Last Updated: 2006-08-23 16:25:53 UTC
by Johannes Ullrich (Version: 1)
From a first read, I am not quite happy with the security-related changes. But the document is brief and may not explain all the details. So here are a few of the security-related highlights.
- Dealing with Unicode. Not directly security related. But this could affect some validation functions. Overall there appears to be a global switch covering how to deal with Unicode.
- register_globals is going to go away (Finally ;-) ). This option, which "way back" used to be the default, has been one of the big problems in the past.
- magic_quotes is going to go away. Not sure if I like this. 'magic_quotes' has been an issue for developers who had no control over the PHP configuration (e.g. shared hosting) and had to cover both cases (quotes on/off). But it has been a valuable safety net for others.
- safe_mode feature is going to be removed. Another questionable choice IMHO. The feature had problems in the past, but then again, I would rather see them fixed than have them go away.
- the SOAP extension will support more security options. But it will also be turned on by default.
- the "Hardened PHP patch" will be included (at least pieces of it. Nice!).
- looks like there will be no 'taint' mode, but there may be 'sandboxing'. The notes are a bit brief on this.
- No more '<%'. This could be an issue if your PHP code uses '<%': it will no longer be parsed, and the source code will be visible instead.
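The register_globals and magic_quotes items above both come down to the same advice: application code should not depend on either setting. The following is an added example (not code from the diary or from the PHP project) of an entry point written so that it behaves identically with magic_quotes_gpc on or off and with register_globals on or off, and that escapes at the output boundary (bound SQL parameters, htmlspecialchars() for HTML) instead of relying on php.ini. It assumes PHP 5 with the pdo_sqlite extension for the in-memory database; the table and the `username` parameter are constructed for the example.

```php
<?php
// Added example: input handling that does not rely on register_globals or
// magic_quotes_gpc, so it works the same on a PHP that still has them and on
// one that has removed them.

// 1. magic_quotes_gpc: if it is on, PHP has already backslash-escaped every
//    request value. Undo that once, here, so the rest of the application
//    always sees raw input. function_exists() guards against a PHP where the
//    function itself no longer exists.
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}

// 2. register_globals: never expect request parameters to show up as plain
//    variables, and never leave a security-relevant variable uninitialised.
//    With register_globals on, an uninitialised $authorized could be set
//    from the query string; the explicit default closes that.
$authorized = false;
$username   = isset($_POST['username']) ? (string) $_POST['username'] : '';

// 3. Escape at the boundary where the data is used, not globally in php.ini.
//    Assumption: pdo_sqlite is available; in-memory DB constructed for the example.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')"); // constructed sample row

$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute(array(':name' => $username));        // bound parameter, no quoting needed
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n"; // HTML context
}
```

Doing the stripslashes normalisation once at the front controller is what makes the "cover both cases" burden go away; if it is done per-form instead, a missed form double-escapes or under-escapes depending on the host's setting.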
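Because a file that still uses the ASP-style open tag will be served as literal text once the tag is no longer recognised, it is worth finding such files before upgrading (or before turning the `asp_tags` ini directive off on a current PHP). The following is an added example, not part of the diary, of a small PHP script that walks a source tree and reports every line containing `<%` in files with the PHP extensions assumed here (`.php`, `.inc`, `.phtml`); the directory argument and extension list are assumptions.

```php
<?php
// Added example: report lines that use the ASP-style open tags '<%' / '<%='
// so they can be converted to '<?php' / '<?php echo' before support is dropped.
// Usage: php find_asp_tags.php /path/to/webroot

function find_asp_tags($dir)
{
    $hits = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        // Only look at files PHP would normally parse (extension list is an assumption).
        if (!$file->isFile() || !preg_match('/\.(php|inc|phtml)$/i', $file->getFilename())) {
            continue;
        }
        $lines = file($file->getPathname());
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $n => $line) {
            // '<%' also matches '<%=' (echo form); both stop being parsed.
            if (strpos($line, '<%') !== false) {
                $hits[] = $file->getPathname() . ':' . ($n + 1) . ': ' . trim($line);
            }
        }
    }
    return $hits;
}

$dir  = isset($argv[1]) ? $argv[1] : '.';
$hits = find_asp_tags($dir);
foreach ($hits as $h) {
    echo $h, "\n";
}
echo count($hits), " line(s) with ASP-style tags under ", $dir, "\n";
```

A non-zero count is the signal to convert those files; a quick way to confirm the exposure on a test host is to set `asp_tags=Off` and request one of the reported files, which then comes back with its PHP source in the response body.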
For the full document, see Minutes PHP Developers Meeting.