PHP 4.1.0 Release Announcement
After a lengthy QA process, PHP 4.1.0 is finally out.
Download at http://www.php.net/downloads.php !

PHP 4.1.0 includes several other key improvements:
- A new input interface for improved security (read below)
- Highly improved performance in general
- Revolutionary performance and stability improvements under
  Windows. The multithreaded server modules under Windows (ISAPI,
  Apache, etc.) perform as much as 30 times faster under load! We
  want to thank Brett Brewer and his team in Microsoft for working
  with us to improve PHP for Windows.
- Versioning support for extensions. Right now it's barely being
  used, but the infrastructure was put in place to support separate
  version numbers for different extensions. The negative side effect
  is that loading extensions that were built against old versions of
  PHP will now result in a crash, instead of in a nice clear message.
  Make sure you only use extensions built with PHP 4.1.0.
- Turn-key output compression support
- *LOTS* of fixes and new functions

As some of you may notice, this version is quite historical, as it's
the first time in history we actually incremented the middle digit! :)
The two key reasons for this unprecedented change were the new input
interface, and the broken binary compatibility of modules due to the
versioning support.

Following is a description of the new input mechanism. For a full
list of changes in PHP 4.1.0, scroll down to the end of this section.

-----------------------------------
SECURITY: NEW INPUT MECHANISM

First and foremost, it's important to stress that regardless of
anything you may read in the following lines, PHP 4.1.0 *supports*
the old input mechanisms from older versions. Old applications
should go on working fine without modification!

Now that we have that behind us, let's move on :)

For various reasons, PHP setups which rely on register_globals
being on (i.e., on form, server and environment variables becoming
a part of the global namespace, automatically) are very often
exploitable to various degrees. For example, the piece of code:
<?php
if (authenticate_user()) {
    $authenticated = true;
}
...
?>
May be exploitable, as remote users can simply pass on 'authenticated'
as a form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this misfeature.

While it is quite possible to write secure code in PHP, we felt that the
fact that PHP makes it too easy to write insecure code was bad, and we've
decided to attempt a far-reaching change, and deprecate register_globals.
Obviously, because the vast majority of the PHP code in the world relies
on the existence of this feature, we have no plans to actually remove it
from PHP anytime in the foreseeable future, but we've decided to encourage
people to shut it off whenever possible.

To help users build PHP applications with register_globals being off,
we've added several new special variables that can be used instead of the
old global variables. There are 7 new special arrays:
$_GET     - contains form variables sent through GET
$_POST    - contains form variables sent through POST
$_COOKIE  - contains HTTP cookie variables
$_SERVER  - contains server variables (e.g., REMOTE_ADDR)
$_ENV     - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie variables.
            In other words - all the information that is coming from the user,
            and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module

Now, other than the fact that these variables contain this special information,
they're also special in another way - they're automatically global in any
scope. This means that you can access them anywhere, without having to
'global' them first. For example:
function example1()
{
    print $_GET["name"];   // works, 'global $_GET;' is not necessary!
}
would work fine! We hope that this fact would ease the pain in migrating
old code to new code a bit, and we're confident it's going to make writing
new code easier. Another neat trick is that creating new entries in the
$_SESSION array will automatically register them as session variables, as
if you called session_register(). This trick is limited to the session
module only - for example, setting new entries in $_ENV will *not* perform
an implicit putenv().
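The register_globals problem and the explicit-array fix described above, side by side, as an added example that is not part of the announcement. register_globals was removed in PHP 5.4, so extract() stands in for it here; the authenticate_user() stub, the function names and the $request array are assumptions made for the illustration.

```php
<?php
// Added example. authenticate_user() is a stub that always fails and $request
// is a constructed request (?authenticated=1&name=guest); neither comes from
// the announcement.
function authenticate_user(): bool
{
    return false;
}

// Emulates register_globals = On: each request field becomes a variable in
// scope before the page logic runs (extract() stands in for the old setting).
function page_with_register_globals(array $request): array
{
    extract($request);
    if (authenticate_user()) {
        $authenticated = true;
    }
    // $authenticated was never initialised by the page, so a request field of
    // the same name decides the outcome.
    return ['authenticated' => !empty($authenticated), 'name' => $name ?? ''];
}

// Hardened form for register_globals = Off: initialise the flag, and read
// request data only through the explicit input array ($_GET in a real page).
function page_hardened(array $get): array
{
    $authenticated = false;
    if (authenticate_user()) {
        $authenticated = true;
    }
    // Still untrusted: accept only a string and validate it before use.
    $name = (isset($get['name']) && is_string($get['name'])) ? $get['name'] : '';
    return ['authenticated' => $authenticated, 'name' => $name];
}

$request = ['authenticated' => '1', 'name' => 'guest'];

var_dump(page_with_register_globals($request)['authenticated']);
var_dump(page_hardened($request)['authenticated']);
```

Run with the PHP CLI (7.0 or later): the first call reports the visitor as authenticated although authenticate_user() failed, the second does not.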
PHP 4.1.0 still defaults to have register_globals set to on. It's a
transitional version, and we encourage application authors, especially
public ones which are used by a wide audience, to change their applications
to work in an environment where register_globals is set to off. Of course,
they should take advantage of the new features supplied in PHP 4.1.0 that
make this transition much easier.

As of the next semi-major version of PHP, new installations of PHP will
default to having register_globals set to off. No worries! Existing
installations, which already have a php.ini file that has register_globals
set to on, will not be affected. Only when you install PHP on a brand new
machine (typically, if you're a brand new user), will this affect you, and
then too - you can turn it on if you choose to.

Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names
still work, but we encourage users to switch to the new shorter, and
auto-global versions.

Thanks go to Shaun Clowes (shaun@securereality.com.au) for pointing out this
problem and for analyzing it.

-------------------------------------
FULL LIST OF CHANGES
10 Dec 2001, Version 4.1.0
- Worked around a bug in the MySQL client library that could cause PHP to hang
  when using unbuffered queries. (Zeev)
- Fixed a bug which caused set_time_limit() to affect all subsequent requests to running Apache child process. (Zeev)
- Removed the sablotron extension in favor of the new XSLT extension. (Sterling)
- Fixed a bug in WDDX deserialization that would sometimes corrupt the root element if it was a scalar one. (Andrei)
- Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images. (Rasmus)
- Fixed a bug in preg_match_all() that would return results under improper indices in certain cases. (Andrei)
- Fixed a crash in str_replace() that would happen if search parameter was an array and one of the replacements resulted in subject string being empty. (Andrei)
- Fixed MySQL extension to work with MySQL 4.0. (Jani)
- Fixed a crash bug within Cobalt systems. Patch by tomc@tripac.com. (Jani)
- Bundled Dan Libby's xmlrpc-epi extension.
- Introduced extension version numbers. (Stig)
- Added version_compare() function. (Stig)
- Fixed pg_last_notice() (could cause random crashes in PostgreSQL applications, even if they didn't use pg_last_notice()). (Zeev)
- Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of E_ERROR errors, this allows you to trap errors thrown by DOMXML functions. (Sterling)
- Fixed a bug in the mcrypt extension, where list destructors were not properly being allocated. (Sterling)
- Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)
- Fixed a crash bug in array_map() if the input arrays had string or non-sequential keys. Also modified it so that if a single array is passed, its keys are preserved in the resulting array. (Andrei)
- Fixed a crash in dbase_replace_record. (Patch by robin.marlow@dps-int.com)
- Fixed a crash in msql_result(). (Zeev)