Get Ready for PHP 6

It’s no secret that PHP has changed significantly since the earliest versions of PHP 4 were released almost a decade ago. Indeed, each major revision of PHP has required code changes, as language features were added, modified, and obsoleted. Depending on your PHP code, PHP 6 will be no exception.

Although PHP 6 isn’t yet available as a pre-built package, you can download and install a development snapshot of PHP 6 now to check out the new features and verify your scripts remain functional. Since PHP 6 removes some backwards-compatibility features (which, in the long term, is a good thing), you should test your existing code thoroughly.

Downloading and Building PHP 6

To compile, install, and run PHP 6, you must have the GNU make utility, a compiler such as gcc, some additional libraries to power new PHP features, and a Web server. Compiling and installing PHP 6 requires:

• Apache with development headers, such as apache-prefork-dev. The threaded MPM version of Apache is not recommended for use by the PHP group for production use.
• An International Component for Unicode (ICU) library, like libicu-dev
• The XML2 development headers, libxml2-dev

These dependencies can be installed instantly on Ubuntu by typing:

$ sudo apt-get install apache-prefork-dev libicu-dev libxml2-dev

These few dependencies enable a bare-bones installation of PHP 6, without database, image, or FreeType 2 support.

You can get the latest PHP 6 source package from "http://snaps.php.net">http://snaps.php.net. Save the source package as a file in your home
folder and unpack it:

$ tar -xzvf php6.0-[TSTAMP].tar.gz

(In the latter command, [TSTAMP] is the time stamp of the build you
downloaded.)

Change to the new directory created by tar and run the configure script:

$ cd php6.0-[TSTAMP]
$ ./configure --exec-prefix=/usr \
  --with-apxs2=/usr/bin/apxs2 \
  --with-config-file-path=/etc/php6

Since PHP 6 enables Unicode support, you must have an International
Component for Unicode library and headers. If necessary, the location of your ICU can specified with
the --with-icu-dir option to the configure script.

The --with-apxs2 option builds the Apache module. In this example,
the --exec-prefix and --with-config-file-path options
install the PHP files in locations more consistent with those of PHP 5, just for convenience.

After running the configure script, compile, test, and install the PHP 6 distribution:

$ make
$ make test
$ sudo make install

The tests take some time to run (as of the time of this writing, there are over 7,000 tests), but you will get better results if you verify the build. Since these are development snapshots and not intended for production, you should make sure the code doesn’t contain problems that will cause you issues later.

Verfiy the command line interpreter is installed correctly by typing:

$ php --version

If PHP 6 has been successfully installed and is in your execution path, you will see something
like this:

PHP 6.0.0-dev (cli) (built: Jun 30 2009 08:02:29)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2009 Zend Technologies

After you’ve installed the PHP 6 binaries, you’ll need to verify that PHP 6 has been successfully installed as a module or extension to your web server. To make sure your web server is pointed to PHP 6, put the phpinfo() function in a file and point to it from the browser.

<?php phpinfo(); ?>

You should see the PHP 6 version at the top. Review the unicode section to make sure that unicode support is enabled and is the proper version.

Things to Change

Since PHP 6 removes some backwards compatibility features, your main concern is to make sure that your PHP scripts are up to date before upgrading your system. Following the tips in this section—like discontinuing the use of register_globals and magic_quotes—will not only help you get ready for PHP 6 but will also help you to make your code more secure.

In PHP versions prior to version 6, the register_globals setting allowed you to register “EGPCS” (Environment, GET, POST, Cookie, and Server) variables as global variables. For many reasons, using register_globals is a poor security practice that could lead to cross-site scripting holes. An attacker could populate a variable using a query string parameter (GET) where your script was originally looking for cookie values or POST variables. As a developer, you should be sure where your variables are coming from, whether it’s from a GET or POST method or from a cookie. As of PHP 5.3.0, the register_globals feature is deprecated, and as of PHP 6 it is completely removed.

Hence, code that used to look like this…

$myvar = $value // where did this come from, anyway?

… should now look like this:

$myvar = $_GET['value'];

The magic_quotes INI directive, when enabled, allowed PHP to do some level of escaping quotes in HTML input for you. Some developers use magic_quotes instead of SQL-implementation specific functions to avoid SQL injection attacks. However, doing so can lead to more problems than it solves. magic_quotes are rumored to be turned off completely in PHP 6, so functions like magic_quotes_gpc() won’t work as expected.

Review your code carefully to determine how you’re handling input. If you rely on magic_quotes, make sure to replace that code with the appropriate functions for your database implementation or other output—such as mysql_escape_string() (for a MySQL implementation) or addslashes() (for other implementations that require escaped strings).

The best practice for running database statements is to prepare the statement, like this:

<?php
  $statement = $dbh->prepare("DELETE FROM USERS WHERE USERNAME = ?");
  $statement->execute(array($_GET['username']));
?>

The arrays HTTP_*_VARS, which are replaced by shorter array names, are completely removed in PHP 6. If the register_long_arrays setting is declared in the INI, PHP 6 emits an error of type E_CORE_ERROR.

To update your code to be ready for PHP 6, replace all instances of the long arrays with the shorter array names.

Unicode Support

PHP 6 offers Unicode support for Unicode characters in input, output, processing files, and for PHP scripts themselves. The most common of the Unicode encodings is UTF-8, which is the default encoding for many of the PHP 6 functions.

Although Unicode support is a useful addition to PHP 6, it might not be required for your environment. If you want to disable Unicode, use the unicode.semantics key in the PHP INI:

unicode.semantics = Off

The Unicode encoding can be set by the INI keys: