple the PHP language from the interpreter. Advantages of compilation include better execution speed, static analysis, and improved interoperability with code written in other languages.[62]

PHP compilers of note include Phalanger, which compiles PHP into Common Intermediate Language (CIL) bytecode, and HipHop, developed at Facebook and now available as open source, which transforms the PHP Script into C++, then compiles it, reducing server load up to 50% .

PHP source code is compiled on-the-fly to an internal format that can be executed by the PHP engine.[63][64] In order to speed up execution time and not have to compile the PHP source code every time the web page is accessed, PHP scripts can also be deployed in executable format using a PHP compiler.

Code optimizers aim to enhance the performance of the compiled code by reducing its size, merging redundant instructions and making other changes that can reduce the execution time. With PHP, there are often opportunities for code optimization.[65] An example of a code optimizer is the eAccelerator PHP extension.

Another approach for reducing compilation overhead for PHP servers is using an opcode cache. Opcode caches work by caching the compiled form of a PHP script (opcodes) in shared memory to avoid the overhead of parsing and compiling the code every time the script runs. An opcode cache, Zend Opcache, is built into PHP since version 5.5.[66] Another example of a widely used opcode cache is the Alternative PHP Cache (APC), which is available as a PECL extension.[67]

Licensing[edit]

PHP is free software released under the PHP License, which stipulates that:[68]

Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".

This restriction on use of the name PHP makes it incompatible with the GNU General Public License (GPL).[69]

Development and community[edit]

PHP includes free and open source libraries with the core build. PHP is a fundamentally Internet-aware system with modules built in for accessing File Transfer Protocol (FTP) servers, many database servers, embedded SQL libraries such as embedded PostgreSQL, MySQL, Microsoft SQL Server and SQLite, LDAP servers, and others. Many functions familiar to C programmers such as those in the stdio family are available in the standard PHP build.[70]

PHP allows developers to write extensions in C to add functionality to the PHP language. These can then be compiled into PHP or loaded dynamically at runtime. Extensions have been written to add support for the Windows API, process management on Unix-like operating systems, multibyte strings (Unicode), cURL, and several popular compression formats. Other features include integration with IRC, dynamic generation of images and Adobe Flash content, and even speech synthesis. The language's core functions such as those dealing with strings and arrays are also implemented as an extension.[71] The PHP Extension Community Library (PECL) project is a repository for extensions to the PHP language.[72] PDO - (PHP Data Objects) is an interface for accessing databases.[73][74][75][76][77][78][79]

Zend Technologies provides a certification exam for programmers to become certified PHP developers.

Installation and configuration[edit]

There are two primary ways for adding support for PHP to a web server. For many web servers PHP has a direct module interface called Server Application Programming Interface (SAPI). These web servers include Apache HTTP Server, Microsoft IIS, Netscape (now defunct) and iPlanet. Some other web servers support the Internet Server Application Programming Interface (ISAPI), Microsoft's web server module interface (OmniHTTPd for example). If PHP has no module support for a web server, it can always be used as a Common Gateway Interface (CGI) or FastCGI processor. That way, web server is configured to use the CGI executable of PHP to process all requests to PHP files.[80]

PHP-FPM (FastCGI Process Manager) is an alternative FastCGI implementation for PHP, bundled with the official PHP distribution since version 5.3.3.[81] When compared to the older FastCGI implementation, it contains some additional features, mostly useful for heavily loaded web servers.[82]

When using PHP for command-line scripting, a PHP command-line interface (CLI) executable is needed. PHP supports a CLI SAPI as of PHP 4.3.0.[83] The main focus of this SAPI is developing shell applications using PHP. There are quite a few differences between the CLI SAPI and other SAPIs, although they do share many of the same behaviors.[84]

PHP can also be used for writing desktop graphical user interface (GUI) applications, by using the PHP-GTK extension. PHP-GTK is not included in the official PHP distribution,[80] and as an extension it can be used only with PHP versions 5.1.0 and newer. The most common way of installing PHP-GTK is compiling it from the source code.[85]

When PHP is installed and used in cloud environments, software development kits (SDKs) are provided for using cloud-specific features. For example:

Numerous configuration options are supported, affecting both core PHP features and extensions.[86][87] Configuration file php.ini is searched for in different locations, depending on the way PHP is used.[88] Configuration file is split into various sections,[89] while some of the configuration options can be also set within the web server configuration.[90]

Use[edit]

Broad overview of the LAMP software bundle, displayed here together with Squid. A high-performance and high-availability web server solution providing security in a hostile environment.

