SQL, Ccna, Ccie, CCNP, MCP, Ajax, PHP
History
SQL was initially developed at IBM by Donald D. Chamberlin and Raymond F. Boyce after learning about the relational model
from Ted Codd[15] in the early 1970s.[16] This version, initially called SEQUEL (Structured English Query Language), was
designed to manipulate and retrieve data stored in IBM's original quasi-relational database management system, System R,
which a group at IBM San Jose Research Laboratory had developed during the 1970s.[16]
Chamberlin and Boyce's first attempt at a relational database language was Square, but it was difficult to use due to subscript
notation. After moving to the San Jose Research Laboratory in 1973, they began work on SEQUEL.[15] The acronym SEQUEL
was later changed to SQL because "SEQUEL" was a trademark of the UK-based Hawker Siddeley aircraft company.[17]
In the late 1970s, Relational Software, Inc. (now Oracle Corporation) saw the potential of the concepts described by Codd,
Chamberlin, and Boyce, and developed their own SQL-based RDBMS with aspirations of selling it to the U.S. Navy, Central
Intelligence Agency, and other U.S. government agencies. In June 1979, Relational Software, Inc. introduced the first
commercially available implementation of SQL, Oracle V2 (Version 2) for VAX computers. By 1986, ANSI and ISO standard
groups officially adopted the standard "Database Language SQL" language definition. New versions of the standard were
published in 1989, 1992, 1996, 1999, 2003, 2006, 2008, 2011,[15] and most recently, 2016. After testing SQL at customer test
sites to determine the usefulness and practicality of the system, IBM began developing commercial products based on their
System R prototype including System/38, SQL/DS, and DB2, which were commercially available in 1979, 1981, and 1983,
respectively.[18]
Design
SQL deviates in several ways from its theoretical foundation, the relational model and its tuple calculus. In that model, a table is
a set of tuples, while in SQL, tables and query results are lists of rows: the same row may occur multiple times, and the order of
rows can be employed in queries (e.g. in the LIMIT clause).
Critics argue that SQL should be replaced with a language that strictly returns to the original foundation: for example, see The
Third Manifesto.
Syntax
A chart showing several of the SQL language elements that compose a single statement
Clauses, which are constituent components of statements and queries. (In some cases, these are optional.)[19]
Expressions, which can produce either scalar values, or tables consisting of columns and rows of data
Predicates, which specify conditions that can be evaluated to SQL three-valued logic (3VL) (true/false/unknown)
or Boolean truth values and are used to limit the effects of statements and queries, or to change program flow.
Queries, which retrieve the data based on specific criteria. This is an important element of SQL.
Statements, which may have a persistent effect on schemata and data, or may control transactions, program flow,
connections, sessions, or diagnostics.
SQL statements also include the semicolon (";") statement terminator. Though not required on every platform, it
is defined as a standard part of the SQL grammar.
Insignificant whitespace is generally ignored in SQL statements and queries, making it easier to format SQL code for
readability.
Procedural extensions
SQL is designed for a specific purpose: to query data contained in a relational database. SQL is a set-based, declarative
programming language, not an imperative programming language like C or BASIC. However, extensions to Standard SQL
add procedural programming language functionality, such as control-of-flow constructs. These include:
In addition to the standard SQL/PSM extensions and proprietary SQL extensions, procedural and object-
oriented programmability is available on many SQL platforms via DBMS integration with other languages. The SQL standard
defines SQL/JRT extensions (SQL Routines and Types for the Java Programming Language) to support Java code in SQL
databases. SQL Server 2005 uses the SQLCLR (SQL Server Common Language Runtime) to host managed .NET assemblies
in the database, while prior versions of SQL Server were restricted to unmanaged extended stored procedures primarily written
in C. PostgreSQL lets users write functions in a wide variety of languages—including Perl, Python, Tcl, JavaScript (PL/V8) and
C.[22]
The complexity and size of the SQL standard mean that most implementors do not support the entire standard.
The standard does not specify database behavior in several important areas (e.g. indexes, file storage...), leaving
implementations to decide how to behave.
The SQL standard precisely specifies the syntax that a conforming database system must implement. However, the
standard's specification of the semantics of language constructs is less well-defined, leading to ambiguity.
Many database vendors have large existing customer bases; where the newer version of the SQL standard conflicts
with the prior behavior of the vendor's database, the vendor may be unwilling to break backward compatibility.
There is little commercial incentive for vendors to make it easier for users to change database suppliers (see vendor
lock-in).
Users evaluating database software tend to place other factors such as performance higher in their priorities than
standards conformance.
SQL was adopted as a standard by the American National Standards Institute (ANSI) in 1986 as SQL-86[30] and the International
Organization for Standardization (ISO) in 1987. It is maintained by ISO/IEC JTC 1, Information technology, Subcommittee SC
32, Data management and interchange. The standard is commonly denoted by the pattern: ISO/IEC 9075-n:yyyy Part n: title,
or, as a shortcut, ISO/IEC 9075.
