CHAPTER 7 – TYPES OF ERRORS – Portability Errors
Operating System Differences

Although PHP itself runs on many different platforms, that does not automatically make all PHP code 100 percent platform-independent. There are always some OS-specific issues to consider. Here are some examples:

- PHP functions that are available only on a specific platform
- PHP functions that are not available on a specific platform
- PHP functions that differ slightly on different platforms
- Which character is used to separate path components in file names
- External programs or services that are not available on all platforms

PHP Configuration Differences

With all the different options available in PHP's configuration file (php.ini), it is easy to get into trouble when making assumptions about these settings.

One common example is the magic_quotes_gpc ini option. If this option is enabled, PHP adds slashes (like the addslashes() function) on all external data. If you write your code on a system with this option disabled, and then move it to a server with magic_quotes_gpc enabled, your user input will suffer from "backslash pollution."

The correct way to handle such variations is to check in your PHP code whether an option is enabled, using the ini_get() function, and make the appropriate adjustments. For example, in the magic_quotes_gpc case, you should do this:

    <?php
    require_once "DB.php"; // PEAR DB, which provides DB::connect()

    $dbh = DB::connect("mysql://user:pw@localhost/test");
    if (ini_get("magic_quotes_gpc")) {
        // stripslashes() returns the cleaned string, so assign it back
        $_GET["email"] = stripslashes($_GET["email"]);
    }
    // The value is passed through a placeholder, not built into the SQL text
    $dbh->query("INSERT INTO emails VALUES(?)", array($_GET["email"]));
    ?>
register_globals

The register_globals setting determines whether PHP should import GET, POST, cookie, environment, or server variables as global variables. In reusable code, avoid relying on register_globals; instead, use the superglobal variables provided for accessing them ($_GET and friends).

register_argc_argv

This setting controls whether the global variables $argc and $argv should be set. In the CLI version of PHP, these are set by default and required for PHP to access command-line parameters.

magic_quotes_gpc, magic_quotes_runtime

Magic quotes is the name of a PHP feature that automatically quotes input data by using the addslashes() function. Historically, this was used so that form data could be used directly in SQL queries without any security or quoting issues. Today, form data is used for much more, and magic quotes quickly get in the way. We recommend that you disable this feature, but portable code must be aware of these settings and deal with them appropriately by calling stripslashes() on GPC (GET, POST, and cookie) data.

y2k_compliance

Setting y2k_compliance to on causes PHP to display four-digit years instead of two-digit years. Oddly enough, the only value that is known to cause problems with some browsers is on, which is why it is off by default.

unserialize_callback_func

This setting is a string with the name of the function used for de-serializing data when the unserialize() function is used.

arg_separator.input

When receiving GET and POST form data, the ampersand character (&) is used by default to separate key-value pairs. With this option, the separator character can be changed to something else, which could cause portability problems.

allow_url_fopen

By default, PHP's file functions support reading and writing URLs. If this option is set to false, URL file operations are disabled. You may need to deal with this in portable code, either by having a userland implementation in reserve, or by checking at startup whether this option is set and refusing to run if URL file operations are not allowed.
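
The two adjustments described above, undoing magic quotes on GPC data and refusing to run when URL file operations are disabled, combined into one startup routine. This is an added example, not code from the book; the function names strip_magic_quotes() and require_url_fopen() and the sample input are made up for illustration.

```php
<?php
// Added example, not code from the book. Function names and the sample
// input below are made up for illustration.

// Undo addslashes()-style escaping. Request values can be nested arrays
// (for example ?tag[]=a&tag[]=b), so recurse instead of calling
// stripslashes() on each top-level entry.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Refuse to run when URL file operations are switched off.
function require_url_fopen()
{
    if (!ini_get('allow_url_fopen')) {
        error_log('allow_url_fopen is disabled; cannot open URLs');
        exit(1);
    }
}

// Startup: normalize every GPC source once, before any other code reads it.
// ini_get() returns false for an option the running PHP does not know,
// so the check is also safe where magic quotes do not exist.
if (ini_get('magic_quotes_gpc')) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}
require_url_fopen();

// Constructed sample: what a server with magic_quotes_gpc enabled would
// hand to the script for email=o'brien@example.com&tag[]=a"b
$polluted = array(
    'email' => addslashes("o'brien@example.com"),
    'tag'   => array(addslashes('a"b')),
);
$clean = strip_magic_quotes($polluted);
echo $clean['email'], "\n";
echo $clean['tag'][0], "\n";
```

Stripping the slashes only restores the raw input; the query placeholder used in the earlier INSERT example is still what keeps that input out of the SQL text.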