PHP: Difference between revisions
rv spam |
|||
Line 174: | Line 174: | ||
*[http://groups.google.com/group/comp.lang.php comp.lang.php] newsgroup |
*[http://groups.google.com/group/comp.lang.php comp.lang.php] newsgroup |
||
*[http://www.php.net/mailing-lists.php PHP mailing lists] |
*[http://www.php.net/mailing-lists.php PHP mailing lists] |
||
*[http://softgroups.com PHP Scripts] |
|||
*[http://phpflashcards.com/app/ Practice PHP skills] |
*[http://phpflashcards.com/app/ Practice PHP skills] |
||
* [http://members.cox.net/midian/tutorials/php404.htm How to setup a custom PHP 404] |
* [http://members.cox.net/midian/tutorials/php404.htm How to setup a custom PHP 404] |
Revision as of 08:11, 17 June 2006
Developer(s) | The PHP Group |
---|---|
Stable release | 5.1.4 / May 4, 2006; 4.4.2 / January 13, 2006 |
Repository | |
Operating system | Cross-platform |
Type | Scripting language |
License | PHP License 3.01 |
Website | www.php.net |
PHP is an open-source, reflective programming language. Originally designed as a high-level tool for producing dynamic web content, PHP is used mainly in server-side applications.
History
PHP was originally designed as a small set of Perl scripts, followed by a rewritten set of CGI binaries written in C by the Danish-Canadian programmer Rasmus Lerdorf in 1994 to display his résumé and to collect certain data, such as how much traffic his page was receiving. "Personal Home Page Tools" was publicly released on 8 June 1995 after Lerdorf combined it with his own Form Interpreter to create PHP/FI.
Zeev Suraski and Andi Gutmans, two Israeli developers at the Technion - Israel Institute of Technology, rewrote the parser in 1997 and formed the base of PHP 3, changing the language's name to the recursive acronym "PHP: Hypertext Preprocessor". The development team officially released PHP/FI 2 in November 1997 after months of beta testing. Public testing of PHP 3 began immediately and the official launch came in June 1998. Suraski and Gutmans then started a new rewrite of PHP's core, producing the Zend engine in 1999.[1] They also founded Zend Technologies in Ramat Gan, Israel, which has since overseen PHP development.
In May 2000, PHP 4, powered by the Zend Engine 1.0, was released.
On July 13, 2004, PHP 5 was released, powered by Zend Engine II. PHP 5 includes new features such as PHP Data Objects and more performance enhancements taking advantage of the new engine.
Usage
When running server-side, the PHP model can be seen as an alternative to Microsoft's ASP.NET/C#/VB.NET system, Macromedia's ColdFusion, Sun Microsystems' JSP, Zope, mod_perl and the Ruby on Rails framework. To more directly compete with the "framework" approach taken by these systems, Zend are working on the Zend Framework - an emerging (as of June 2006) set of PHP building blocks and best practices.
The LAMP architecture has become popular in the Web industry as a way of deploying inexpensive, reliable, scalable, secure web applications. PHP is commonly used as the P in this bundle alongside Linux, Apache and MySQL. PHP can be used with a large number of relational database management systems, runs on all of the most popular web servers and is available for many different operating systems. This flexibility means that PHP has a wide installation base across the Internet; PHP is one of the most popular programming languages for implementing websites with over 20 million Internet domains using PHP[2].
Examples of popular server-side PHP applications include phpBB, Wordpress and MediaWiki.
More recently, PHP has been adapted to provide a command line interface, as well as GUI libraries such as GTK+ and text mode libraries like ncurses in order to facilitate development of a broader range of software. As PHP is higher-level than shell scripting, its use on the command line is more desirable for some automation tasks than shell scripting has traditionally been used for.
Syntax
PHP was originally designed to be used in conjunction with a web server, and acts as a filter which takes a file containing text and special PHP instructions and converts it to another form for display.
Here is a Hello World code example:
<?php echo 'Hello, World!'; ?>
The <?php ?> tags are delimiters which tell PHP to treat anything contained within as PHP code and to act on it.
A slightly less verbose "Hello World" program in PHP is:
<?='Hello, World!'?>
This example relies on PHP's 'short_open_tag' option being set to true. This can cause problems with certain data, because the character sequence <? is also used to signify the start of other processing instructions, such as the XML <?xml version="1.0" ?> header statement.
PHP ignores any text outside of its delimiter tags. Thus, the examples above are equivalent to the following text (and indeed are converted into this form):
Hello, World!
The primary use of this is to allow PHP statements to be embedded within HTML documents. PHP processes any delimited code in the page initially, thus handing the web server a file which consists entirely of HTML.
Variables are prefixed with a dollar symbol and no type need be specified in advance.
<?php $name = 'Peter'; echo "Hello $name"; ?>
PHP treats new lines as whitespace, in the manner of a free-form language (except when inside string quotes). Statements are terminated by a semicolon, except in a few special cases.
PHP has three types of comment syntax:
// comment -- is terminated at the first line break or PHP terminator (?>)
/* multi-line comment */
# comment -- this form is not often used
Data types
PHP stores whole numbers in a platform-dependent range. This range is typically that of 32-bit signed integers. Portable code should not assume that values outside this range can be represented in an integer variable. Integer variables can be assigned using decimal (positive and negative), octal and hexadecimal notations. Real numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of scientific notation.
PHP has a native Boolean type, named "boolean", similar to the native Boolean types in Java and C++. Using the Boolean type conversion rules, non-zero values can be interpreted as true and zero as false, as in Perl and C.
The Null data type represents a variable that has no value. The only value in the Null data type is NULL.
Arrays are heterogeneous, meaning a single array can contain objects of more than one type:
$myArray = array('key 1' => 'string value 1', 2005, new StdClass(), array("I", "love", "arrays", "too"));
They can be used as ordered lists of only values and as hashes with keys and values, even simultaneously. When used as hashes (also referred to as associative arrays), the ordering of keys is preserved. They can also contain any type that PHP can handle, including resources, objects, and even other arrays.
Strings
Variables are evaluated inside double quotation marks, but not inside single quotation marks. Although it is not required, it is generally recommended to surround embedded variables in curly braces. Functions and other expressions are not evaluated inside double quotes:
$myString = 'string' . myFunction() . 'rest of string';
$myString = "string{$myArray['key 1']}rest of string";
A period (.) concatenates strings and expressions together.
Resource
Variables of type "resource" represent references to resources from external sources. These are typically created by functions from a particular extension, and can only be processed by functions from the same extension. Examples include file, image and database resources.
Objects
Up until version 3, PHP had no object-oriented features. Basic object functionality was added in version 3. The same semantics were implemented in PHP 4 as well as pass-by-reference and return-by-reference for objects but the implementation still lacked the powerful and useful features of other object-oriented languages like C++ and Java.
PHP's handling of objects was completely rewritten for PHP 5, allowing for better performance and more features. In previous versions of PHP, objects were handled like primitive types. The drawback of this method was that semantically the whole object was copied when a variable was assigned, or passed as a parameter to a method. In the new approach, objects are referenced by handle, and not by value. PHP 5 introduced private and protected member variables and methods, along with abstract classes and abstract methods. It also introduced a standard way of declaring constructor and destructors similar to that of other object-oriented languages, such as C++.
PHP 4 had no exception handling. PHP 5 introduces an exception model similar to that of other programming languages.
It should be noted that the static method and class variable features in Zend Engine 2 do not work the way some expect. There is no virtual table feature in the Engine, so the static variables are bound with a name at compile time instead of with a reference.
Object Cloning
If the developer asks to create a copy of an object by using the reserved word clone, the Zend engine will check if a __clone() method has been defined or not. If not, it will call a default __clone() which will copy all of the object's properties. If a __clone() method is defined, then it will be responsible to set the necessary properties in the created object. For convenience, the engine will supply a function that imports all of the properties from the source object, so that they can start with a by-value replica of the source object, and only override properties that need to be changed.
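The following added example (not part of the original article or the PHP project's code) shows why the default property-by-property copy matters once objects are referenced by handle: a nested object stays shared between original and clone unless __clone() replaces it. The class names and the role list are hypothetical.

```php
<?php
// Hypothetical classes for illustration; not taken from the PHP manual.
class Session {
    public $roles = array();
}

class ShallowUser {
    public $name;
    public $session;               // holds an object handle, not the object itself
    public function __construct($name) {
        $this->name = $name;
        $this->session = new Session();
    }
}

class DeepUser extends ShallowUser {
    // Runs on the new copy after every property has been copied by value.
    // Object-typed properties were copied as handles, so replace them here.
    public function __clone() {
        $this->session = clone $this->session;
    }
}

// Clone a user, modify the copy, and report the state of the original.
function grant_admin_to_copy($user) {
    $copy = clone $user;
    $copy->name = 'copy';
    $copy->session->roles[] = 'admin';
    return array('name' => $user->name, 'roles' => $user->session->roles);
}

$shallow = grant_admin_to_copy(new ShallowUser('alice'));
$deep    = grant_admin_to_copy(new DeepUser('alice'));

// Scalar properties are independent in both cases; the nested Session is
// independent only when __clone() replaced the copied handle.
echo 'default clone: original name = ', $shallow['name'], ', original has admin role: ';
var_dump(in_array('admin', $shallow['roles'], true));
echo '__clone() override: original name = ', $deep['name'], ', original has admin role: ';
var_dump(in_array('admin', $deep['roles'], true));
```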
Resources
Libraries
PHP includes a large number of free and open-source libraries with the core build. PHP is a fundamentally Internet-aware system with modules built in for accessing FTP servers, many database servers, embedded SQL libraries like embedded MySQL and SQLite, LDAP servers, and others. Many functions familiar to C programmers such as the printf family are available in the standard PHP build.
PHP extensions exist which, among other features, add support for the Windows API, process management on Unix-like operating systems, cURL, and several popular compression formats. Some of the more unusual features are on-the-fly Macromedia Flash generation, integration with Internet relay chat, and generation of dynamic images (where the content of the image can be changed). Some additional extensions are available via the PHP Extension Community Library.
Source code encoders
Encoders offer some source code security and enable proprietary software by hindering source code reverse engineering. PHP scripts are compiled into native byte-code. The downside of this approach is that a special extension has to be installed on the server in order to run encoded scripts.
Support
PHP has a formal development manual that is maintained by the open source community. In addition, answers to most questions can often be found by doing a simple internet search. PHP users assist each other through various media such as chat, forums, newsgroups and PHP developer web sites. In turn, the PHP development team actively participates in such communities, garnering assistance from them in their own development effort (PHP itself) and providing assistance to them as well. There are many help resources available for the novice PHP programmer.
Criticism
Criticisms of PHP include those general criticisms ascribed to other scripting programming languages and dynamically typed languages. Some specific criticisms of PHP include the following:
- PHP does not enforce the declaration of variables prior to their use, and variables which have not been initialized can have operations (such as concatenation) performed on them; an operation on an uninitialized variable raises an E_NOTICE level error, but this is hidden by default.
- Method / function overloading is not allowed.
- PHP's type checking is so loose as to be occasionally unenforceable. Variables in PHP are not limited to one type: it is possible to assign an integer value to the variable $Q, then assign a string value, and then assign an array to it. This can often lead to difficult-to-debug code. Comparison using the == operator does not check types; three equals signs (===) can be used to ensure a type match as well. In most languages the string "0" is not equivalent to the integer zero, which in turn is not equal to the value FALSE. Functions are also not allowed to (directly) force the types of their arguments. (PHP 5 improves on this, by adding the ability to force a function argument to be an array or an object of a certain class.) Some functions have inconsistent output; statements like "This function may return Boolean FALSE, but may also return a non-Boolean value which evaluates to FALSE, such as 0 or ""." can be found in the documentation. This is related to PHP's dynamic typing.
- The number of built-in functions is said to be too numerous, with many functions performing the same actions, but with just slightly different data, results, etc. This is said to make it difficult to program in the language without the frequent consultation of a reference work. There are over 3,000 functions, sharing the same global namespace. Most functions are not enabled by default, but become available when PHP is linked against the required libraries. To mitigate this, function names are usually prefixed with their library name. Built-in function names have no standard form, with some employing underscores (e.g. 'strip_tags', 'html_entity_decode') while others do not (e.g. 'stripslashes', 'htmlentities'). Furthermore, some functions are verb_noun() while others are noun_verb() and some are prefixed_byModuleName while others use a module_suffix_scheme. Within sections of the built-in function selection there is little or no consistency regarding argument order (examples: order of subject array and other data for array handling functions, order of needle and haystack in various search functions).
- PHP contains a "magic quotes" feature which inserts backslashes into user input strings. The feature was introduced to prevent code written by beginners from being dangerous (such as in SQL injection attacks), but some criticize it for frequently causing improperly displayed text or encouraging beginners to write PHP which is vulnerable to injection attacks when used on a system with it turned off.
- If 'register_globals' is enabled in PHP's configuration file, PHP automatically puts the values of Post, Get, Cookie and Session Parameters into standard variables, which can be a significant security risk for scripts that assume those variables are undefined.
- Other languages, such as ASP.NET, include functionality to detect and clean harmful cross-site scripting or other malicious code automatically, whereas PHP does not. Even with register_globals disabled, PHP is susceptible to unsafe code and database injections if user-submitted data and variables are not properly filtered and validated. PHP's own detection capabilities in this respect may be seen as inferior to other scripting languages. This is potentially dangerous because PHP is relatively easy to learn, which means that developers may not have the prior experience necessary to write safe code. [citation needed]
- In the majority of cases, Linux and Unix webservers with PHP installed (using mod_php) typically run PHP scripts as "nobody", which can make file security in a shared hosting environment difficult. PHP's "Safe Mode" can emulate the security behavior of the OS to partially overcome this problem, but this is considered an imperfect solution.
- The many settings in the PHP interpreter's configuration file (php.ini) mean that code that works with one installation of PHP might not work with another. For example, if code is written to work with register_globals turned on, it won't work on another system that has register_globals turned off. This makes writing portable code more difficult as the only way to ensure compatibility is to assume that features will be unavailable.
- Some PHP extensions use libraries that are not threadsafe, so rendering with Apache 2's Multithreaded MPM (multi-processing module) may cause crashes.
- PHP does not have native support for Unicode or multibyte strings.
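The loose-comparison criticism above, as an added example that is not part of the original article: an input filter built on strpos(), one of the functions that returns either an offset or FALSE, written first with == and then with ===. The function names and sample strings are constructed for illustration.

```php
<?php
// Constructed example; function names and sample inputs are hypothetical.

// Flawed filter: strpos() returns the integer offset of the match, or FALSE
// when there is none. A '<' at offset 0 yields 0, and == treats 0 and FALSE
// as equal, so input that begins with markup is reported as containing none.
function has_markup_loose($input) {
    return !(strpos($input, '<') == false);
}

// Corrected filter: === also compares types, so offset 0 is not FALSE.
function has_markup_strict($input) {
    return strpos($input, '<') !== false;
}

$samples = array('plain text', 'text <b>bold</b>', '<b>bold</b> at offset 0');
foreach ($samples as $s) {
    printf("%-26s loose=%-5s strict=%s\n", $s,
        var_export(has_markup_loose($s), true),
        var_export(has_markup_strict($s), true));
}

// The values the article singles out: "0", integer zero and FALSE.
$pairs = array(array('0', 0), array(0, false), array('0', false));
foreach ($pairs as $p) {
    printf("%s vs %s: == gives %s, === gives %s\n",
        var_export($p[0], true), var_export($p[1], true),
        var_export($p[0] == $p[1], true),
        var_export($p[0] === $p[1], true));
}
```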
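The register_globals criticism above, as an added example that is not part of the original article: a script that assumes a variable is undefined, next to a form that initializes it and reads input by name. It assumes extract() as a stand-in for the setting (register_globals itself was removed in PHP 5.4) and needs PHP 5.6 or later for hash_equals(); the function names, secret and requests are constructed.

```php
<?php
// Constructed example. extract() stands in for register_globals = On, which
// copied request parameters into variables before the script ran.
// Function names, the secret and the requests are hypothetical.

const DEMO_SECRET = 'constructed-secret';

// Flawed: $authorized is set only on success and never initialized, so the
// code assumes it is undefined unless the password matched.
function page_flawed(array $request) {
    extract($request, EXTR_SKIP);
    if (isset($password) && hash_equals(DEMO_SECRET, (string) $password)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened: security-relevant variables are initialized by the script, and
// input is read by name from the request array, never from imported variables.
function page_hardened(array $request) {
    extract($request, EXTR_SKIP);  // worst case: the import still happens
    $authorized = false;           // overrides anything the request supplied
    $password = isset($request['password']) ? (string) $request['password'] : '';
    if (hash_equals(DEMO_SECRET, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a correct login, a wrong password, and a request that
// carries a parameter named like the internal flag.
$requests = array(
    'correct password' => array('password' => 'constructed-secret'),
    'wrong password'   => array('password' => 'guess'),
    'flag in request'  => array('authorized' => '1'),
);
foreach ($requests as $label => $request) {
    printf("%-17s flawed=%-5s hardened=%s\n", $label,
        var_export(page_flawed($request), true),
        var_export(page_hardened($request), true));
}
```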
Footnotes
- ^ a page at www.zend.com states that PHP 3 was powered by Zend Engine 0.5.
- ^ http://www.php.net/usage.php
External links
- PHP website
- PHP Security Consortium — International group of PHP experts dedicated to promoting secure programming practices.
- WACT PHP Application Security Wiki — The Web Application Component Toolkit's wiki page on PHP security resources.
- Hardened PHP Project — Group of security experts developing a modification to PHP to protect it against known and unknown attacks.
- comp.lang.php newsgroup
- PHP mailing lists
- Practice PHP skills
- How to setup a custom PHP 404