ISO/IEC 9075 is complemented by ISO/IEC 13249: SQL Multimedia and Application Packages (SQL/MM), which defines SQL
based interfaces and packages to widely spread applications like video, audio and spatial data.
Until 1996, the National Institute of Standards and Technology (NIST) data management standards program certified SQL
DBMS compliance with the SQL standard. Vendors now self-certify the compliance of their products.[31]
The original standard declared that the official pronunciation for "SQL" was an initialism: /ˌɛsˌkjuːˈɛl/ ("ess cue el").[12]
Regardless, many English-speaking database professionals (including Donald Chamberlin himself[32]) use the acronym-like
pronunciation of /ˈsiːkwəl/ ("sequel"),[33] mirroring the language's pre-release development name of "SEQUEL".[16][17][32][16] The SQL
standard has gone through a number of revisions:
Interested parties may purchase SQL standards documents from ISO,[38] IEC or ANSI. A draft of SQL:2008 is freely available as
a zip archive.[39]
The SQL standard is divided into nine parts.
Alternatives
A distinction should be made between alternatives to SQL as a language, and alternatives to the relational model itself. Below
are proposed relational alternatives to the SQL language. See navigational database and NoSQL for alternatives to the
relational model.
Criticisms
Chamberlin's critiques of SQL include:
NULLs
SQL's controversial "NULL" value is neither true nor false (predicates with terms that return a null value return null rather than
true or false). Features such as outer-join depend on null values.[15]
Other
Other popular critiques are that it allows duplicate rows, which makes integration difficult with languages such as Python, whose data types
might make it difficult to accurately represent the data,[15] and that it is difficult to parse and lacks modularity.
CCNA
CCNA (Cisco Certified Network Associate) is an information technology (IT) certification from Cisco. CCNA certification is an
associate-level Cisco Career certification.
The Cisco exams have changed several times. In 2013, Cisco announced an update to its certification program that "aligns
certification and training curricula with evolving industry job roles."[1] There are now several different types of Cisco-Certified
Network Associate, with "CCNA Routing and Switching" being closest to the original CCNA focus; other types of CCNA focus
on security, cloud, collaboration, security operations, design, data center technologies, industrial plants, service providers, and
wireless.[2][3]
The content of the exams is proprietary.[4] Cisco and its learning partners offer a variety of different training methods,[5] including
books published by Cisco Press, and online and classroom courses available under the title "Interconnecting Cisco Network
Devices".
To achieve CCNA Routing and Switching certification, one must earn a passing score on Cisco exam #200-125, or combined
passing scores on both the "Interconnecting Cisco Network Devices" ICND1 #100-105 and ICND2 #200-105 exams. Passing
the ICND1 grants one the Cisco Certified Entry Networking Technician (CCENT) certification. Passing scores are set by using
statistical analysis and are subject to change. At the completion of the exam, candidates receive a score report along with a
score breakout by exam section and the passing score for the given exam. Cisco does not publish exam passing scores
because exam questions and passing scores are subject to change without notice.[6]
The 200-125 CCNA is the composite exam associated with the Cisco Certified Network Associate Routing & Switching
certification. This exam tests a candidate's knowledge and skills required to install, operate, and troubleshoot a small to medium
size enterprise branch network. The topics include connecting to a WAN; implementing network security; network types;
network media; routing and switching fundamentals; the TCP/IP and OSI models; IP addressing; WAN technologies; operating
and configuring IOS devices; extending switched networks with VLANs; determining IP routes; managing IP traffic with access
lists; establishing point-to-point connections; and establishing Frame Relay connections.
Available exam
To receive the CCNA certification, one must pass either:
Certifications No Longer Offered
Validity
The validity for CCNA Certification is 3 years. Renewal requires certification holders to register for and pass any same or higher
level Cisco recertification exam(s) again every 3 years.
CCNP
A Cisco Certified Network Professional (CCNP) is someone in the IT industry who has achieved a professional level of Cisco
career certification, which is a type of IT professional certification created by Cisco Systems,[1] best for Network Operations
Specialist, Network administrators & engineers.
Professional certifications
There are eight areas of professional certification.[2] They are designed for the requirements of the IT industry.
CCNP Cloud
CCNP Collaboration
CCNP Data Center
CCNP Routing and Switching
CCNP Security
CCNP Service Provider
CCNP Wireless
Required exams
To apply for the CCNP exam, entry-level Cisco certifications need to be passed in advance.
The associate-level certification programs are: CCNA Routing and Switching, CCNA Collaboration, CCNA Industrial etc.
Each area of a CCNP license requires passing the relevant exams for certification of the professional understanding
and capability of networking.
For example, the CCNP Routing and Switching consists of three exams:[3] Implementing Cisco IP Routing,
Implementing Cisco IP Switched Networks and Troubleshooting and Maintaining Cisco IP Networks.
