…and one giant step for PHP security
April 17th, 2006 by Sid, Filed under: Web
While hosting providers are still undecided on whether to upgrade to PHP5 or not, the people pushing the limits of possibility are already busy planning PHP6. PHP6 is mainly a cleanup of the code base plus the addition of some object-oriented features (and some other little bits which probably mean more to others than to me). Nevertheless, in terms of security it’s something I’m already drooling over.
Every week several exploits are found in various applications written in PHP. Even given the vast number of applications (and therefore flaws), some problems can’t be blamed solely on the coder. For me at least, there have always been functions I’m extremely careful about whenever I pass any parameter into them. Now all this is going to be made simpler, safer and better.
Register globals are gone! No more detecting it and coding around it, or worse: not detecting it and getting your ass pwned. To be honest, hardly anyone has it on anymore, but I’ve still found it a major hassle, especially when I’m helping out people who are used to having it on and suddenly have lost it.
Magic quotes are gone! Again, no hassle of detection. Instead we’ll have the input_filter extension, which is so very much better.
Easier detection of MIME types, which should improve checking whether uploaded files are valid.
header() will only accept one header, hopefully virtually killing off HTTP response splitting attacks.
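To show what that stricter header() is protecting against, here is the defensive check a redirect has to do by hand today; this is an added example in current PHP syntax, not code from the original post, and the helper names are mine:

```php
<?php
// Added example, not from the original post. A redirect that passes user
// input straight into header() is the classic HTTP response splitting hole:
// a CR/LF inside the value ends the Location header and whatever follows is
// parsed as further headers or even a second response.

// Hypothetical helper: returns the value if it is a single, well-formed
// header value, or null if it contains anything that could start a new line.
function single_header_value(string $value): ?string
{
    // CR, LF and NUL are the characters that split or truncate a header.
    // Reject rather than strip, so the caller knows the input was bad.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Hypothetical helper: only allow same-site relative targets, which also
// closes the open-redirect problem that usually travels with this code.
function safe_redirect_target(string $target): ?string
{
    $target = single_header_value($target);
    if ($target === null) {
        return null;
    }
    // Exactly one leading slash: no scheme, no "//host" protocol-relative form.
    if (!preg_match('#^/(?!/)\S*$#', $target)) {
        return null;
    }
    return $target;
}

// Hardened redirect: validate before header() instead of trusting the runtime.
function redirect_to(string $target): void
{
    $safe = safe_redirect_target($target);
    if ($safe === null) {
        error_log('rejected redirect target: ' . bin2hex($target));
        $safe = '/';   // fixed fallback, never echo the rejected input
    }
    header('Location: ' . $safe);
}

// Constructed sample inputs: one accepted, two rejected for different reasons.
$samples = [
    '/account/settings',
    'http://other.example/',        // absolute URL: open redirect
    "/account\r\nX-Injected: 1",    // CR/LF: response splitting
];
foreach ($samples as $s) {
    printf("%-36s => %s\n", json_encode($s), safe_redirect_target($s) ?? 'REJECTED');
}
```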
For full details about the April PHP6 meeting read the minutes.