PHP is a general-purpose scripting language that is especially suited to server-side web development where PHP generally runs on a web server. Any PHP code in a requested file is executed by the PHP runtime, usually to create dynamic web page content or dynamic images used on websites or elsewhere.[91] It can also be used for command-line scripting and client-side graphical user interface (GUI) applications. PHP can be deployed on most web servers, many operating systems and platforms, and can be used with many relational database management systems (RDBMS). Most web hosting providers support PHP for use by their clients. It is available free of charge, and the PHP Group provides the complete source code for users to build, customize and extend for their own use.[7]

PHP acts primarily as a filter,[92] taking input from a file or stream containing text and/or PHP instructions and outputting another stream of data; most commonly the output will be HTML, although it could be JSON, XML or image data, among others useful in web development. Since PHP 4, the PHP parser compiles input to produce bytecode for processing by the Zend Engine, giving improved performance over its interpreter predecessor.[93]

Originally designed to create dynamic web pages, PHP now focuses mainly on server-side scripting,[94] and it is similar to other server-side scripting languages that provide dynamic content from a web server to a client, such as Microsoft's ASP.NET, Sun Microsystems' JavaServer Pages,[95] and mod_perl. PHP has also attracted the development of many software frameworks that provide building blocks and a design structure to promote rapid application development (RAD). Some of these include PRADO, CakePHP, Symfony, CodeIgniter, Laravel, Yii Framework, and Zend Framework, offering features similar to other web application frameworks.

The LAMP architecture has become popular in the web industry as a way of deploying web applications. PHP is commonly used as the P in this bundle alongside Linux, Apache and MySQL, although the P may also refer to Python, Perl, or some mix of the three. Similar packages are also available for Windows and OS X, then called WAMP and MAMP, with the first letter standing for the respective operating system. Although both PHP and Apache are provided as part of the Mac OS X base install, users of these packages seek a simpler installation mechanism that can be more easily kept up to date.

As of April 2007, over 20 million Internet domains had web services hosted on servers with PHP installed and mod_php was recorded as the most popular Apache HTTP Server module.[96] PHP is used as the server-side programming language on 75% of all websites whose server-side programming language is known,[97] and PHP is the most-used open source software within enterprises.[98] Web content management systems written in PHP include MediaWiki,[99] Joomla, eZ Publish, SilverStripe,[100] WordPress,[101] Drupal,[102] Moodle,[103] the user-facing portion of Facebook,[104] and Digg.[105]

For specific and more advanced usage scenarios, PHP offers a well defined and documented way for writing custom extensions in C or C++.[106][107][108][109][110][111][112] Besides extending the language itself in form of additional libraries, extensions are providing a way for improving execution speed where it is critical and there is room for improvements by using a true compiled language.[113][114] PHP also offers well defined ways for embedding itself into other software projects. That way PHP can be easily used as an internal scripting language for another project, also providing tight interfacing with the project's specific internal data structures.[115]

Security[edit]

About 30% of all vulnerabilities listed on the National Vulnerability Database are linked to PHP.[116] These vulnerabilities are caused mostly by not following best-practice programming rules. Technical security flaws of the language itself or of its core libraries are not frequent (23 in 2008, about 1% of the total).[117][118] Recognizing that programmers make mistakes, some languages include taint checking to automatically detect the lack of input validation which induces many issues. Such a feature is being developed for PHP,[119] but its inclusion in a release has been rejected several times in the past.[120][121]

There are advanced protection patches such as Suhosin and Hardening-Patch, especially designed for web hosting environments.[122]

