The Future of PHP 6

Posted on December 6, 2005
Filed Under /dev/null/

This is good news for security in PHP: according to these meeting notes from a PHP Developers meeting held recently, there will be no register_globals in PHP 6:

We shortly discussed how we want to attend users on the disappearance of this functionality. We decided that if we find the setting during the startup of PHP we raise an E_CORE_ERROR which will prevent the server from starting with a message that points to the documentation. The documentation should explain why this functionality was removed, and some introduction on safe programming.

The current documentation on register_globals:

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don’t know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this.
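To make the documentation's point concrete, here is an added example (not code from the post, the meeting notes, or the PHP manual) showing the pattern register_globals makes dangerous next to a form that does not depend on it. The user table, check_credentials() and the account name are constructed for illustration; the register_globals behaviour described in the comments is that of PHP 4 and PHP 5 before the setting was removed.

```php
<?php
// Added example, not code from the post or the PHP meeting notes. The user
// table and check_credentials() are constructed stand-ins for a real login.

// Until PHP 6 refuses to start with the setting, a script can refuse on its own.
if (ini_get('register_globals')) {
    die("register_globals is enabled; refusing to run. See the manual entry for register_globals.\n");
}

// Constructed sample account; the password is stored as a password_hash() value.
$users = array('alice' => password_hash('sample-secret', PASSWORD_DEFAULT));

function check_credentials(array $users)
{
    // Read request data only from the superglobals, never from "magic" globals.
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// --- The pattern register_globals made dangerous (shown at script scope,
//     because register_globals wrote request data into the global symbol table) ---
// $authorized is assigned only on the success path. With register_globals on,
// a request parameter named "authorized" would already have populated the
// global variable before this code ran, so the check passes without
// check_credentials() ever succeeding. With it off, PHP instead raises an
// "undefined variable" notice here, which is the bug showing itself.
if (check_credentials($users)) {
    $authorized = true;
}
if ($authorized) {            // reads a variable that may never have been assigned
    $page = 'admin panel';
} else {
    $page = 'login page';
}

// --- Hardened form: identical behaviour whether register_globals is On or Off ---
$authorized = false;          // initialize every variable before its first read
if (check_credentials($users)) {
    $authorized = true;
}
$page = $authorized ? 'admin panel' : 'login page';

echo $page, "\n";
```

The two fixes are the ones the manual text implies: initialize every variable before reading it, and take request data only from the superglobals so it is always clear where a value came from.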

Other items of interest:

Are they really considering adding a GOTO to PHP? How strange:

The name “goto” is misleading, and often associated with BAD THINGS(tm). Because our proposed solution is not a real GOTO construct, we will instead reuse the “break” keyword, and extend it with a static label.

Personally, I come from the land of “GOTO Bad!”, if only because in such an implementation as they’re proposing, having multiple breaks jump to the same label tends to make debugging that much harder. A goto is effectively a hard break (pardon the pun) in the execution path of the code. It may save some code bulk but it generally makes debugging a bitch.

Namespaces were considered but not promised. Personally I like the idea but the proposed Perl-like syntax always looks awkward to me. I much prefer a Java-like syntax. But that’s being really pedantic. Namespaces would be good.

Currently you can call methods both static and dynamic, whether they are marked as static or not

Imagine that, I learn something new every day. I had no idea that we could do that and I like that in PHP 6 we won’t be able to. The tightening up of the behaviours and strictness of the language is a welcome advance.
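As an added illustration of the quoted item (not code from the post or the meeting notes; Counter is an assumed class), this shows the two mismatched call styles that PHP 4 and PHP 5 accept and the strict alternatives:

```php
<?php
// Added example, not code from the post; Counter is an assumed class.
class Counter
{
    public $n = 0;

    public function increment()        // instance method: depends on $this
    {
        $this->n++;
        return $this->n;
    }

    public static function describe()  // static method: no $this involved
    {
        return 'counts things';
    }
}

$c = new Counter();
echo $c->increment(), "\n";            // the intended dynamic call, prints 1

// Static-style call on an instance method. PHP 4 accepts it silently and PHP 5
// accepts it with an E_STRICT notice; inside the method $this is then either
// undefined (a fatal error on use) or, when the call is made from inside another
// object's method, bound to that unrelated object. PHP 7 deprecates the call and
// PHP 8 throws an Error, which is the tightening the post welcomes.
// echo Counter::increment();

// Dynamic-style call on a static method: allowed and harmless, but misleading,
// because it suggests the result depends on $c.
echo $c->describe(), "\n";

// Clearer: call static methods statically, so the reader sees no instance is used.
echo Counter::describe(), "\n";
```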

We kill “<%” but keep “<?”.
Jani will prepare a patch that disallows mixing different open/close tags.
We will not add “<?php =”.

Good news also. Since my first day using ASP, I’ve hated the <%= getSomething() %> convention for writing out in place. Seeing PHP clean up its block declarations and not adopt an ASP-like syntax makes me happy. echo is easy enough to type.

I’m still using PHP 4.3.11 and already looking forward to 6!
