PHP 6, the next major revision of the popular Web application development language, looms on the horizon and promises many changes. Learn what's new and what's obsolete and how to prepare your code for tomorrow.
It’s no secret that PHP has changed significantly since the earliest versions of PHP 4 were released almost a decade ago. Indeed, each major revision of PHP has required code changes, as language features were added, modified, and obsoleted. Depending on your PHP code, PHP 6 will be no exception.
Although PHP 6 isn’t yet available as a pre-built package, you can download and install a development snapshot of PHP 6 now to check out the new features and verify your scripts remain functional. Since PHP 6 removes some backwards-compatibility features (which, in the long term, is a good thing), you should test your existing code thoroughly.
Downloading and Building PHP 6
To compile, install, and run PHP 6, you must have the GNU make utility, a compiler such as gcc, some additional libraries to power new PHP features, and a Web server. Compiling and installing PHP 6 requires:
Apache with development headers, such as apache-prefork-dev. The threaded MPM version of Apache is not recommended for use by the PHP group for production use.
An International Component for Unicode (ICU) library, like libicu-dev
The XML2 development headers, libxml2-dev
These dependencies can be installed instantly on Ubuntu by typing:
$ sudo apt-get install apache-prefork-dev libicu-dev libxml2-dev
These few dependencies enable a bare-bones installation of PHP 6, without database, image, or FreeType 2 support.
You can get the latest PHP 6 source package from
"http://snaps.php.net">http://snaps.php.net. Save the source package as a file in your home
folder and unpack it:
$ tar -xzvf php6.0-[TSTAMP].tar.gz
(In the latter command,
[TSTAMP] is the time stamp of the build you
Change to the new directory created by tar and run the configure script:
$ cd php6.0-[TSTAMP]
$ ./configure --exec-prefix=/usr \
Since PHP 6 enables Unicode support, you must have an International
Component for Unicode library and headers. If necessary, the location of your ICU can specified with
--with-icu-dir option to the configure script.
--with-apxs2 option builds the Apache module. In this example,
install the PHP files in locations more consistent with those of PHP 5, just for convenience.
After running the configure script, compile, test, and install the PHP 6 distribution:
$ make test
$ sudo make install
The tests take some time to run (as of the time of this writing, there are over 7,000 tests), but you will get better results if you verify the build. Since these are development snapshots and not intended for production, you should make sure the code doesn’t contain problems that will cause you issues later.
Verfiy the command line interpreter is installed correctly by typing:
$ php --version
If PHP 6 has been successfully installed and is in your execution path, you will see something
PHP 6.0.0-dev (cli) (built: Jun 30 2009 08:02:29)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2009 Zend Technologies
After you’ve installed the PHP 6 binaries, you’ll need to verify that PHP 6 has been successfully installed as a module or extension to your web server. To make sure your web server is pointed to PHP 6, put the
phpinfo() function in a file and point to it from the browser.
<?php phpinfo(); ?>
You should see the PHP 6 version at the top. Review the unicode section to make sure that unicode support is enabled and is the proper version.
Things to Change
Since PHP 6 removes some backwards compatibility features, your main concern is to make sure that your PHP scripts are up to date before upgrading your system. Following the tips in this section—like discontinuing the use of
magic_quotes—will not only help you get ready for PHP 6 but will also help you to make your code more secure.
In PHP versions prior to version 6, the
register_globals setting allowed you to register “EGPCS” (Environment, GET, POST, Cookie, and Server) variables as global variables. For many reasons, using
register_globals is a poor security practice that could lead to cross-site scripting holes. An attacker could populate a variable using a query string parameter (GET) where your script was originally looking for cookie values or POST variables. As a developer, you should be sure where your variables are coming from, whether it’s from a GET or POST method or from a cookie. As of PHP 5.3.0, the
register_globals feature is deprecated, and as of PHP 6 it is completely removed.
Hence, code that used to look like this…
$myvar = $value // where did this come from, anyway?
… should now look like this:
$myvar = $_GET['value'];
magic_quotes INI directive, when enabled, allowed PHP to do some level of escaping quotes in HTML input for you. Some developers use
magic_quotes instead of SQL-implementation specific functions to avoid SQL injection attacks. However, doing so can lead to more problems than it solves.
magic_quotes are rumored to be turned off completely in PHP 6, so functions like
magic_quotes_gpc() won’t work as expected.
Review your code carefully to determine how you’re handling input. If you rely on
magic_quotes, make sure to replace that code with the appropriate functions for your database implementation or other output—such as
mysql_escape_string() (for a MySQL implementation) or
addslashes() (for other implementations that require escaped strings).
The best practice for running database statements is to prepare the statement, like this:
$statement = $dbh->prepare("DELETE FROM USERS WHERE USERNAME = ?");
HTTP_*_VARS, which are replaced by shorter array names, are completely removed in PHP 6. If the
register_long_arrays setting is declared in the INI, PHP 6 emits an error of type
To update your code to be ready for PHP 6, replace all instances of the long arrays with the shorter array names.
PHP 6 offers Unicode support for Unicode characters in input, output, processing files, and for PHP scripts themselves. The most common of the Unicode encodings is UTF-8, which is the default encoding for many of the PHP 6 functions.
Although Unicode support is a useful addition to PHP 6, it might not be required for your environment. If you want to disable Unicode, use the
unicode.semantics key in the PHP INI:
unicode.semantics = Off
The Unicode encoding can be set by the INI keys:
|Unicode INI setting
||Sets the site-wide default encoding for text sent to standard output
||Sets the encoding for file and directory names.
||Sets the encoding for the PHP scripts themselves.
||Sets the encoding used in the PHP runtime when converting binary strings