Some of the vulnerabilities are induced by improper PHP's runtime configuration. For example, failing to disable PHP execution for the directory where uploaded images are stored, can result in execution of malicious PHP code embedded within uploaded images.[123][124][125] Another well known example is leaving enabled the dynamic loading of PHP extensions, in a shared hosting environment.[126][127]

Criticism[edit]

One criticism of PHP is that it was not originally designed, but instead it was developed organically.[12]

Security vulnerabilities can be created by certain language features, induced by some of the historically default values for their associated runtime settings. Among these settings, magic_quotes_gpc and register_globals[128] are the best known. The latter made any URL parameters become variables, which—while making programming easier—could create serious security vulnerabilities, as it allowed an attacker to set the value of any variable and interfere with the execution of a PHP script. Support for "magic quotes" and "register globals" has been deprecated as of PHP 5.3.0, and removed as of PHP 5.4.0.[128][129]

Inconsistent naming of functions comes from early versions of PHP, where string length was internally used as a hash function for function names.[53]

PHP also lacks features such as native Unicode support and multithreading at the core level,[130][131][132] though using threads is made possible by the pthreads PECL extension.[133]

See also[edit]

References[edit]

  1. ^ a b Lerdorf, Rasmus (2007-04-26). "PHP on Hormones – history of PHP presentation by Rasmus Lerdorf given at the MySQL Conference in Santa Clara, California". The Conversations Network. Retrieved 2009-12-11. 
  2. ^ "PHP Usage Stats". Retrieved 2013-04-01. 
  3. ^ a b c d e f g h i j "History of PHP and related projects". The PHP Group. Retrieved 2008-02-25. 
  4. ^ "History of PHP". php.net. 
  5. ^ PHP Manual: Preface, www.php.net
  6. ^ "Introduction: What can PHP do?". PHP Manual. Retrieved 2009-03-05. 
  7. ^ a b "Embedding PHP in HTML". O'Reilly. 2001-05-03. Retrieved 2008-02-25. 
  8. ^ Lerdorf, Rasmus (2007-04-26). "PHP on Hormones" (mp3). The Conversations Network. Retrieved 2009-06-22. 
  9. ^ Lerdorf, Rasmus (2007). "Slide 3". slides for 'PHP on Hormones' talk. The PHP Group. Retrieved 2009-06-22. 
  10. ^ Lerdorf, Rasmus (June 8, 1995). "Announce: Personal Home Page Tools (PHP Tools)". Retrieved 7 June 2011. 
  11. ^ Lerdorf, Rasmus (1995-06-08). "Announce: Personal Home Page Tools (PHP Tools)". comp.infosystems.www.authoring.cgi. Web link. Retrieved 2006-09-17.
  12. ^ a b "Rasmus Lerdorf, Senior Technical Yahoo: PHP, Behind the Mic". 2003-11-19. Archived from the original on 2013-07-28. , cited at Felipe Ribeiro (Aug 7, 2012). "This Is Not Another "PHP Sucks" Article". 
  13. ^ "Zend Engine version 2.0: Feature Overview and Design". Zend Technologies Ltd. Retrieved 2006-09-17. 
  14. ^ a b "php.net 2007 news archive". The PHP Group. 2007-07-13. Retrieved 2008-02-22. 
  15. ^ Kerner, Sean Michael (2008-02-01). "PHP 4 is Dead—Long Live PHP 5". InternetNews. Retrieved 2008-03-16. 
