Re: [PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Thomas Deliduka

On 12/11/2001 4:22 PM this was written:

> Yeah, and waiting till Zend is bringing out a working version of Optimizer for
> that PHP version ! :)

It's out Version 1.2.0

-- 

Thomas Deliduka
IT Manager
 -
New Eve Media
The Solution To Your Internet Angst
http://www.neweve.com/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Daniel Urstöger

Just updated PHP to v.4.1.0 about 10 mins ago
Worked pretty good so far ! :)
Will tell about loads soon .. But as far as I see, the load really dropped ...
Yeah, and waiting till Zend is bringing out a working version of Optimizer for
that PHP version ! :)

cya !
Daniel

PS: thx for your efforts !

Re: [PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Zeev Suraski

They'll be posted within a couple of days.

Zeev

At 07:42 11/12/2001, MindHunter wrote:
>Where do we get the Windows Binaries?
>
>Cheers
>MH

Re: [PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Stefan Rusterholz

whoops, you are absolutely right

I'm sorry - big apologies
:~/ *taking myself on my nose*

And I (*stupid*)  had almost downloaded 4.06 twice (since I've 4.06 already
installed) not remarking that these are the "old" 4.06 binaries...
Stefan Rusterholz, [EMAIL PROTECTED]
--
interaktion gmbh
Stefan Rusterholz
Zürichbergstrasse 17
8032 Zürich
--
T. +41 1 253 19 55
F. +41 1 253 19 56
W3 www.interaktion.ch
--
- Original Message -
From: "Richard Black" <[EMAIL PROTECTED]>
To: "PHP" <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 11:22 AM
Subject: RE: [PHP] Re: PHP 4.1.0 released


>
> Um, excuse me for pointing out the obvious, but isn't that the 4.0.6
> Windows binaries? And wasn't the question about the 4.1.0 Windows
> binaries???
>
> Which aren't on php.net yet..
>
> Richy
>
> -Original Message-
> From: Stefan Rusterholz [SMTP:[EMAIL PROTECTED]]
> Sent: 11 December 2001 10:14
> To: MindHunter
> Cc: PHP
> Subject: Re: [PHP] Re: PHP 4.1.0 released
>
> right from http://www.php.net/downloads.php which zeev mentions at the very
> top of his mail:
>
> PHP 4.0.6 installer [755Kb] - 23 June 2001 (link:
> http://www.php.net/do_download.php?download_file=php406-installer.exe)
> (CGI only, MySQL support built-in, packaged as Windows installer to install
> and configure PHP, and automatically configure IIS, PWS and Xitami, with
> manual configuration for other servers. N.B. no external extensions
> included)
>
> Please take your self time and comfort yourself to go to the php.net site
> and take a look yourself to point that bit out yourself - thank you.
> Stefan Rusterholz, [EMAIL PROTECTED]
> --
> interaktion gmbh
> Stefan Rusterholz
> Zurichbergstrasse 17
> 8032 Zurich
> --
> T. +41 1 253 19 55
> F. +41 1 253 19 56
> W3 www.interaktion.ch
> ----------
> ----- Original Message -
> From: "MindHunter" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, December 11, 2001 6:42 AM
> Subject: [PHP] Re: PHP 4.1.0 released
>
>
> > Where do we get the Windows Binaries?
> >
> > Cheers
> > MH
> >

Re: [PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Phil Driscoll

On Tuesday 11 December 2001 10:22 am, Richard Black wrote:
> Um, excuse me for pointing out the obvious, but isn't that the 4.0.6
> Windows binaries? And wasn't the question about the 4.1.0 Windows
> binaries???

The 4.1.0 Windows binaries, and the installer version thereof are currently 
under preparation and will be posted on the site ASAP. We'll make an 
announcement on the lists once they are there.

Cheers
-- 
Phil Driscoll





RE: [PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Richard Black


Um, excuse me for pointing out the obvious, but isn't that the 4.0.6 
Windows binaries? And wasn't the question about the 4.1.0 Windows 
binaries???

Which aren't on php.net yet..

Richy

-Original Message-
From:   Stefan Rusterholz [SMTP:[EMAIL PROTECTED]]
Sent:   11 December 2001 10:14
To: MindHunter
Cc: PHP
Subject:        Re: [PHP] Re: PHP 4.1.0 released

right from http://www.php.net/downloads.php which zeev mentions at the very
top of his mail:

PHP 4.0.6 installer [755Kb] - 23 June 2001 (link:
http://www.php.net/do_download.php?download_file=php406-installer.exe)
(CGI only, MySQL support built-in, packaged as Windows installer to install
and configure PHP, and automatically configure IIS, PWS and Xitami, with
manual configuration for other servers. N.B. no external extensions
included)

Please take your self time and comfort yourself to go to the php.net site
and take a look yourself to point that bit out yourself - thank you.
Stefan Rusterholz, [EMAIL PROTECTED]
--
interaktion gmbh
Stefan Rusterholz
Zurichbergstrasse 17
8032 Zurich
--
T. +41 1 253 19 55
F. +41 1 253 19 56
W3 www.interaktion.ch
--
- Original Message -
From: "MindHunter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 6:42 AM
Subject: [PHP] Re: PHP 4.1.0 released


> Where do we get the Windows Binaries?
>
> Cheers
> MH
>

Re: [PHP] Re: PHP 4.1.0 released

2001-12-11 Thread Stefan Rusterholz

right from http://www.php.net/downloads.php which zeev mentions at the very
top of his mail:

PHP 4.0.6 installer [755Kb] - 23 June 2001 (link:
http://www.php.net/do_download.php?download_file=php406-installer.exe)
(CGI only, MySQL support built-in, packaged as Windows installer to install
and configure PHP, and automatically configure IIS, PWS and Xitami, with
manual configuration for other servers. N.B. no external extensions
included)

Please take your self time and comfort yourself to go to the php.net site
and take a look yourself to point that bit out yourself - thank you.
Stefan Rusterholz, [EMAIL PROTECTED]
--
interaktion gmbh
Stefan Rusterholz
Zürichbergstrasse 17
8032 Zürich
--
T. +41 1 253 19 55
F. +41 1 253 19 56
W3 www.interaktion.ch
--
- Original Message -
From: "MindHunter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 6:42 AM
Subject: [PHP] Re: PHP 4.1.0 released


> Where do we get the Windows Binaries?
>
> Cheers
> MH
>

[PHP] Re: PHP 4.1.0 released

2001-12-11 Thread MindHunter

Where do we get the Windows Binaries?

Cheers
MH

Zeev Suraski <[EMAIL PROTECTED]> wrote in message
news:5.1.0.14.2.20011210234236.0516bec0@localhost...
> After a lengthy QA process, PHP 4.1.0 is finally out.  Download at
> http://www.php.net/downloads.php !
>
> PHP 4.1.0 includes several other key improvements:
> - A new input interface for improved security (read below)
> - Highly improved performance in general
> - Revolutionary performance and stability improvements under Windows.  The
> multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as
> much as 30 times faster under load!  We want to thank Brett Brewer and his
> team in Microsoft for working with us to improve PHP for Windows.
> - Versioning support for extensions.  Right now it's barely being used, but
> the infrastructure was put in place to support separate version numbers for
> different extensions.  The negative side effect is that loading extensions
> that were built against old versions of PHP will now result in a crash,
> instead of in a nice clear message.  Make sure you only use extensions
> built with PHP 4.1.0.
> - Turn-key output compression support
> - *LOTS* of fixes and new functions
>
> As some of you may notice, this version is quite historical, as it's the
> first time in history we actually incremented the middle digit!  :) The two
> key reasons for this unprecedented change were the new input interface, and
> the broken binary compatibility of modules due to the versioning support.
>
> Following is a description of the new input mechanism.  For a full list of
> changes in PHP 4.1.0, scroll down to the end of this section.
>
> ---
>
> SECURITY:  NEW INPUT MECHANISM
>
> First and foremost, it's important to stress that regardless of anything
> you may read in the following lines, PHP 4.1.0 *supports* the old input
> mechanisms from older versions.  Old applications should go on working fine
> without modification!
>
> Now that we have that behind us, let's move on :)
>
> For various reasons, PHP setups which rely on register_globals being on
> (i.e., on form, server and environment variables becoming a part of the
> global namespace, automatically) are very often exploitable to various
> degrees.  For example, the piece of code:
>
> <?php
> if (authenticate_user()) {
>     $authenticated = true;
> }
> ...
> ?>
>
> May be exploitable, as remote users can simply pass on 'authenticated' as a
> form variable, and then even if authenticate_user() returns false,
> $authenticated will actually be set to true.  While this looks like a
> simple example, in reality, quite a few PHP applications ended up being
> exploitable by things related to this misfeature.
>
> While it is quite possible to write secure code in PHP, we felt that the
> fact that PHP makes it too easy to write insecure code was bad, and we've
> decided to attempt a far-reaching change, and deprecate
> register_globals.  Obviously, because the vast majority of the PHP code in
> the world relies on the existence of this feature, we have no plans to
> actually remove it from PHP anytime in the foreseeable future, but we've
> decided to encourage people to shut it off whenever possible.
>
> To help users build PHP applications with register_globals being off, we've
> added several new special variables that can be used instead of the old
> global variables.  There are 7 new special arrays:
>
> $_GET - contains form variables sent through GET
> $_POST - contains form variables sent through POST
> $_COOKIE - contains HTTP cookie variables
> $_SERVER - contains server variables (e.g., REMOTE_ADDR)
> $_ENV - contains the environment variables
> $_REQUEST - a merge of the GET variables, POST variables and Cookie
> variables.  In other words - all the information that is coming from the
> user, and that from a security point of view, cannot be trusted.
> $_SESSION - contains HTTP variables registered by the session module
>
> Now, other than the fact that these variables contain this special
> information, they're also special in another way - they're automatically
> global in any scope.  This means that you can access them anywhere, without
> having to 'global' them first.  For example:
>
> function example1()
> {
>     print $_GET["name"];   // works, 'global $_GET;' is not necessary!
> }
>
> would work fine!  We hope that this fact would ease the pain in migrating
> old code to new code a bit, and we're confident it's going to make writing
> new code easier.  Another neat trick is that creating new entries in the
> $_SESSION array will automatically register them as session variables, as
> if you called session_register().  This trick is limited to the session
> module only - for example, setting new entries in $_ENV will *not* perform
> an implicit putenv().
>
> PHP 4.1.0 still defaults to have register_globals set to on.  It's a
> transitional version, and we encourage application author
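
The register_globals problem described in the announcement quoted above, as an added example that is not part of the original thread or of PHP's own code: the uninitialised-variable pattern beside a version that initialises its state and reads input only from explicit arrays. Because register_globals no longer exists in current PHP, `legacy_page()` simulates it with `extract()`; the function names, the `authenticate_user()` signature and the credentials are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the PHP 4.1.0 announcement.
// register_globals was removed in PHP 5.4, so legacy_page() simulates it with
// extract(). authenticate_user()'s signature and the credentials below are
// constructed for this demo.

const DEMO_USER = 'alice';
const DEMO_PASSWORD = 'constructed-demo-password';

/** Hypothetical credential check standing in for the announcement's authenticate_user(). */
function authenticate_user(array $post): bool
{
    $user = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;
    return $user === DEMO_USER && is_string($pass) && hash_equals(DEMO_PASSWORD, $pass);
}

/**
 * The announcement's pattern under (simulated) register_globals=On:
 * request keys become variables before the page logic runs.
 */
function legacy_page(array $get, array $post): bool
{
    // EXTR_SKIP only protects this function's own $get/$post parameters;
    // any other request key, including 'authenticated', becomes a variable.
    extract(array_merge($get, $post), EXTR_SKIP);

    if (authenticate_user($post)) {
        $authenticated = true;
    }
    // Never initialised on the failure path, so a request-supplied value survives.
    return !empty($authenticated);
}

/** Same page with register_globals off: explicit initialisation, explicit input source. */
function hardened_page(array $get, array $post): bool
{
    $authenticated = false;           // trusted state starts from a known value
    if (authenticate_user($post)) {   // credentials are read from POST only
        $authenticated = true;
    }
    return $authenticated;            // nothing in $get or $post can set this directly
}

/** Deployment check for legacy hosts: is the directive still enabled? */
function register_globals_enabled(): bool
{
    // ini_get() returns false when the directive does not exist (PHP >= 5.4).
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed requests: arrays standing in for $_GET and $_POST.
$requests = [
    'valid login'              => [[], ['user' => 'alice', 'pass' => DEMO_PASSWORD]],
    'wrong password'           => [[], ['user' => 'alice', 'pass' => 'wrong']],
    'wrong password + GET var' => [['authenticated' => '1'], ['user' => 'alice', 'pass' => 'wrong']],
];

printf("register_globals enabled on this host: %s\n", var_export(register_globals_enabled(), true));
foreach ($requests as $label => [$get, $post]) {
    printf("%-26s legacy=%-5s hardened=%s\n", $label,
        var_export(legacy_page($get, $post), true),
        var_export(hardened_page($get, $post), true));
}
```

Run it with the PHP CLI; the two variants disagree only on the request that carries an `authenticated` key alongside a failed login.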