Revision as of 14:42, 29 June 2006
Developer(s) | The PHP Group |
---|---|
Stable release | 5.1.4 / May 4, 2006; 4.4.2 / January 13, 2006 |
Repository | |
Operating system | Cross-platform |
Type | Scripting language |
License | PHP License 3.01 |
Website | www.php.net |
PHP is an open-source, reflective programming language. Originally designed as a high-level tool for producing dynamic web content, PHP is used mainly in server-side applications.
History
PHP was originally designed as a small set of Perl scripts, followed by a rewritten set of CGI binaries written in C by the Danish-Canadian programmer Rasmus Lerdorf in 1994 to display his résumé and to collect certain data, such as how much traffic his page was receiving. "Personal Home Page Tools" was publicly released on 8 June 1995 after Lerdorf combined it with his own Form Interpreter to create PHP/FI.
Zeev Suraski and Andi Gutmans, two Israeli developers at the Technion - Israel Institute of Technology, rewrote the parser in 1997 and formed the base of PHP 3, changing the language's name to the recursive acronym "PHP: Hypertext Preprocessor". The development team officially released PHP/FI 2 in November 1997 after months of beta testing. Public testing of PHP 3 began immediately and the official launch came in June 1998. Suraski and Gutmans then started a new rewrite of PHP's core, producing the Zend engine in 1999. They also founded Zend Technologies in Ramat Gan, Israel, which has since overseen PHP development.
In May 2000, PHP 4, powered by the Zend Engine 1.0, was released.
On July 13, 2004, PHP 5 was released, powered by Zend Engine II. PHP 5 includes new features such as PHP Data Objects and more performance enhancements taking advantage of the new engine.
Usage
PHP generally runs on a web server, taking PHP code as its input and creating Web pages as output.
When running server-side, the PHP model can be seen as an alternative to Microsoft's ASP.NET/C#/VB.NET system, Macromedia's ColdFusion, Sun Microsystems' JSP, Zope, mod_perl and the Ruby on Rails framework. To more directly compete with the "framework" approach taken by these systems, Zend is working on the Zend Framework - an emerging (as of June 2006) set of PHP building blocks and best practices.
The LAMP architecture has become popular in the Web industry as a way of deploying inexpensive, reliable, scalable, secure web applications. PHP is commonly used as the P in this bundle alongside Linux, Apache and MySQL. PHP can be used with a large number of relational database management systems, runs on all of the most popular web servers and is available for many different operating systems. This flexibility means that PHP has a wide installation base across the Internet; PHP is one of the most popular programming languages for implementing websites with over 20 million Internet domains using PHP.
Examples of popular server-side PHP applications include phpBB, Joomla, WordPress and MediaWiki.
More recently, PHP has been adapted to provide a command line interface, as well as GUI libraries such as GTK+ and text mode libraries like ncurses, in order to facilitate development of a broader range of software. As PHP is higher-level than shell scripting, its use on the command line is desirable for some automation tasks that shell scripting has traditionally been used for. Because PHP includes functions for interfacing with the command line, it has seen rapid uptake for server administration tasks such as starting and stopping services and managing networked computers.
Syntax
PHP was originally designed to be used in conjunction with a web server, and acts as a filter which takes a file containing text and special PHP instructions and converts it to another form for display.
Here is a Hello World code example:
<?php echo 'Hello, World!'; ?>
The <?php ?> tags are delimiters which tell PHP to treat anything contained within as PHP code and to act on it.
A slightly less verbose "Hello World" program in PHP is:
<?='Hello, World!'?>
This example relies on PHP's 'short_open_tag' option being set to true. Enabling this option can cause problems with some content, because the character sequence <? is also used to signify the start of other processing instructions such as the XML <?xml version="1.0" ?> header statement.
PHP ignores any text outside of its delimiter tags. Thus, the examples above are equivalent to the following text (and indeed are converted into this form):
Hello, World!
The primary use of this is to allow PHP statements to be embedded within HTML documents. PHP processes any delimited code in the page initially, thus handing the web server a file which consists entirely of HTML.
Variables are prefixed with a dollar symbol and no type need be specified in advance. Variables are, subject to certain rules, evaluated in a string context.
PHP treats new lines as whitespace, in the manner of a free-form language (except when inside string quotes). Statements are terminated by a semicolon, except in a few special cases.
PHP has three types of comment syntax: it allows multi-line comments using the /* */ construction as in C, and also allows comments which terminate at the end of the line using the // and # characters (as in C++ and Perl respectively).
Data types
PHP stores whole numbers in a platform-dependent range. This range is typically that of 32-bit signed integers. Portable code should not assume that values outside this range can be represented in an integer variable. Integer variables can be assigned using decimal (positive and negative), octal and hexadecimal notations. Real numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of scientific notation.
PHP has a native Boolean type, named "boolean", similar to the native Boolean types in Java and C++. Using the Boolean type conversion rules, non-zero values can be interpreted as true and zero as false, as in Perl and C.
The Null data type represents a variable that has no value. The only value in the Null data type is NULL.
Arrays are heterogeneous, meaning a single array can contain objects of more than one type. They can contain any type that PHP can handle, including resources, objects, and even other arrays. Order is preserved in lists of values and in hashes with both keys and values, and the two can be intermingled.
Variables of type "resource" represent references to resources from external sources. These are typically created by functions from a particular extension, and can only be processed by functions from the same extension. Examples include file, image and database resources.
Objects
Up until version 3, PHP had no object-oriented features. Basic object functionality was added in version 3. The same semantics were implemented in PHP 4, along with pass-by-reference and return-by-reference for objects, but the implementation still lacked the powerful and useful features of other object-oriented languages like C++ and Java.
PHP's handling of objects was completely rewritten for PHP 5, allowing for better performance and more features. In previous versions of PHP, objects were handled like primitive types. The drawback of this method was that semantically the whole object was copied when a variable was assigned, or passed as a parameter to a method. In the new approach, objects are referenced by handle, and not by value. PHP 5 introduced private and protected member variables and methods, along with abstract classes and abstract methods. It also introduced a standard way of declaring constructors and destructors similar to that of other object-oriented languages, such as C++.
PHP 4 had no exception handling. PHP 5 introduces an exception model similar to that of other programming languages.
It should be noted that the static method and class variable features in Zend Engine 2 do not work the way some expect. There is no virtual table feature in the Engine, so the static variables are bound with a name at compile time instead of with a reference.
If the developer asks to create a copy of an object by using the reserved word clone, the Zend engine will check if a __clone() method has been defined or not. If not, it will call a default __clone() which will copy all of the object's properties. If a __clone() method is defined, then it will be responsible for setting the necessary properties in the created object. For convenience, the engine will supply a function that imports all of the properties from the source object, so that they can start with a by-value replica of the source object, and only override properties that need to be changed.
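The handle semantics and clone behaviour described above, as an added example that is not part of the original article. The class names Owner, Cart and DeepCart are hypothetical, and the code assumes the PHP 5 behaviour in which a user-defined __clone() runs on the new copy after the engine has copied its properties.

```php
<?php
// Added illustration; Owner, Cart and DeepCart are hypothetical classes.
class Owner {
    public $name;
    public function __construct($name) { $this->name = $name; }
}

class Cart {
    public $items = array();
    public $owner;
    public function __construct(Owner $owner) { $this->owner = $owner; }
}

class DeepCart extends Cart {
    // Called on the copy once the engine has replicated every property by value.
    public function __clone() {
        // A property holding an object holds a handle, so it is cloned explicitly.
        $this->owner = clone $this->owner;
    }
}

$a = new Cart(new Owner('alice'));
$b = $a;                       // assignment copies the handle, not the object
$b->items[] = 'book';          // visible through $a as well
var_dump(count($a->items));

$c = clone $a;                 // default clone: property-by-property copy
$c->items[] = 'pen';           // arrays are values, so $a->items is untouched
$c->owner->name = 'changed';   // the Owner handle is shared with $a
var_dump(count($a->items), $a->owner->name);

$d = new DeepCart(new Owner('bob'));
$e = clone $d;                 // __clone() gives the copy its own Owner
$e->owner->name = 'carol';
var_dump($d->owner->name);     // $d keeps its original Owner state
```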
Resources
Libraries
Main article: List of PHP libraries
PHP includes a large number of free and open-source libraries with the core build. PHP is a fundamentally Internet-aware system with modules built in for accessing FTP servers, many database servers, embedded SQL libraries like embedded MySQL and SQLite, LDAP servers, and others. Many functions familiar to C programmers such as the printf family are available in the standard PHP build.
PHP extensions exist which, among other features, add support for the Windows API, process management on Unix-like operating systems, cURL, and several popular compression formats. Some of the more unusual features are on-the-fly Macromedia Flash generation, integration with Internet relay chat, and generation of dynamic images (where the content of the image can be changed). Some additional extensions are available via the PHP Extension Community Library.
Source code encoders
Encoders offer some source code security and enable proprietary software by hindering source code reverse engineering. PHP scripts are compiled into native byte-code. The downside of this approach is that a special extension has to be installed on the server in order to run encoded scripts.
All-In-One Installers
Installing Apache and configuring it for PHP can be a daunting task under any OS, so a number of open source projects aim to provide an 'all-in-one' installer for Apache with PHP, MySQL (as it is commonly used for portal systems requiring a backend), and possibly an FTP and mail server. A number of such packages are available; XAMPP and WAMP are the most commonly used for installing a default configuration of these on Windows. These packages are by no means secure, however, and are not recommended for production servers.
This is because, as noted in the installation of each and on php.net, none of these installers are endorsed by PHP.net, and the development team believes that manual installation is best for security. This view is shared by the developers of such installers, and the XAMPP control panel (available at http://localhost/xampp after installation) is full of security warnings about running web servers on Windows. As part of the same project as XAMPP, LAMP was designed to give Linux users this ease of installation as well; however, because of the variation between distributions, configuring Apache for PHP manually is recommended under Linux. See Comparison of WAMPs. Those installing Apache manually will also find warnings about Apache being unstable under Windows throughout the installation process. See apache.org.
Support
PHP has a formal development manual that is maintained by the open source community. In addition, answers to most questions can often be found by doing a simple internet search. PHP users assist each other through various media such as chat, forums, newsgroups and PHP developer web sites. In turn, the PHP development team actively participates in such communities, garnering assistance from them in their own development effort (PHP itself) and providing assistance to them as well. There are many help resources available for the novice PHP programmer.
Criticism
Criticisms of PHP include those general criticisms ascribed to other scripting programming languages and dynamically typed languages. Some specific criticisms of PHP include the following:
- PHP does not enforce the declaration of variables prior to their use, and variables which have not been initialized can have operations (such as concatenation) performed on them; an operation on an uninitialized variable raises an E_NOTICE level error, but this is hidden by default.
- Method / function overloading is not allowed (Obsolete since PHP5).
- PHP's type checking is so loose as to be occasionally unenforceable. Variables in PHP are not limited to one type. It is possible to assign an integer value to the variable $Q, then assign a string value, and then assign an array to it. This can often lead to difficult-to-debug code. Type checking using the == operator is not strict, necessitating the === operator to ensure a type match. Functions are also not allowed to (directly) force the types of their arguments (PHP 5 improves on this, by adding the ability to force a function argument to be an array or an object of a certain class). Some functions have inconsistent output, with functions intended to return Boolean FALSE also returning non-Boolean values which evaluate to FALSE, such as 0 or "".
- PHP has no namespace support; all PHP functions share the same global namespace. The standard function library is criticised for its size and lack of internal consistency: there are over 3,000 "built-in" functions in the standard PHP distribution, with many only becoming available when PHP is linked against the required libraries. Many functions perform the same actions, but with slightly different input or results or syntax; there is little internal consistency regarding function argument order; functions have no standard naming convention, with use of underscores in names, verb/noun ordering and reference to parent libraries varying heavily. This is said to make it difficult to program in the language without the frequent consultation of a reference work.
- PHP contains a "magic quotes" feature which inserts backslashes into user input strings. The feature was introduced to prevent code written by beginners from being dangerous (such as in SQL injection attacks), but some criticize it for frequently causing improperly displayed text or encouraging beginners to write PHP which is vulnerable to injection attacks when used on a system with it turned off. (Obsolete in PHP6)
- If 'register_globals' is enabled in PHP's configuration file, PHP automatically puts the values of Post, Get, Cookie and Session Parameters into standard variables, which can be a significant security risk for scripts that assume those variables are undefined. Other languages, such as ASP.NET, include functionality to detect and clean harmful cross-site scripting or other malicious code automatically, whereas PHP does not. (Obsolete in PHP6)
- In the majority of cases, Unix-like webservers with PHP installed (using mod_php) run PHP scripts as "nobody", which can make file security in a shared hosting environment difficult. PHP's "Safe Mode" can emulate the security behavior of the OS to partially overcome this problem, but this is considered an imperfect solution.
- The many settings in the PHP interpreter's configuration file (php.ini) mean that code that works with one installation of PHP might not work with another. For example, if code is written to work with register_globals turned on, it won't work on another system that has register_globals turned off. This makes writing portable code more difficult as the only way to ensure compatibility is to assume that features will be unavailable.
- Some PHP extensions use libraries that are not threadsafe, so rendering with Apache 2's Multithreaded MPM (multi-processing module) may cause crashes.
- PHP does not have native support for Unicode or multibyte strings (Obsolete in PHP6).
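The register_globals risk from the list above, shown as a weak script beside its corrected form. This is an added example, not code from the original article: register_globals is a php.ini setting, so its effect is reproduced here with extract() to make the behaviour visible on any PHP version, and check_password(), page_with_globals() and page_hardened() are hypothetical names.

```php
<?php
// Added illustration. extract() stands in for register_globals: both turn
// request parameters into ordinary variables in the script's scope.

// Constructed sample request: wrong password plus a parameter named "authorized".
$request = array('password' => 'guess', 'authorized' => '1');

// Hypothetical stand-in for a real credential check.
function check_password($password) {
    return $password === 'correct horse';
}

// Weak: assumes $authorized stays undefined unless the script sets it.
function page_with_globals(array $request) {
    extract($request);                  // what register_globals did implicitly
    if (check_password(isset($password) ? $password : '')) {
        $authorized = true;
    }
    return !empty($authorized);         // a request-supplied value is still in scope
}

// Corrected: initialise every variable and read input only from the request array.
function page_hardened(array $request) {
    $authorized = false;
    $password = isset($request['password']) ? (string) $request['password'] : '';
    if (check_password($password)) {
        $authorized = true;
    }
    return $authorized;
}

// The two results differ for the same constructed request.
var_dump(page_with_globals($request));
var_dump(page_hardened($request));
```

Initialising variables before use also makes the script behave the same whether register_globals is on or off, which addresses the portability point in the same list.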
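The loose type checking item in the list above mentions functions that return either Boolean FALSE or a non-Boolean value that evaluates to FALSE. The following added example, which is not part of the original article, shows this with strpos(), which returns integer 0 for a match at the start of the string; contains_loose() and contains_strict() are hypothetical helper names and the sample paths are constructed.

```php
<?php
// Added illustration; helper names and sample strings are constructed.

// Weak: a match at offset 0 yields int 0, and 0 == false under loose comparison,
// so a string that starts with the needle is reported as not containing it.
function contains_loose($haystack, $needle) {
    return strpos($haystack, $needle) != false;
}

// Corrected: !== compares type as well as value, so only Boolean FALSE means "no match".
function contains_strict($haystack, $needle) {
    return strpos($haystack, $needle) !== false;
}

// Match at offset 0, match at a later offset, and no match.
$samples = array('admin/users', 'site/admin', 'public/index');
foreach ($samples as $path) {
    printf("%-13s loose=%-5s strict=%s\n",
        $path,
        var_export(contains_loose($path, 'admin'), true),
        var_export(contains_strict($path, 'admin'), true));
}

// Values that are loosely equal to FALSE; only the last is FALSE under ===.
foreach (array(0, '', '0', null, false) as $value) {
    printf("%-5s ==false: %-5s ===false: %s\n",
        json_encode($value),
        var_export($value == false, true),
        var_export($value === false, true));
}
```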
Footnotes
- A page at www.zend.com states that PHP 3 was powered by Zend Engine 0.5.
- http://www.php.net/usage.php
External links
- PHP website
- PHP manual
- PHP Security Consortium — International group of PHP experts dedicated to promoting secure programming practices.
- WACT PHP Application Security Wiki — The Web Application Component Toolkit's wiki page on PHP security resources.
- Hardened PHP Project — Group of security experts developing a modification to PHP to protect it against known and unknown attacks.
- comp.lang.php newsgroup
- PHP mailing lists