In every issue we bring you the latest news from the PHP, Zend Engine and PEAR development mailing lists, including new features, important bug fixes, notable PEAR package releases, interesting active discussions and more.
PHP News
Security Advisory: CGI vulnerability in PHP 4.3.0
If you have been using the CGI version of PHP 4.3.0, it is *highly* recommended that you upgrade to version 4.3.1. The vulnerability allows an attacker to read any file that is readable by the user under where the webserver runs. This could potentially allow the execution of arbitrary PHP code.
Dealing with newbies...
The quantity of people asking newbie questions on the internals list seems to be increasing again lately. Since the typical php-dev person's life is far too busy to deal with these questions, a number of suggestions have been made on how to prevent newbies from asking their questions in the wrong place. They are:
- Charge $100 per PHP license
- Make the list moderated, but allow those with CVS accounts to post freely
- Change the name of the developers list to php-internals@lists.php.net
IMO, the second of these is more likely to happen, if anything, although in another thread there was quite strong resistance to moderating the list (see later!).
zend_timeout and the SIGPROF signal
There have been some slight concerns about the way that the max_execution_time setting is implemented on the UNIX platform. Wojtek Meler is concerned that there is a risk of resources being left in an undefined state, perhaps causing a deadlock.
This should not affect a well-written PHP extension though, as PHP has a well defined resource management system that will correctly release any resources that were used.
Zeev Suraski and Thies Arntzen have apparently discussed this issue in the past, and Zeev is working towards a solution.
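As an added illustration of the concern above (this is example code, not PHP's own zend_timeout implementation), the pattern that keeps resources out of an undefined state: the SIGPROF handler does nothing but set a flag, and the interpreter loop checks that flag at safe points, so the "script" always reaches its normal cleanup path. The resources_held counter standing in for PHP's resource list is an assumption of this example.

```c
/* Cooperative CPU-time limit in the style of max_execution_time.
 * The signal handler only sets a flag; all real work (including
 * releasing resources) happens at a safe point in the main loop. */
#define _DEFAULT_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/time.h>

static volatile sig_atomic_t timed_out = 0; /* only thing the handler touches */
static int resources_held = 0;              /* stands in for PHP's resource list (assumed) */

static void on_sigprof(int sig) { (void)sig; timed_out = 1; }

/* Arm a CPU-time limit of 'ms' milliseconds using ITIMER_PROF / SIGPROF. */
static int arm_timeout(long ms)
{
    struct sigaction sa;
    struct itimerval it;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigprof;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGPROF, &sa, NULL) != 0) return -1;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    timed_out = 0;
    return setitimer(ITIMER_PROF, &it, NULL);
}

static void disarm_timeout(void)
{
    struct itimerval off;
    memset(&off, 0, sizeof off);
    setitimer(ITIMER_PROF, &off, NULL);
}

/* Simulated script: acquires one resource, burns CPU for 'iterations'
 * rounds, checking the flag at each round. Returns 1 if cut short by
 * the timeout, 0 if it finished; the resource is released either way. */
int run_script(long limit_ms, unsigned long iterations)
{
    volatile unsigned long sink = 0;
    unsigned long i;
    int aborted = 0;
    resources_held++;                 /* "script" opens a handle */
    arm_timeout(limit_ms);
    for (i = 0; i < iterations; i++) {
        if (timed_out) { aborted = 1; break; }    /* safe point */
        for (int j = 0; j < 1000; j++) sink += j;  /* some CPU work */
    }
    disarm_timeout();
    resources_held--;                 /* release runs on both paths */
    return aborted;
}

int held_resources(void) { return resources_held; }
```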
Next generation ext_skel - ext_skel_ng
Hartmut Holzgraefe announced the general availability of his rewritten-from-scratch utility to generate the framework for PHP extensions. This new version will take your function definitions from an XML file and generate the C source code with skeleton PHP functions, header files, UNIX configuration scripts and even a Windows .dsp project file!
New Date extension
Pierre-Alain Joye announced his work in progress on a new Date extension for PHP 5. The intention is to provide a fast native date/time manipulation library for PHP in which dates are represented as resources/objects.
New tzfile and OpenSSL socket extension
David Gillies announces that he wishes to contribute his tzfile extension (which can be used to determine historical timezone offsets from UTC) and a low-level wrapper for some 80 routines in the OpenSSL library, so that it can be used to communicate with SSL/TLS enabled servers. This extension is intentionally incompatible with the new PHP Streaming API, to aid people porting code from C/C++ to PHP.
New MySQL Extension for PHP 5 and MySQL 4.1
Georg Richter announced his new extension for MySQL 4.1. The new mysqli extension is not backwards compatible with the original mysql extension, as it is designed to act as a simpler, more maintainable wrapper around the API exposed by the new version of MySQL. Some of the features include:
- OO and plain interface
- Database Connections can use SSL
- prepare/execute SQL statements for greater performance
- Support for bigints
- Support for replication
Alternative Apache2 SAPI
Justin Erenkrantz had the amazing stroke of genius of implementing PHP support under Apache 2 using the good old-fashioned handler approach rather than as a filter. Why this didn't occur to anyone else before, we're not quite sure, but it means that PHP should be much more stable when used in conjunction with Apache 2.
Sunrise, Sunset
Moshe Doron, a contributor to the calendar extension, proposed two new functions that calculate the time of the sunrise and sunset on a particular date. There was a generally warm response, although some discussion on what to name these functions took place.
Moshe suggested sun_rise() and sun_set(), which caused a few chuckles (as it implies the existence of other functions that operate on the sun), but finally it was agreed that date_sunrise() and date_sunset() were appropriate names.
The secret PHP 5 Mailing List
There was some (unnecessary) outrage by a few individuals when it was discovered that a number of core developers had been corresponding with each other and discussing issues related to the implementation of PHP 5 using a private mailing list.
The concern was that key decisions were being made without the input of the wider range of developers subscribed to the php-dev list, and the fear was that the development of PHP was turning into a closed process.
However, the decision to correspond in private was made because php-dev was getting increasingly noisy, and important discussions were getting lost in that noise. One of the contributing factors to this noise are the non-developers on the php-dev list who believe they are qualified to make important decisions, when they do not even have an understanding of either the Zend Engine or other PHP infrastructure.
So, after much wasted time on needless discussion (which was what we set out to avoid), php5-dev is now a moderated list visible to the public (via news.php.net).
Reducing the number of system calls for includes
Rasmus Lerdorf noted that PHP appears to make a very large number of system calls each time a file is included in a script. He is particularly interested in squeezing every last ounce of performance out of PHP for use at Yahoo! (where it *really* matters).
The key issue is that under FreeBSD these system calls are much slower than they are under Linux. PHP makes these calls in order to ensure that include_once and require_once work reliably.
CVS Account Requests
This installment's round-up of CVS account requests includes a large number of new people helping to translate the extensive online PHP manual, and quite a few developers working on PEAR classes and PECL extensions.
In addition to those people we also have had our (usual) share of less-serious requests from people that are either unsure of what a CVS account really means, or just want to have one of these nice looking myname@php.net email addresses. Well, finally, someone had the guts to admit it:
From: Brian Fraval
Subject: CVS Account Request: hitweb
Because I want a mail @php.net.
And I want to help you translate the documentation.
New Abstract Data Type Extension
Sterling Hughes announces that his ADT extension is now in an alpha state and ready for people to provide feedback and testing. ADT is a PHP extension that provides a collection of Abstract Data Types (ADT), including trees, graphs, queues, heaps, sets and stacks.
You can find more information about ADT at www.php.net/~sterling/adt/
Request Data Filter
Rasmus Lerdorf proposed a mechanism that allows PHP extensions to hook into the part of PHP that creates the $_REQUEST, $_GET, $_POST and $_COOKIE variables. Extensions will be able to filter and manipulate these variables before they are passed into the script itself; this provides a simple but effective way to prevent XSS attacks.
PEAR News
PEAR Out of Beta
After a very long waiting period, the PEAR Team has released version 1.0 of the PEAR installer and base classes. The release also includes some minor changes. PEAR 1.0.1 was released a few weeks later and contains bug fixes.
New PEAR Resources Site
Pierre-Alain Joye has announced a new website containing tutorials and guides for PEAR. The tutorials are in English and French (German translations will follow soon). If you wish to help by writing or translating please contact Pierre-Alain: www.pearfr.org
Mono PECL Extension
Sterling Hughes has announced his Mono extension and added it to the PECL repository. Using the extension you can access Mono assemblies: www.go-mono.org
Installing PEAR on Windows
Many users complained about the lack of PEAR in the Windows version of PHP 4.3.0. This was the result of a misunderstanding between the PEAR development team and the Windows package maintainers. PEAR will be included in the PHP 4.3.2 Windows package. In the meantime, Windows users can use the go-pear script to install PEAR on their systems:
php -n -q -r "include('http://go-pear.org');"
phpDocumentor News
The phpDocumentor developers have announced that the peardoc2 to phpDocumentor converter is now ready for testing. If you wish to test it, you can fetch the latest sources using anonymous CVS. The phpDocumentor effort helps a lot in improving the current PEAR documentation and adding documentation for packages that lack it. Instructions can be found at www.phpdoc.org
IT[X] Patches
Alexey Borzov suggested some patches to the IT[X] package; this was followed by a big fight about backwards compatibility and other issues. One of the ideas brought up in the discussion/fight was to fork IT[X] and include Alexey's modifications and additions in the fork. A final decision hasn't been made yet.
Auth_SOAP Container For Auth
The Auth_SOAP Container proposed by Bruno Pedro can be used to fetch the authentication data from a SOAP service.
Proposed Packages
Net_IMAP
Damian Alejandro Fernandez Sosa has proposed the Net_IMAP package for inclusion into the PEAR repository. The package features an implementation of the IMAP protocol in pure PHP, so it doesn't depend on the IMAP extension. It also provides some functionality that the extension lacks.
Net_LMTP
Another package proposed by Damian was Net_LMTP, an implementation of the Local Mail Transfer Protocol, as described in RFC 2033. It is based upon Net_SMTP and has a similar API.
Time
Leandro Lucarella has proposed the Time package for inclusion. This package provides an API for calculating time differences, comparing times and more. Pierre-Alain Joye asked the author if it's possible to merge the class into the Date package. Again, no final decision has been made yet.
HTTP_Session
Alexandar Radivanovich has proposed an HTTP_Session package for handling HTTP Sessions. Several developers have voted in favour of including it and it should be added soon.
Crypt_DES
Tim Thorpe has proposed his Crypt_DES package, which implements DES (Data Encryption Standard) encryption and decryption. It includes both a wrapper to the mcrypt extension and an implementation in PHP.
LDAP_DataObject
Alan Knowles, the author of the popular DB_DataObject, has proposed his LDAP_DataObject package, based on the DB_DataObject package. An example is available at devel.akbkhome.com/LDAP_DataObject/demo.php.txt
Notable Package Releases
If several versions of a package have been released, only the latest is listed.
PEAR 1.0.1, Auth 1.2.0, HTML_QuickForm 2.9, Cache 1.5.3, Log 1.6.0, HTML_TreeMenu 1.1.4, DB 1.4b1, apd 0.4p2, Archive_Tar 1.0, Net_FTP 0.9, DB_DataObject 0.14, imagick 0.9.5, phpDocumentor 1.2.0beta3.
Zend Engine News
"Final" methods
Marcus Börger has been campaigning to have "final" methods introduced into the new OO model in PHP 5. Those from a Java background will remember that final methods are methods that can never be overridden in descendant classes.
Zeev Suraski and others didn't really feel that final methods have a place in PHP, but can see that it is useful, even if it is not something that the majority of people will use. Zeev is implementing it even as I type this paragraph.
Object IDs
Sebastian Bergmann requested that there be a new function to return a unique identifier for objects that could be used as a hash key. This is useful when you keep a list of objects and later want to remove a specific object from the hash.
One way to implement this would be to return the internal object handle, but there were some concerns about the safety of exposing pointers at the script level. In addition, it seems that it is not quite so straight-forward to get a unique identifier for an object. The issue is still open.
Goodbye Nested Classes, Hello namespaces
The list was taken by surprise when Stanislav Malyshev committed this unexpected change; PHP 5 now implements a real namespace model, rather than a hack using nested classes. The key features of namespaces are:
- The new "namespace" element will be able to contain classes, functions, variables and constants.
- There will be only one level of namespaces (so they cannot nest). Namespaces may include a single colon character, so that you get the same psychological effect as having real nested namespaces. Examples of valid names are 'PEAR', 'PEAR:DB' and 'PEAR:DB:MySQL'. The colon character does not imply any special relationship between these namespaces.
- Code within a namespace element will resolve symbols within that namespace before checking at the global scope.
- You can modify the symbol resolution by using the "import" keyword. In order to use symbols from the PEAR:DB namespace without prefixing them with PEAR:DB, you would use something like this: "import * from PEAR:DB;"
Public, Private, Protected (and Abstract)
There was a great deal of discussion about these features, which are useful for people writing OO libraries using PHP. As the OO buffs among you will know, public, private and protected affect the visibility of methods and properties in descendant classes and in code called from "outside" of the class itself. This is useful to 'hide' implementation-specific details from code that does not (and should not) need to know about them. It encourages safer programming.
In general, people were in favour of the change, although concerned about the impact that this has on dynamically adding properties to classes; an object model that is 100% correct would not allow this, but this is one of the corner-stones of PHP programming.
Various solutions to this problem were mentioned; essentially there would be a "strict" class or mode where dynamic properties are not allowed, and a "dynamic" class or mode where they are allowed. No firm decision has been made on this topic yet.