  16. ^ Trachtenberg, Adam (2004-07-15). "Why PHP 5 Rocks!". O'Reilly. Retrieved 2008-02-22. 
  17. ^ "Late Static Binding in PHP". Digital Sandwich. 2006-02-23. Retrieved 2008-03-25. 
  18. ^ "Static Keyword". The PHP Group. Retrieved 2008-03-25. 
  19. ^ "PHP 6". The PHP project. Retrieved 2010-03-27. 
  20. ^ "Using Register Globals". PHP. Retrieved 2008-04-04. 
  21. ^ "Prepare for PHP 6". CorePHP. 2005-11-23. Retrieved 2008-03-24. 
  22. ^ "PHP 5.3 migration guide". The PHP project. Retrieved 2009-07-03. 
  23. ^ "GoPHP5". 
  24. ^ GoPHP5. "PHP projects join forces to Go PHP 5" (PDF). GoPHP5 Press Release. Retrieved 2008-02-23. 
  25. ^ "GoPHP5". GoPHP5. Retrieved 2008-02-22. 
  26. ^ "PHP Installation and Configuration". php.net. Retrieved 2013-10-29. 
  27. ^ "PHP for Windows: Binaries and sources releases (5.3)". php.net. Retrieved 2013-10-29. 
  28. ^ "PHP for Windows: Binaries and sources releases (5.4)". php.net. Retrieved 2013-10-29. 
  29. ^ "PHP for Windows: Binaries and sources releases (5.5)". php.net. Retrieved 2013-10-29. 
  30. ^ "Unsupported Branches". PHP. Retrieved 2013-08-16. 
  31. ^ a b c d "PHP: PHP 4 ChangeLog". The PHP Group. 2008-01-03. Retrieved 2008-02-22. 
  32. ^ "Using PHP from the command line". PHP Manual. The PHP Group. Retrieved 2009-09-11. 
  33. ^ "PHP 4.4.0 Release Announcement". PHP Mannual. The PHP Group. Retrieved 2013-11-24. 
  34. ^ a b c "PHP: PHP 5 ChangeLog". The PHP Group. 2007-11-08. Retrieved 2008-02-22. 
  35. ^ "PHP manual: PDO". The PHP Group. 2011-11-15. Retrieved 2011-11-15. 
  36. ^ "News Archive - 2013". PHP. Retrieved 2013-08-16. 
  37. ^ a b c "PHP: Release Process". 2011-06-20. Retrieved 2013-10-06. 
  38. ^ "Built-in web server". Retrieved March 26, 2012. 
  39. ^ "PHP 5.5.0 changes". Retrieved 2013-06-20. 
  40. ^ "PHP: rfc:operator_overloading_gmp [PHP Wiki]". Wiki.php.net. Retrieved 2013-08-16. 
  41. ^ "PHP 6: Features, Release Date, Hosting and Download". Retrieved May 6, 2011. 
  42. ^ "PHP: Basic syntax". The PHP Group. Retrieved 2008-02-22. 
  43. ^ "Your first PHP-enabled page". The PHP Group. Retrieved 2008-02-25. 
  44. ^ Bray, Tim; et al (26 November 2008). "Processing Instructions". Extensible Markup Language (XML) 1.0 (Fifth Edition). W3C. Retrieved 2009-06-18. 
  45. ^ "Variables". The PHP Group. Retrieved 2008-03-16. 
  46. ^ "Instruction separation". The PHP Group. Retrieved 2008-03-16. 
  47. ^ "Comments". The PHP Group. Retrieved 2008-03-16. 
  48. ^ "Integers in PHP, running with scissors, and portability". MySQL Performance Blog. March 27, 2007. Retrieved 2007-03-28. 
  49. ^ a b c d e "Types". The PHP Group. Retrieved 2008-03-16. 
  50. ^ "Strings". The PHP Group. Retrieved 2008-03-21. 
  51. ^ "SPL — StandardPHPLibrary". PHP.net. March 16, 2009. Retrieved 2009-03-16. 
  52. ^ "Problems with PHP". Retrieved 20 December 2010. 
  53. ^ a b Rasmus Lerdorf (Dec 16, 2013). "Re: Flexible function naming". php.internals. Web link. Retrieved December 26, 2013.
  54. ^ "PHP.NET: Process Control". Retrieved 2009-08-06. 
  55. ^ a b c "Functions". The PHP Group. Retrieved 2008-03-16. 
  56. ^ a b "PHP 5 Object References". mjtsai. Retrieved 2008-03-16. 
  57. ^ "Classes and Objects (PHP 5)". The PHP Group. Retrieved 2008-03-16. 
