On Thu, Jun 26, 2008 at 9:56 AM, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Ken Guest (ken at linux.ie):
>> So there are lots of things to say about it - namespaces and late
>> static binding in php5.3, training people to write more secure code
>> (you can write insecure code in pretty much any language - it's all
>> about best practices) and why horrible settings/facilities such as
>> register_globals, safe_mode and magic_quotes are fully removed from
>> php6.
> As someone who hasn't yet played with PHP6, I'd value your comments:
> Is there anything new from the PHP6 world that I should add to "PHP" on
> http://linuxmafia.com/kb/Security/ ? That's my page of recommended
> security-sensitive settings to check in /etc/php?/apache/php.ini,
> believed to be fairly comprehensive through PHP5.
As mentioned:
* all aspects of magic_quotes
* register_globals
* register_long_arrays (such as HTTP_*_VARS - time to get on the
bandwagon and use $_GET & $_POST)
* safe_mode
have been removed. Attempting to use these will cause a new
E_CORE_ERROR to be thrown.
Similarly session_register(), session_unregister() and
session_is_registered() have been removed in php 6.
The dl() function for dynamically loading a module/extension will only
be enabled if it has been registered explicitly. I think this change may
have been implemented to prevent work-arounds for loading modules that
were explicitly disabled in the php.ini file.
Some, perhaps all, patches from the hardened-php project (
http://hardened-php.org/ ) will be applied to php core.
The soap extension will have more security options.
I think that's all of the security related aspects of changes in PHP6
- David Coallier would also be able to advise regarding this.
For reference, I gleaned some of this information from:
http://www.php.net/~derick/meeting-notes.html
http://wiki.php.net/todo/php60
regards
k
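The settings and functions Ken lists above, worked into a PHP 5 audit script together with the replacement for each removed facility. This is an added example, not code from the thread or from the linuxmafia.com kb page; the `users` table and the `page` request parameter are assumptions made for illustration.

```php
<?php
// Added example, not code from the mailing-list thread or from the kb page.
// Runs on PHP 5.2+ from the command line:  php legacy_audit.php
// Assumed (not in the thread): a `users` table with `id` and `name` columns,
// and a `page` request parameter, both only for illustration.

/**
 * Report which of the legacy directives named in the thread are still On in
 * the running interpreter. PHP 6 removes them outright; on PHP 5 they should
 * all be Off. enable_dl is included because the thread notes dl() becomes
 * opt-in, and enable_dl=Off is the PHP 5 way to get the same effect.
 */
function audit_legacy_ini()
{
    $legacy = array(
        'register_globals',
        'register_long_arrays',
        'magic_quotes_gpc',
        'magic_quotes_runtime',
        'magic_quotes_sybase',
        'safe_mode',
        'enable_dl',
    );
    $enabled = array();
    foreach ($legacy as $directive) {
        $value = ini_get($directive);
        // ini_get() returns false for a directive this build does not know
        // (the PHP 6 case) and "" or "0" for one that is present but Off.
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[$directive] = $value;
        }
    }
    return $enabled;
}

/**
 * Replacement for code that relied on register_globals / HTTP_GET_VARS:
 * read the value explicitly from the superglobal and validate it, so a
 * request parameter can never pre-populate an unrelated local variable.
 */
function requested_page_number(array $get)
{
    $page = 1;
    if (isset($get['page'])) {
        $candidate = filter_var($get['page'], FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 1)));
        if ($candidate !== false) {
            $page = $candidate;
        }
    }
    return $page;
}

/**
 * Replacement for session_register('user'): write to $_SESSION directly.
 */
function remember_login($username)
{
    if (session_id() === '') {
        session_start();
    }
    $_SESSION['user'] = $username;
}

/**
 * Replacement for magic_quotes_gpc: a parameterised query keeps the value
 * out of the SQL text, so no escaping layer is needed for any input source.
 */
function find_users_by_name(mysqli $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id, $found);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'name' => $found);
    }
    $stmt->close();
    return $rows;
}

// --- command-line entry point --------------------------------------------
$enabled = audit_legacy_ini();
if ($enabled === array()) {
    echo "OK: none of the legacy directives are enabled\n";
} else {
    foreach ($enabled as $directive => $value) {
        echo "WARNING: $directive is On (value '$value'); set it Off in php.ini\n";
    }
}

// Constructed request array standing in for $_GET: only the key the code
// asks for is used; the extra key is ignored rather than becoming a variable.
$sample_get = array('page' => '3', 'colour' => 'blue');
echo 'page=' . requested_page_number($sample_get) . "\n";
```

On a PHP 5 box the audit mirrors the checks on the kb page; on a PHP 6 build every `ini_get()` call in the list returns false, so the script reports nothing, which is the point of the removal. `find_users_by_name()` is not called from the entry point because it needs a live `mysqli` connection.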