register_globals
: old
http://your.server/script.php?foo=bar
register_globals
register_globals
: old
http://your.server/script.php?foo=bar
register_globals
: old
http://your.server/script.php?foo=bar
// With register_globals on, $foo is populated straight from the request
// (?foo=bar); nothing in this script assigns it, which is exactly the problem.
echo 'Hello '.htmlspecialchars($foo);
register_globals
: old
// With register_globals on, $admin is never assigned by the script, so any
// client can set it via ?admin=1 and take this branch.
if ($admin) {
// God mode!
}
register_globals
: old
http://your.server/script.php?admin=1
// Same check: under register_globals the query string ?admin=1 shown above
// is enough to make $admin truthy, so the "God mode" branch is client-controlled.
if ($admin) {
// God mode!
}
register_globals
: new
http://your.server/script.php?foo=bar
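// register_globals replacement: read the parameter from $_GET explicitly.
// Default to '' when it is missing or not a scalar (?foo[]=x yields an array)
// so no undefined-index notice or htmlspecialchars() type error is raised.
$name = isset($_GET['foo']) && is_string($_GET['foo']) ? $_GET['foo'] : '';
// Escape for HTML; ENT_QUOTES and an explicit UTF-8 charset keep the output
// safe in attribute context and independent of ini defaults.
echo 'Hello '.htmlspecialchars($name, ENT_QUOTES, 'UTF-8');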
register_globals
: bad option
// Don't: this re-creates register_globals — every key in $_REQUEST (GET, POST
// and cookie data) becomes a local variable and can overwrite earlier ones.
extract($_REQUEST);
register_globals
: better option
$_REQUEST
magic_quotes_gpc
http://your.server/script.php?foo=double+quote+"
http://your.server/script.php?foo=double+quote+"
$_GET['foo']:
double quote \"
addslashes()
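/**
 * Compatibility shim for the removed magic_quotes_gpc: backslash-escapes every
 * string in a request array in place, walking nested arrays recursively.
 *
 * The original loop was a no-op: foreach iterated a temporary copy of the
 * superglobals, and array_walk() discards the callback's return value.
 *
 * NOTE: addslashes() is byte-based and charset-unaware, so it is not adequate
 * SQL escaping; prefer PDO::prepare()/mysqli::prepare() and drop this shim.
 *
 * @param array $a  request array, modified in place
 */
function magic_quotes_emulate(array &$a)
{
    array_walk_recursive($a, function (&$v) {
        // Only strings carry quotes; leave other scalars untouched.
        if (is_string($v)) {
            $v = addslashes($v);
        }
    });
}

magic_quotes_emulate($_GET);
magic_quotes_emulate($_POST);
magic_quotes_emulate($_COOKIE);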
addslashes()
addslashes()
addslashes()
mysql_escape_string()
addslashes()
mysql_escape_string()
mysql_real_escape_string()
addslashes()
mysql_escape_string()
mysql_real_escape_string()
PDO::prepare()
, mysqli::prepare()
0x5c
\'
is 0x5c 0x27
0xbf 0x5c
is 縗
http://your.server/script.php?foo=%bf%27;DROP DATABASE mysql;--
縗';DROP DATABASE mysql;--
縗
isn't an escape character
mod_itk
, suPHP
php-fpm
// Old session API (removed in PHP 5.4): the session_register() family worked
// by variable *name*, in the same spirit as register_globals.
$foo = 'bar';
session_register('foo');
if (session_is_registered('foo')) {
session_unregister('foo');
}
// Replacement: read and write session data through the $_SESSION array.
$_SESSION['foo'] = 'bar';
// The key was just assigned a non-null value, so array_key_exists() and
// isset() agree here; remove it again.
if (array_key_exists('foo', $_SESSION)) {
    unset($_SESSION['foo']);
}
// Old ext/sqlite (SQLite 2 API, gone in PHP 5.4). The query is issued without
// the $dbh handle — presumably relying on the extension's implicit last-opened
// connection; verify against the old sqlite_query() signature.
$dbh = sqlite_open('my.db');
$rst = sqlite_query('SELECT * FROM t');
if ($rst) {
$row = sqlite_fetch_array($rst);
} else {
echo 'Query failed';
}
ext/sqlite3
// ext/sqlite3 replacement: object API with the same open / query / fetch shape.
$dbh = new SQLite3('my.db');
$rst = $dbh->query('SELECT * FROM t');
// query() yields false on failure, so report that first and fetch otherwise.
if (!$rst) {
    echo 'Query failed';
} else {
    $row = $rst->fetchArray();
}
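// PDO alternative. realpath() returns false for a missing file; the original
// concatenated that straight into the DSN, so resolve and check it first.
$path = realpath('my.db');
if ($path === false) {
    echo 'Database file not found';
} else {
    $dbh = new PDO('sqlite:'.$path);
    $rst = $dbh->query('SELECT * FROM t');
    // Depending on PDO::ATTR_ERRMODE, query() returns false or throws on
    // failure; this keeps the original false-check.
    if ($rst) {
        $row = $rst->fetch();
    } else {
        echo 'Query failed';
    }
}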
// $f is received by value here, so the assignment below never reaches $foo.
function func($f) {
$f = 42;
}
$foo = 6 * 9;
// Call-time pass-by-reference: removed in PHP 5.4 (fatal error); the
// reference has to be declared on the parameter instead.
func(&$foo);
/**
 * Overwrites the caller's variable with 42; the reference is declared on the
 * parameter, not at the call site.
 *
 * @param mixed $f  passed by reference
 */
function func(&$f)
{
    $f = 42;
}

$foo = 6 * 9; // 54, until func() replaces it
func($foo);
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier.
date.timezone
in php.ini
or call date_default_timezone_set()
default_charset
is now UTF-8
// State the charset explicitly so browsers don't sniff the encoding; this
// matches PHP 5.4's UTF-8 default_charset rather than relying on it.
header('Content-Type: text/html; charset=UTF-8');
E_ALL
now includes E_STRICT
and E_DEPRECATED
crypt()
$2a$
)0xff
only
$2x$
keeps old, buggy behaviour
ereg
survived in 5.4, but is still deprecated
ext/mysql
(functions beginning with mysql_
) is soft deprecated; will be really deprecated in 5.5
/** Reusable greeting, mixed into a class with `use Hello;`. */
trait Hello
{
    public function hello()
    {
        echo 'Hello!';
    }
}
// Gains hello() from the trait without inheritance.
class Greeter {
use Hello;
}
/** Equivalent to the trait version, with hello() defined inline. */
class Greeter
{
    public function hello()
    {
        echo 'Hello!';
    }
}
/** Reusable greeting, mixed into a class with `use Hello;`. */
trait Hello
{
    public function hello()
    {
        echo 'Hello!';
    }
}
// Gains hello() from the trait without inheritance.
class Greeter {
use Hello;
}
// Calls the trait-provided method; prints "Hello!" (see the output below).
$greeter = new Greeter;
$greeter->hello();
Hello!
class Greeter
{
    /** Prints the greeting followed by a newline. */
    public function say()
    {
        echo 'Hello!', "\n";
    }
}
class Fareweller
{
    /** Prints the farewell followed by a newline. */
    public function say()
    {
        echo 'Goodbye!', "\n";
    }
}
class Greeter
{
    /** Prints the greeting followed by a newline. */
    public function say()
    {
        echo 'Hello!', "\n";
    }
}
class Fareweller
{
    /** Prints the farewell followed by a newline. */
    public function say()
    {
        echo 'Goodbye!', "\n";
    }
}
// Declared outside any class, so $this is unbound here; the closure is meant
// to be attached to an object with bindTo() before it is invoked.
$say = function () { return $this->say(); };
class Greeter
{
    /** Prints the greeting followed by a newline. */
    public function say()
    {
        echo 'Hello!', "\n";
    }
}
class Fareweller
{
    /** Prints the farewell followed by a newline. */
    public function say()
    {
        echo 'Goodbye!', "\n";
    }
}
// One closure, two receivers: Closure::bind() is the static spelling of
// $say->bindTo(). The closure's scope is left as-is, which suffices because
// say() is public on both classes.
$say = function () { return $this->say(); };
$hello = Closure::bind($say, new Greeter);
$goodbye = Closure::bind($say, new Fareweller);
$hello();
$goodbye();
Hello!
Goodbye!
// Pre-5.4: a call result cannot be indexed directly, so a temporary holds the
// array first. arrayFunction() is not defined in this excerpt.
$temp = arrayFunction();
$value = $temp['key'];
// Pre-5.4 form again: the temporary exists only to be indexed on the next line.
$temp = arrayFunction();
$value = $temp['key'];
// PHP 5.4 array dereferencing of a call result; no temporary needed. A missing
// 'key' still raises an undefined-index notice, as in the two-step form.
$value = arrayFunction()['key'];
// Long array() syntax: a list with keys 0..2 and a string-keyed map.
$list = array(1, 2, 3);
$assoc = array('a' => 1, 'b' => 2, 'c' => 3);
// Same two arrays in the long array() syntax, for comparison with [] below.
$list = array(1, 2, 3);
$assoc = array('a' => 1, 'b' => 2, 'c' => 3);
// PHP 5.4 short array syntax; identical values to the array() version above.
$list = [1, 2, 3];
$assoc = ['a' => 1, 'b' => 2, 'c' => 3];
// Pre-5.4: the object must be stored before a method can be called on it.
// The formatted string is computed and discarded here.
$temp = new DateTime();
$temp->format('r');
// Pre-5.4 form again: temporary only so that format() can be called.
$temp = new DateTime();
$temp->format('r');
// PHP 5.4: method call directly on the new expression; result is discarded.
(new DateTime())->format('r');
5.3.8 | 5.4.0 RC1 | δ | |
---|---|---|---|
Wordpress | 7.02 | 7.28 | 3.70% |
Drupal | 7.07 | 7.17 | 1.41% |
Joomla! | 5.99 | 5.73 | -4.34% |
SilverStripe | 8.25 | 8.67 | 5.09% |
<?=
always available
0b101010 === 42
callable
type hint
make test
results