PHP 4.1.0 Release Announcement PHP 4.1.0 Release Announcement (1) After a lengthy QA process, PHP 4.1.0 is finally out. Download at http://www.php.net/downloads.php ! PHP 4.1.0 includes several other key improvements: - A new input interface for improved security (read below) - Highly improved performance in general - Revolutionary performance and stability improvements under Windows. The multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as much as 30 times faster under load! We want to thank Brett Brewer and his team in Microsoft for working with us to improve PHP for Windows. Revolutionary performance and stability under Windows . Multi-threaded server module provides 30 times faster performance. - Versioning support for extensions. Right now its barely being used, but the infrastructure was put in place to support separate version numbers for different extensions. The negative side effect is that loading extensions that were built against old versions of PHP will now result in a crash, instead of in a nice clear message. Make sure you only use extensions built with PHP 4.1.0. Extension translation support, which is rarely used now, but the infrastructure is put in place to support certain extension modules with different versions. . The negative impact is that it conflicts with older versions of extension modules. You need to make sure to use the php4.1.0 extension module. - Turn-key output compression support Support Turn-key output compression - *LOTS* of fixes and new functions Many places have been corrected and many functions have been added. As some of you may notice, this version is quite historical, as its the first time in history we actually incremented the middle digit! :) The two key reasons for this unprecedented change were the new input interface, and the broken binary compatibility of modules due to the versioning support. {I don’t understand! ! hehe! Translate after you understand it} Following is a description of the new input mechanism. For a full list of changes in PHP 4.1.0, scroll down to the end of this section. The following is a description of the new input mechanism. See the full list of changes below---------------------------------- SECURITY: NEW INPUT MECHANISM Security: New First and foremost, its important to stress that regardless of anything you may read in the following lines, PHP 4.1.0 *supports* the old input mechanisms from older versions. Old applications should go on working fine without modification! And most importantly, it must be emphasized that it is very important to pay enough attention to the following content. PHP 4.1.0 supports the old input mechanism. Old applications can still run without modification. Now that we have that behind us, lets move on :) For various reasons, PHP setups which rely on register_globals being on (i.e., on form, server and environment variables becoming a part of the global namespace, automatically) are very often exploitable to various degrees. For example, the piece of code: For various reasons, PHP needs to set register_globlas ON (for example, in bidders, servers, environment variables automatically become part of the global namespace), they are often interfered with to varying degrees . Here is a piece of code: May be exploitable, as remote users can simply pass on authenticated as a form variable, and then even if authenticate_user() returns false, $authenticated will actually be set to true. While this looks like a simple For example, in reality, quite a few PHP applications ended up being exploitable by things related to this misfeature. You can cheat by passing the authenticated variable in the form. Even if authenticate_user() returns false, $authenticated is still set to true. This is just a very Simple example, in fact, quite a few programs are fooled by similar buggy features. While it is quite possible to write secure code in PHP, we felt that the fact that PHP makes it too easy to write insecure code was bad, and weve decided to attempt a far-reaching change, and deprecate register_globals. Obviously, because the vast majority of the PHP code in the world relies on the existence of this feature, we have no plans to actually remove it from PHP anytime in the foreseeable future, but weve decided to encourage people to shut it off whenever possible. Of course, it is perfectly possible to write safe PHP code, and we feel that the fact that PHP makes it very easy to write unsafe code is a very bad thing. We decided to try a far-reaching change. Against register_globals. Obviously, since most code relies on this feature, there is no way we can actually remove it at some point in the future. But we decided to encourage people to turn it off. To help users build PHP applications with register_globals being off, weve added several new special variables that can be used instead of the old global variables. There are 7 new special arrays: When creating a PHP application, we added some new special variables to be used instead of the old global variables.They are 7 new special arrays: $_GET - contains form variables sent through GET $_POST - contains form variables sent through POST $_COOKIE - contains HTTP cookie variables $_SERVER - contains server variables (e.g., REMOTE_ADDR) $_ENV - contains the environment variables $_REQUEST - a merge of the GET variables, POST variables and Cookie variables. In other words - all the information that is coming from the user, and that from a security point of view, cannot be trusted. is a collection of GET/POST/Cookie variables, that is, all the information that comes from the user and the security form information. But from a security perspective, they cannot be trusted. $_SESSION - contains HTTP variables registered by the session module Now, other than the fact that these variables contain this special information, theyre also special in another way - theyre automatically global in any scope. This means that you can access them anywhere, without having to global them first. For example: Now, in fact, these variables contain special information, they are also automatically global variables in any environment. This means you can access them anywhere without having to globalize them. For example: function example1() { print $_GET["name"]; // works, global $_GET; is not necessary! //No need to declare $_GET as a global variable} would work fine! We hope that this fact would ease the pain in migrating old code to new code a bit, and were confident its going to make writing new code easier. Another neat trick is that creating new entries in the $_SESSION array will automatically register them as session variables, as if you called session_register (). This trick is limited to the session module only - for example, setting new entries in $_ENV will *not* perform an implicit putenv(). Works fine. We hope this will make porting old code easier, and we're sure it will make writing new code easier. Another trick is that creating new $_SESSION array entries will automatically register them as session b variables, just like calling session_register(). This trick only works with the session module. For example, setting a new $_ENV entry does not implicitly execute putenv(). PHP 4.1.0 still defaults to have register_globals set to on. Its a transitional version, and we encourage application authors, especially public ones which are used by a wide audience, to change their applications to work in an environment where register_globals is set to off . Of course, they should take advantage of the new features supplied in PHP 4.1.0 that make this transition much easier. PHP 4.1.0 still sets register_globals to On by default. It is a transitional version that our program is doing, especially it is widely used. Accepted, change their application to work with register_globals off. Of course, they need to use the new features of PHP 4.1.0 to make the transition easier. As of the next semi-major version of PHP, new installations of PHP will default to having register_globals set to off. No worries! Existing installations, which already have a php.ini file that has register_globals set to on, will not be affected. Only when you install PHP on a brand new machine (typically, if youre a brand new user), will this affect you, and then too - you can turn it on if you choose to. People set register_globals to off. Don't worry, it has been installed and register_globals has been set to on in php.ini, so it will not be affected. This only affects you if you install php as a new machine (usually a new user) and you can choose to turn it on. Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names still work, but we encourage users to switch to the new shorter, and auto-global versions. $HTTP_G
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
