PHP
PHP is a general-purpose scripting language geared towards web development.[8] It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.[9][10] The PHP reference implementation is now produced by the PHP Group.[11] PHP was originally an abbreviation of Personal Home Page,[12][13] but it now stands for the recursive initialism PHP: Hypertext Preprocessor.[14]
This article is about the scripting language. For other uses, see PHP (disambiguation).Paradigm
dual licensed GNU General Public License version 2 or any later version and PHP License for PHP versions 3.0 or earlier.[5] Only PHP License (most of Zend engine under Zend Engine License) for 3.01x and later versions.
.php
,.phar
,.phtml
,.pht
,.phps
PHP code is usually processed on a web server by a PHP interpreter implemented as a module, a daemon or a Common Gateway Interface (CGI) executable. On a web server, the result of the interpreted and executed PHP code—which may be any type of data, such as generated HTML or binary image data—would form the whole or part of an HTTP response. Various web template systems, web content management systems, and web frameworks exist that can be employed to orchestrate or facilitate the generation of that response. Additionally, PHP can be used for many programming tasks outside the web context, such as standalone graphical applications[15] and drone control.[16] PHP code can also be directly executed from the command line.
The standard PHP interpreter, powered by the Zend Engine, is free software released under the PHP License. PHP has been widely ported and can be deployed on most web servers on a variety of operating systems and platforms.[17]
The PHP language has evolved without a written formal specification or standard, with the original implementation acting as the de facto standard that other implementations aimed to follow.
W3Techs reports that as of 23 March 2024 (the four months after the PHP 8.3 release), PHP is used by 76.4% of all websites whose programming language could be determined, and 57.2% thereof use PHP 7 which is outdated and known to be insecure.[18] Additionally, PHP 8.0 is no longer supported, meaning the vast majority of PHP users utilize outdated versions, and well over half of all websites, PHP-using or not (whose programming language could be determined) are insecure.
The only complete PHP implementation is the original, known simply as PHP. It is the most widely used and is powered by the Zend Engine. To disambiguate it from other implementations, it is sometimes unofficially called "Zend PHP". The Zend Engine compiles PHP source code on-the-fly into an internal format that it can execute, thus it works as an interpreter.[232][233] It is also the "reference implementation" of PHP, as PHP has no formal specification, and so the semantics of Zend PHP define the semantics of PHP. Due to the complex and nuanced semantics of PHP, defined by how Zend works, it is difficult for competing implementations to offer complete compatibility.
PHP's single-request-per-script-execution model, and the fact that the Zend Engine is an interpreter, leads to inefficiency; as a result, various products have been developed to help improve PHP performance. In order to speed up execution time and not have to compile the PHP source code every time the web page is accessed, PHP scripts can also be deployed in the PHP engine's internal format by using an opcode cache, which works by caching the compiled form of a PHP script (opcodes) in shared memory to avoid the overhead of parsing and compiling the code every time the script runs. An opcode cache, Zend Opcache, is built into PHP since version 5.5.[234] Another example of a widely used opcode cache is the Alternative PHP Cache (APC), which is available as a PECL extension.[235]
While Zend PHP is still the most popular implementation, several other implementations have been developed. Some of these are compilers or support JIT compilation, and hence offer performance benefits over Zend PHP at the expense of lacking full PHP compatibility. Alternative implementations include the following:
Development and community[edit]
PHP includes various free and open-source libraries in its source distribution or uses them in resulting PHP binary builds. PHP is fundamentally an Internet-aware system with built-in modules for accessing File Transfer Protocol (FTP) servers and many database servers, including PostgreSQL, MySQL, Microsoft SQL Server and SQLite (which is an embedded database), LDAP servers, and others. Numerous functions are familiar to C programmers, such as those in the stdio family, are available in standard PHP builds.[242]
PHP allows developers to write extensions in C to add functionality to the PHP language. PHP extensions can be compiled statically into PHP or loaded dynamically at runtime. Numerous extensions have been written to add support for the Windows API, process management on Unix-like operating systems, multibyte strings (Unicode), cURL, and several popular compression formats. Other PHP features made available through extensions include integration with Internet Relay Chat (IRC), dynamic generation of images and Adobe Flash content, PHP Data Objects (PDO) as an abstraction layer used for accessing databases,[243][244][245][246][247][248][249] and even speech synthesis. Some of the language's core functions, such as those dealing with strings and arrays, are also implemented as extensions.[250] The PHP Extension Community Library (PECL) project is a repository for extensions to the PHP language.[251]
Some other projects, such as Zephir, provide the ability for PHP extensions to be created in a high-level language and compiled into native PHP extensions. Such an approach, instead of writing PHP extensions directly in C, simplifies the development of extensions and reduces the time required for programming and testing.[252]
By December 2018 the PHP Group consisted of ten people: Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, and Andrei Zmievski.[253]
Zend Technologies provides a PHP Certification based on PHP 7[254] exam (and previously based on PHP 5.5) for programmers to become certified PHP developers.
