n1o Posted March 21, 2008

Before one starts working on suitable php.ini files, here is a short overview of the most important security options of PHP:

allow_url_fopen (recommended: off) controls whether file accesses may also refer to external URLs or not. If this is forbidden, it becomes harder for an attacker to load harmful programs from the Internet. Since PHP 5.2.0, allow_url_include regulates this behaviour separately for the include() and require() instructions.

display_errors (recommended: off) switches the display of PHP error messages on or off. This is helpful for debugging, but on the other hand it can also give attackers information about the execution that is helpful for further attacks.

disable_functions specifies a list of blocked PHP functions. PHP applications that were developed with security in mind in particular keep a wide berth around potentially dangerous functions such as exec(), so their absence rarely causes them any problems; for many exploits in circulation, however, it very probably does.

open_basedir (recommended: web home) limits the file operations performed by PHP to the indicated directory and the subdirectories it contains. It is possible to indicate several directories, separated by colons. It is important to terminate path entries with a slash, since otherwise they also include all directories whose names begin with the indicated name.

register_globals (recommended: off) controls whether scripts receive parameters from the URL or from POST data as global variables or not. Many weak points in PHP applications can only be exploited if this is the case.

safe_mode (recommended: on) indicates whether PHP is to run in a special secured mode or not. It has extensive effects; for example, an additional UID check takes place on file operations, and access to environment variables is reduced. PHP 6 will no longer contain it, because the developers are of the opinion that its functions do not belong in the domain of a scripting language.
sql.safe_mode regulates a special treatment of logins to database servers. In this mode the PHP functions use exclusively the name of the system user to whom the script belongs for the database login. Since in shared web hosting environments the name of the database user almost never agrees with that of the system user, this option is applicable there only extremely rarely.

A well-secured php.ini has the following contents:

[PHP]
register_globals = off
allow_url_fopen = off
safe_mode = on
open_basedir = <get-track>
disable_functions = exec,system,passthru,shell_exec,popen,escapeshellcmd,proc_open,proc_nice,ini_restore
display_errors = off

@ All: You have done the PHP securing yourself. Now check it ............

Make a new .txt file and copy/insert:

<?php phpinfo(); ?>

Now rename this file to "if you want".php. Upload it to an admin folder. An admin folder should be secured by .htaccess. Load this "if you want".php file from your web browser ... and check your PHP.

Next step, we have to make a new .txt file and paste in:
Disallow: /

Rename this .txt file to robots.txt and upload it to the web root folder. Check the agents here: List of User-Agents

Prepare for PHP 6 - Core

Current PHP 5 stable release: 5.2.5

PHP 6 Core:
- Unicode
- Register Globals to go
- Magic Quotes to go
- Safe Mode to go
- 'var' to alias 'public'
- Return by Reference will error
- zend.ze1 compatibility mode to go
- Freetype 1 and GD 1 support to go
- dl() moves to SAPI only
- FastCGI always on
- Register Long Arrays to go
- Extension Movements
- PHP Engine Additions
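As an added example (not code from the post), the "check your PHP" step done against a php.ini fragment in Python instead of by eye in phpinfo(): it audits the directives the post recommends, applies the post's trailing-slash caveat to every open_basedir entry, and checks that the post's disable_functions list is complete. The two ini fragments are constructed samples.

```python
# Added example: audit a php.ini fragment against the settings the post recommends.
RECOMMENDED = {            # directive -> value the post recommends
    "register_globals": "off",
    "allow_url_fopen": "off",
    "safe_mode": "on",
    "display_errors": "off",
}
# The post's disable_functions list ("ini_res tore" there is the split name ini_restore).
DANGEROUS_FUNCTIONS = {
    "exec", "system", "passthru", "shell_exec", "popen",
    "escapeshellcmd", "proc_open", "proc_nice", "ini_restore",
}

def parse_php_ini(text):
    """Parse php.ini text into {directive_lowercase: value}; later duplicates win.
    Handles [section] headers, ';' comments and double-quoted values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return a sorted list of findings; an empty list means the fragment passes."""
    cfg = parse_php_ini(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = cfg.get(key, "<unset>").lower()
        if got != want:
            findings.append(f"{key} = {got} (recommended: {want})")
    # open_basedir entries are prefix matches unless they end in '/', so
    # '/var/www/site' would also permit '/var/www/site-old' (the post's caveat).
    basedir = cfg.get("open_basedir", "")
    if not basedir:
        findings.append("open_basedir is unset")
    for path in filter(None, basedir.split(":")):
        if not path.endswith("/"):
            findings.append(f"open_basedir entry '{path}' lacks a trailing slash")
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions missing: " + ", ".join(missing))
    return sorted(findings)

# Constructed sample inputs (not from the post): a weak and a hardened fragment.
WEAK_INI = """[PHP]
register_globals = On
allow_url_fopen = On
safe_mode = Off
open_basedir = /var/www/site   ; no trailing slash: prefix match
disable_functions = exec,system
display_errors = On
"""
HARDENED_INI = """[PHP]
register_globals = off
allow_url_fopen = off
safe_mode = on
open_basedir = /var/www/site/:/tmp/
disable_functions = exec,system,passthru,shell_exec,popen,escapeshellcmd,proc_open,proc_nice,ini_restore
display_errors = off
"""
```

audit(WEAK_INI) returns six findings (four wrong directives, the open_basedir prefix problem and the seven functions still enabled), while audit(HARDENED_INI) returns an empty list.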
n1o Posted April 18, 2008 (Author)

Added on next PHP 6 core:

64 bit integers
A new 64 bit integer will be added (int64). There will be no int32 (it is assumed unless you specify int64).

Goto
No 'goto' command will be added, but the break keyword will be extended with a static label - so you could do 'break foo' and it'll jump to the label foo: in your code.

ifsetor()
It looks like we won't be seeing this one, which is a shame. But instead the ?: operator will have the 'middle parameter' requirement dropped, which means you'd be able to do something like this: "$foo = $_GET['foo'] ?: 42;" (i.e. if foo is true, $foo will equal 42). This should save some code, but I personally don't think it is as 'readable' as ifsetor would have been.

foreach multi-dim arrays
This is a nice change - you'll be able to foreach through array lists, i.e. "foreach( $a as $k => list($a, $b))".

{} vs []
You can currently use both {} and [] to access string indexes. But the {} notation will raise an E_STRICT in PHP 5.1 and will be gone totally in PHP 6. Also the [] version will gain substr and array_slice functionality directly - so you could do "[2,]" to access characters 2 to the end, etc. Very handy.
n1o Posted May 15, 2008 (Author)

4.8 Named Parameters

Issue: The functionality of named parameters was suggested. Named parameters allow you to "skip" certain parameters to functions. If it were implemented, then it might look like:

<?php
function foo ($a = 42, $b = 43, $c = 44, $d = 45)
{
    // echoes 42, 53, 54, 45
    echo "$a $b $c $d\n";
}
foo(c => 54, b => 53);
?>

Discussion: We don't see the real need for named parameters, as they seem to violate PHP's KISS principle. It also makes for messier code.

Conclusions: We do not want to add it.

4.9 Make parameter order consistent over all functions

Issue: One point that people find annoying in PHP is the non-standard way in which parameters to functions are ordered. Because there is no consistent way, they always have to use the manual to see what the order is.

Discussion: We went over the string functions and found that there are only two functions that have "needle, haystack" instead of "haystack, needle", namely in_array() and array_search(). For in_array() it makes sense in a logical way to work in the same way as SQL, where you first specify the value, and then you check if it fits "in the array". As array_search() was modelled on this is_array() function, the parameter order is the same. As there are not many inconsistencies, and changing them would cause quite some problems for current applications, we decided not to change the order.

Conclusions: We do not change parameter ordering for internal functions.

4.10 Minor function changes: microtime()

Issue: It was suggested that microtime(true) become the default behaviour. Currently, if you pass no parameters, the microtime function returns the current time as "microseconds <space> unix_timestamp".
Discussion: As you usually would want to have the full floating point number back, many people use the following snippet (and perhaps even wrap that in a function):

<?php
$m = microtime();
$e = explode(' ', $m);
echo $e[0] + $e[1], "\n";
?>

We want to change the behaviour to return a normal float straight away (which you can now do by passing "true" as first parameter). The following snippet:

<?php
$m = microtime(true);
echo $m, "\n";
$e = explode(' ', $m);
echo $e[0] + $e[1], "\n";
?>

throws only a notice, while the result is still correct. As it's only a notice, we feel safe enough to change the default behaviour to return a float. We do need to investigate what happens if any of the following values are passed though: none, null, false and true.

Conclusions: We will change the default behaviour of microtime() to return a float.

5. Changes to OO functionality

5.1 "function require __construct(" to force calling the parent's constructor

Issue: Some extensions such as PDO allow their classes to be inherited. The constructors of those inherited classes are required to call the extension class' constructor though, as that one needs to initialise the internal structures. Currently there is no way in the engine to require this.

Discussion: In order to address this issue we need to add a flag internally that tells the engine that it should bail out if methods are called but the extension's constructor was not called yet. For this to work, we need to add a flag to the bottom-most object in the hierarchy that is still an internal class. Add an additional class pointer to the class pointing to the constructor that should be called.

Conclusions:
- We add a flag to the class structure to record this
- We do not add new syntax for this to userland

5.2 Allow interfaces to specify the __construct() signature

Issue: Currently it is not possible to define a __construct() signature in an interface.
Discussion: We didn't see a reason why this shouldn't be allowed, but Andi seems to have a reason for it.

Conclusions: Zeev asks Andi why he doesn't want constructors in the interface. If there is no sound reason we add this possibility.

5.3 Implement inheritance rules for type hints

Issue: Currently we don't check inheritance rules for type-hinted parameters.

Discussion: Marcus explains with an example how inheritance rules for type-hinted parameters should work, and also mentions that most probably no language currently implements this correctly. This is not a very important check, and therefore we see no reason why we should implement this either.

Conclusions: We are not going to add the checks.

5.4 Late static binding using "this" without "$" (or perhaps with a different name)

Issue: Currently, the following script will print "A::static2":

<?php
class A {
    static function staticA() { self::static2(); }
    static function static2() { echo "A::static2\n"; }
}
class B extends A {
    static function static2() { echo "B::static2\n"; }
}
B::staticA();
?>

Discussion: Currently there is no way to do "runtime evaluating" of static members so that we can call B::static2() from A::staticA(), and this is a useful feature. In order to implement this we need a new keyword to allow for this. As we do not want to introduce yet another reserved word, the re-use of "static" was suggested for this. The same example, but now with the call to "self::static2()" replaced with "static::static2()", will then print "B::static2".

Conclusions: We re-use the "static::" keyword to do runtime evaluation of statics. Marcus prepares an implementation suggestion.

5.5 Object casting to primitive types

Issue: PHP does not support a call-back when an object is cast to another (scalar) type.

Discussion: As PHP is a weakly typed language this kind of functionality does not make sense in PHP. We only leave the __toString() method which is called on a (string) cast.
In PHP 5.1 the following already gives notices on the (int) and (double) casts, where the __toString() method is also correctly called:

<?php
class a {
    function __toString() { return "string"; }
}
$a = new a;
echo (int) $a, "\n";
echo (bool) $a, "\n";
echo (string) $a, "\n";
echo (float) $a, "\n";
?>

Conclusions: We will not add magic call-back functions for other casts.

5.6 name spaces

Issue: PHP currently has no name spaces, which some people find inconvenient as they are required to prefix all their classes with a unique prefix.

Discussion: First we briefly discussed the current name space patch, but as we were not all familiar with its workings we did not go into deep detail for this. Then we saw an alternative implementation of name spaces with "Modules". This is an example of how this should work:

<?php
import M1 as M2;
echo M2::$var,"\n";
echo M2::c,"\n";
echo M2::func(),"\n";
echo M2::C::func(),"\n";
var_dump(new M2::C);
?>

M1.php:

<?php
module M1 {
    var $var = "ok";
    const c = "ok";
    function func() { }
    class C {
        static function func() { return "ok"; }
        static private function bug() { echo "bug\n"; }
    }
    private class FOO {
        public class BAR {
            static function bug() { echo "bug\n"; }
        }
    }
    function bar() { return new M1::FOO(); }
}
?>

This approach suffers from a few problems:
- When calling you still have to prefix all your classes.
- You are forced into a specific naming scheme for your modules.

After the modules, we came up with some implementation guidelines on how we would like to see support for name spaces and decided we would only introduce them if the following rules could be implemented:
- Implement a "name space" keyword that you can wrap around a class definition with {}. Internally this adds <namespace-name> to the class names defined inside it, separated by a separator. The following example would create the class "spl<separator>file":

<?php
namespace spl {
    class file {
    }
}
?>

- The suggested separator is "\" as this is the only free choice.
- import will be request-wide and the import keyword copies class entries to its new name.
- If we encounter a conflict due to importing we abort execution.
- "import spl\*" will copy all classes in the spl name space to the "normal" namespace which doesn't have a prefix.
- Functions in name spaces are allowed.
- Constants in name spaces are allowed unless we find problems with the implementation.
- No variables are allowed in name spaces.

Conclusions: If we're going to do this, the name spaces look like above. Marcus is going to provide a patch.

5.7 Using an undefined property in a class with defined properties should throw a warning

Issue: Current PHP will not throw any warning with the following code, and will just create a new property:

<?php
class foobar {
    public $supercalifragilisticexpialidoceous;
    function r