日期:2013-10-21  浏览次数:20509 次

PHP 4.1.0 Release Announcement

PHP 4.1.0 出版公告(1)

After a lengthy QA process, PHP 4.1.0 is finally out.
Download at http://www.php.net/downloads.php !

PHP 4.1.0 includes several other key improvements:
- A new input interface for improved security (read below)

一个新的输入界面来提高安全性

- Highly improved performance in general

极大提高了性能

- Revolutionary performance and stability improvements under
Windows. The multithreaded server modules under Windows (ISAPI,
Apache, etc.) perform as much as 30 times faster under load! We
want to thank Brett Brewer and his team in Microsoft for working
with us to improve PHP for Windows.

Windows 下革命性的性能和稳定性。多线程服务器模块提供了快30倍的性能。

- Versioning support for extensions. Right now it's barely being
used, but the infrastructure was put in place to support separate
version numbers for different extensions. The negative side effect
is that loading extensions that were built against old versions of
PHP will now result in a crash, instead of in a nice clear message.
Make sure you only use extensions built with PHP 4.1.0.

扩展翻译支持,现在他还很少用到,但是放置了基础构造来支持某些不同版本号的扩展模块。负面影响是他和老版本的扩展模块冲突。你需要确定使用了 php4.1.0的扩展模块。

- Turn-key output compression support

支持 Turn-key 输出压缩

- *LOTS* of fixes and new functions

修正了很多地方,增加了许多函数。

As some of you may notice, this version is quite historical, as it's
the first time in history we actually incremented the middle digit! :)
The two key reasons for this unprecedented change were the new input
interface, and the broken binary compatibility of modules due to the
versioning support.

{没看懂!!呵呵!以后看懂了再翻译}

Following is a description of the new input mechanism. For a full
list of changes in PHP 4.1.0, scroll down to the end of this section.

下面是新的输入机制的描述。完整的更改列表请看后面

-----------------------------------

SECURITY: NEW INPUT MECHANISM

安全:新的输入机制

First and foremost, it's important to stress that regardless of
anything you may read in the following lines, PHP 4.1.0 *supports*
the old input mechanisms from older versions. Old applications
should go on working fine without modification!

首先,也是最重要的,必须强调对下面内容足够重视是非常重要的。php 4.1.0 支持旧的输入机制。老的应用程序仍然可以运行,不用修改。

Now that we have that behind us, let's move on :)

下面是内容

For various reasons, PHP setups which rely on register_globals
being on (i.e., on form, server and environment variables becoming
a part of the global namespace, automatically) are very often
exploitable to various degrees. For example, the piece of code:

由于各种原因,PHP需要设置 register_globlas ON(例如在标单,服务器,环境变量自动成为全局命名空间的一部分),他们经常被不同程度的干扰。下面是一段代码:

<?php
if (authenticate_user()) {
$authenticated = true;
}
...
?>

May be exploitable, as remote users can simply pass on 'authenticated'
as a form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this misfeature.

可以通过表单里面传送 authenticated 变量来欺骗,即使 authenticate_user()返回false,$authenticated 仍然被设置为true.这只是一个非常简单的例子,实际上,相当多的程序被类似的错误特性欺骗

While it is quite possible to write secure code in PHP, we felt that the
fact that PHP makes it too easy to write insecure code was bad, and we've
decided to attempt a far-reaching change, and deprecate register_globals.
Obviously, because the vast majority of the PHP code in the world relies
on the existence of this feature, we have no plans to actually remove it
from PHP anytime in the foreseeable future, but we've decided to encourage
people to shut it off whenever possible.

当然,完全可以书写安全的PHP代码,我们觉得事实上,PHP使得书写不安全