Formation
November 22, 2021
Automattic, Laravel, Acquia, Zend, Private Packagist, Symfony, Craft CMS, Tideways, PrestaShop, JetBrains[255]
There are two primary ways for adding support for PHP to a web server – as a native web server module, or as a CGI executable. PHP has a direct module interface called server application programming interface (SAPI), which is supported by many web servers including Apache HTTP Server, Microsoft IIS and iPlanet Web Server. Some other web servers, such as OmniHTTPd, support the Internet Server Application Programming Interface (ISAPI), which is Microsoft's web server module interface. If PHP has no module support for a web server, it can always be used as a Common Gateway Interface (CGI) or FastCGI processor; in that case, the web server is configured to use PHP's CGI executable to process all requests to PHP files.[264]
PHP-FPM (FastCGI Process Manager) is an alternative FastCGI implementation for PHP, bundled with the official PHP distribution since version 5.3.3.[265] When compared to the older FastCGI implementation, it contains some additional features, mostly useful for heavily loaded web servers.[266]
When using PHP for command-line scripting, a PHP command-line interface (CLI) executable is needed. PHP supports a CLI server application programming interface (SAPI) since PHP 4.3.0.[267] The main focus of this SAPI is developing shell applications using PHP. There are quite a few differences between the CLI SAPI and other SAPIs, although they do share many of the same behaviours.[268]
PHP has a direct module interface called SAPI for different web servers;[269] in case of PHP 5 and Apache 2.0 on Windows, it is provided in form of a DLL file called php5apache2.dll,[270] which is a module that, among other functions, provides an interface between PHP and the web server, implemented in a form that the server understands. This form is what is known as a SAPI.
There are different kinds of SAPIs for various web server extensions. For example, in addition to those listed above, other SAPIs for the PHP language include the Common Gateway Interface and command-line interface.[269][271]
PHP can also be used for writing desktop graphical user interface (GUI) applications, by using the PHP-GTK extension. PHP-GTK is not included in the official PHP distribution,[264] and as an extension, it can be used only with PHP versions 5.1.0 and newer. The most common way of installing PHP-GTK is by compiling it from the source code.[272]
When PHP is installed and used in cloud environments, software development kits (SDKs) are provided for using cloud-specific features. For example:
Numerous configuration options are supported, affecting both core PHP features and extensions.[275][276] Configuration file php.ini
is searched for in different locations, depending on the way PHP is used.[277] The configuration file is split into various sections,[278] while some of the configuration options can be also set within the web server configuration.[279]
Security[edit]
In 2019, 11% of all vulnerabilities listed by the National Vulnerability Database were linked to PHP;[308] historically, about 30% of all vulnerabilities listed since 1996 in this database are linked to PHP. Technical security flaws of the language itself or of its core libraries are not frequent (22 in 2009, about 1% of the total although PHP applies to about 20% of programs listed).[309] Recognizing that programmers make mistakes, some languages include taint checking to automatically detect the lack of input validation which induces many issues. Such a feature is being developed for PHP,[310] but its inclusion into a release has been rejected several times in the past.[311][312]
There are advanced protection patches such as Suhosin and Hardening-Patch, specially designed for web hosting environments.[313]
Historically, old versions of PHP had some configuration parameters and default values for such runtime settings that made some PHP applications prone to security issues. Among these, magic_quotes_gpc
and register_globals
[314] configuration directives were the best known; the latter made any URL parameters become PHP variables, opening a path for serious security vulnerabilities by allowing an attacker to set the value of any uninitialized global variable and interfere with the execution of a PHP script. Support for "magic quotes" and "register globals" settings has been deprecated since PHP 5.3.0, and removed from PHP 5.4.0.[315]
Another example for the potential runtime-settings vulnerability comes from failing to disable PHP execution (for example by using the engine
configuration directive)[316] for the directory where uploaded files are stored; enabling it can result in the execution of malicious code embedded within the uploaded files.[317][318][319] The best practice is to either locate the image directory outside of the document root available to the web server and serve it via an intermediary script or disable PHP execution for the directory which stores the uploaded files.
Also, enabling the dynamic loading of PHP extensions (via enable_dl
configuration directive)[320] in a shared web hosting environment can lead to security issues.[321][322]
Implied type conversions that result in different values being treated as equal, sometimes against the programmer's intent, can lead to security issues. For example, the result of the comparison '0e1234' == '0'
is true
, because strings that are parsable as numbers are converted to numbers; in this case, the first compared value is treated as scientific notation having the value (0×101234), which is zero. Errors like this resulted in authentication vulnerabilities in Simple Machines Forum,[323] Typo3[324] and phpBB[325] when MD5 password hashes were compared. The recommended way is to use hash_equals()
(for timing attack safety), strcmp
or the identity operator (===
), as '0e1234' === '0'
results in false
.
In a 2013 analysis of over 170,000 website defacements, published by Zone-H, the most frequently (53%) used technique was the exploitation of file inclusion vulnerability, mostly related to insecure usage of the PHP language constructs include
, require
, and allow_url_fopen
.[326][327]
As of 23 March 2024, (4 months after PHP 8.3 release) W3Techs reports that 83.9% of websites using PHP, use versions 8.0 or older (which are no longer supported by The PHP Development Team).[328] PHP Version 5 is still used by 16.2% of all websites.[298] It is highly recommended to migrate to PHP 8.1 or later and use random_int()
[329] instead of rand()
[330] or mt_rand()
,[331] as the latter functions are not cryptographically secure. There are two attacks that can be performed over PHP entropy sources: "seed attack" and "state recovery attack". As of 2012, a $250 GPU can perform up to 230 MD5 calculations per second, while a $750 GPU can perform four times as many calculations at the same time.[332] In combination with a "birthday attack" this can lead to serious security vulnerabilities.