  58. ^ "Object cloning". The PHP Group. Retrieved 2008-03-16. 
  59. ^ "Visibility". PHP Manual. Theserverpages.com. 2005-05-19. Retrieved 2010-08-26. 
  60. ^ Gervasio, Alejandro. "More on Private Methods with PHP 5 Member Visibility". devshed.com. Retrieved 24 November 2010. 
  61. ^ "Visibility in PHP: Public, Private and Protected". Aperiplus.sourceforge.net. Retrieved 2010-08-26. 
  62. ^ Favre-Félix, Nicolas (2010-02-16). "A review of PHP compilers and their outputs". Technow.owlient.eu. Retrieved 2010-05-20. [dead link]
  63. ^ "How do computer languages work?". Retrieved 2009-11-04. 
  64. ^ (Gilmore 2006, p. 43)
  65. ^ "PHP Accelerator 1.2 (page 3, Code Optimisation)" (PDF). Nick Lindridge. Retrieved 2008-03-28. 
  66. ^ "[VOTE] Integrating Zend Optimizer+ into the PHP distribution". PHP.net. Retrieved 2013-03-08. 
  67. ^ "Alternative PHP Cache". PHP.net. Retrieved 2013-09-21. 
  68. ^ "The PHP License, version 3.01". Retrieved 2010-05-20. 
  69. ^ "GPL-Incompatible, Free Software Licenses". Various Licenses and Comments about Them. Free Software Foundation. Retrieved 2011-01-03. 
  70. ^ "PHP Function List". The PHP Group. Retrieved 2008-02-25. 
  71. ^ Cross Reference: /PHP_5_4/ext/standard/
  72. ^ "Developing Custom PHP Extensions". devnewz. 2002-09-09. Archived from the original on 2008-02-18. Retrieved 2008-02-25. 
  73. ^ "Introduction - Manual". PHP. 2013-06-07. Retrieved 2013-06-13. 
  74. ^ O'Reilly Networks - ONLamp
  75. ^ IBM DeveloperWorks
  76. ^ "Five common PHP database problems". 128.ibm.com. 2006-08-01. Retrieved 2013-06-13. 
  77. ^ IBM Redbooks
  78. ^ php|architect
  79. ^ Info
  80. ^ a b "General Installation Considerations". PHP.net. Retrieved 2013-09-22. 
  81. ^ "News Archive: PHP 5.3.3 Released!". PHP.net. 2010-07-22. 
  82. ^ "FastCGI Process Manager (FPM)". PHP.net. Retrieved 2013-09-22. 
  83. ^ "Command line usage: Introduction". PHP.net. Retrieved 2013-09-22. 
  84. ^ "Command line usage: Differences to other SAPIs". PHP.net. Retrieved 2013-09-22. 
  85. ^ "Installing PHP-GTK 2". PHP.net. Retrieved 2013-09-22. 
  86. ^ "Runtime configuration: Table of contents". PHP.net. Retrieved 2013-09-22. 
  87. ^ "php.ini directives: List of php.ini directives". PHP.net. Retrieved 2013-09-22. 
  88. ^ "Runtime configuration: The configuration file". PHP.net. Retrieved 2013-09-22. 
  89. ^ "php.ini directives: List of php.ini sections". PHP.net. Retrieved 2013-09-22. 
  90. ^ "Runtime configuration: Where a configuration setting may be set". PHP.net. Retrieved 2013-09-22. 
  91. ^ "PHP Manual Image Processing and GD;". php.net. Retrieved 2011-04-09. 
  92. ^ Archived June 11, 2008 at the Wayback Machine[not in citation given]
  93. ^ "PHP and MySQL". University of Alabama. Archived from the original on 2008-02-28. Retrieved 2008-02-25. 
  94. ^ "PHP Server-Side Scripting Language". Indiana University. 2007-04-04. Retrieved 2008-02-25. 
  95. ^ "JavaServer Pages Technology — JavaServer Pages Comparing Methods for Server-Side Dynamic Content White Paper". Sun Microsystems. Retrieved 2008-02-25. 
  96. ^ "PHP: PHP Usage Stats". SecuritySpace. 2007-04-01. Retrieved 2008-02-24. 
  97. ^ "Usage of server-side programming languages for websites". W3Techs. 2010-10-29. Retrieved 2010-10-29. 
  98. ^ "PHP and Perl crashing the enterprise party". 
  99. ^ "Manual:Installation requirements#PHP". MediaWiki. 2010-01-25. Retrieved 2010-02-26. "PHP is the programming language in which MediaWiki is written [...]" 
  100. ^ "System requirements of SilverStripe". Retrieved 2012-03-05. "SilverStripe requires PHP 5.2+" 
  101. ^ "About WordPress". Retrieved 2010-02-26. "WordPress was [...] built on PHP" 
  102. ^ "PHP and Drupal". Drupal.org. Retrieved 2010-06-13. 
  103. ^ "About". Moodle.org. Retrieved 2009-12-20. 
  104. ^ "PHP and Facebook | Facebook". Blog.facebook.com. Retrieved 2009-07-29. 
  105. ^ "PHP and Digg". O'Reilly. Retrieved 2010-06-13. 
  106. ^ "PHP at the core: Extension structure". PHP.net. Retrieved 2013-09-22. 
  107. ^ "PHP at the core: The "counter" Extension - A Continuing Example". PHP.net. Retrieved 2013-09-22. 
  108. ^ "Extension Writing Part I: Introduction to PHP and Zend". Zend Technologies. 2005-03-01. Retrieved 2013-09-22. 
  109. ^ "Extension Writing Part II: Parameters, Arrays, and ZVALs". Zend Technologies. 2005-06-06. Retrieved 2013-09-22. 
  110. ^ "Extension Writing Part II: Parameters, Arrays, and ZVALs [continued]". Zend Technologies. 2005-06-06. Retrieved 2013-09-22. 
  111. ^ "Extension Writing Part III: Resources". Zend Technologies. 2006-05-12. Retrieved 2013-09-22. 
  112. ^ "Wrapping C++ Classes in a PHP Extension". Zend Technologies. 2009-04-22. Retrieved 2013-09-22. 
  113. ^ "Extending PHP with C++?". Stack Overflow. Retrieved 2013-09-22. 
  114. ^ "How can I use C++ code to interact with PHP?". Stack Overflow. Retrieved 2013-09-22. 
  115. ^ Golemon, Sara (2006). Extending and Embedding PHP. ISBN 978-0-672-32704-9. 
  116. ^ "PHP-related vulnerabilities on the National Vulnerability Database". Retrieved 2012-07-05. 
  117. ^ "Security and... Driving? (and Hiring)". Sean Coates. Retrieved 2009-07-29. 
  118. ^ Computerworlduk.com, Interview: Ivo Jansch, February 26, 2008
  119. ^ "PHP Taint Mode RFC". 
  120. ^ "Developer Meeting Notes, Nov. 2005". 
  121. ^ "Taint mode decision, November 2007". 
  122. ^ "Hardened-PHP Project". 2008-08-15. 
  123. ^ "PHP Security Exploit With GIF Images". 2007-06-22. Retrieved 2013-09-22. 
  124. ^ "PHP security exploit with GIF images". PHP Classes blog. 2007-06-20. Retrieved 2013-09-22. 
  125. ^ "Passing Malicious PHP Through getimagesize()". 2007-06-04. Retrieved 2013-09-22. 
  126. ^ "PHP function reference: dl()". PHP.net. Retrieved 2013-09-22. 
  127. ^ "My host won't fix their Trojan". WebHosting Talk. Retrieved 2013-09-22. 
  128. ^ a b "Security: Using Register Globals". PHP Manual. PHP.net. Retrieved 2013-09-22. 
  129. ^ "Magic Quotes". PHP Manual. PHP.net. Retrieved 2014-01-17. 
  130. ^ "Types: Strings". PHP Manual. PHP.net. Retrieved 2013-09-22. 
  131. ^ "Details of the String Type". PHP Manual. PHP.net. Retrieved 2013-09-22. 
  132. ^ "Bug Request #46919: Multi threading". PHP.net. Retrieved 2013-09-22. 
  133. ^ "pthreads: Introduction". PHP Manual. PHP.net. Retrieved 2013-09-22. 

External links[edit]