Related certifications
CCIE Certification
The Cisco Certified Internetwork Expert, or CCIE, is a technical certification offered by Cisco Systems. The Cisco Certified
Internetwork Expert (CCIE) and Cisco Certified Design Expert (CCDE) certifications were established to assist the industry in
distinguishing the top echelon of internetworking experts worldwide and to assess Expert-level infrastructure network design
skills worldwide. These certifications are generally accepted worldwide as the most prestigious networking certifications in the
industry. The CCIE and CCDE community has established a reputation of leading the networking industry in deep technical
networking knowledge and are deployed into the most technically challenging network assignments. The Expert-level
certification program continually updates and revises its testing tools and methodologies to ensure and maintain program
quality, relevance and value. Through a rigorous written exam and a performance-based lab exam, these expert-level
certification programs set the standard for internetworking expertise. [1]
The program is currently divided into six different areas of expertise or "tracks". One may choose to pursue multiple CCIE tracks
in several different categories of Cisco technology: Routing & Switching, Service Provider, Security, Collaboration, Data Center,
and Wireless.
CCIE Requirements
CCIE candidates must first pass a written qualification exam and then the corresponding hands-on lab exam. Though there are
no formal requirements to take a CCIE certification exam, an in-depth understanding of the topics on the exams and three to
five years of job experience are expected before attempting certification. [2]
There are two test sets for the requirement for certification
Written Exam: Duration 120 minutes, 90-110 questions with multiple choice and simulation
Lab Exam: 8-hour lab exam (one day). Previously, CCIE lab exams were two full-day exams.
Details: The CCIE Routing and Switching Lab exam consists of a 2 hour Troubleshooting section, a 30 minute Diagnostic
section, and a 5 hour and 30 minute Configuration section. The format differs per track.
The eight-hour lab exam tests your ability to configure actual equipment and troubleshoot the network in a timed test situation.
You must make an initial attempt at the CCIE lab exam within 18 months of passing the CCIE written exam. Candidates who do
not pass must reattempt the lab exam within 12 months of their last scored attempt in order for their written exam to remain
valid. If you do not pass the lab exam within three years of passing the written exam, you must retake the written exam before
being allowed to attempt the lab exam again.
The first day: You build the network by patching, IP addressing and configuring terminal servers; this verifies
your performance across the whole layer 2 and layer 3 configuration. Before the end of the day, at about 5:15
pm, the proctor marks your work and decides whether you may attend the second-day lab exam, which requires reaching
the 80% pass mark on the first day. [4]
The second day: You receive another paper that covers more configuration tasks during the morning
session.
To configure the devices correctly, you should be familiar with the core technologies. There are various hazards, so you should
have basic networking knowledge, including practical experience. The proctor observes your progress and lets you
know whether you can attend the afternoon exam session for the troubleshooting field before the end of the day. [5]
The current CCIE exam consists of eight hours within a day. [6] [7]
CCDE: The expert-level network design engineers who are capable of translating business needs, budget, and
operational constraints into the design of a converged solution. [8]
CCIE Routing & Switching: The most popular CCIE track. The expert-level network engineers who can plan, operate
and troubleshoot complex, converged network infrastructure. [9]
CCIE Collaboration: Suitable expert level for the Collaboration Architects, Unified Communications Architects, or Voice
and Video Network Managers [10]
CCIE Data Center: Expert of the planning, design, implementation and management of complex, modern IT data center
infrastructure. [11]
CCIE Security: Concerning modern security risks, threats and vulnerabilities, the security experts who have the
knowledge and skills to architect, engineer, implement, troubleshoot, and support the full suite of Cisco security
technologies and solutions using the latest industry best practices to secure systems and environments. [12]
CCIE Service Provider: The expert-level ISP (Internet Service Provider) network engineers who bring the knowledge
and skill to build an extensible Service Provider infrastructure to deliver rich managed services [13]
CCIE Wireless: The expert who is able to demonstrate broad theoretical knowledge of wireless networking and a solid
understanding of wireless local area networking (WLAN) technologies from Cisco. [14]
CCIE Emeritus
Active CCIE holders are able to apply for CCIE Emeritus status when they pass their ten year anniversary of CCIE certification.
CCIE Emeritus status generally applies to those that have moved out of "day to day" network and technical work but
would like to stay involved in the CCIE program serving as ambassadors to current and future CCIE program.
CCIE Emeritus status is a non-active CCIE holder but candidates are recognized for technical proficiency and long term
status within the CCIE program.
CCIE Emeritus holders have the opportunity to re-enter active CCIE status by taking any current CCIE-level written
exam. [15]
Microsoft Office Specialist (MOS) - demonstrates the proficiency of the holder in one or more Office Programs
Microsoft Technology Associate (MTA) - is the entry level certification that validates the holder's fundamental
technology knowledge
Microsoft Certified Solutions Associate (MCSA) - this certification validates the holder's ability to build and design
solutions using core Microsoft technologies.
Microsoft Certified Solutions Expert (MCSE) - these certifications show the skills to design and build advanced
solutions which integrate multiple Microsoft technologies - requires MCSA prerequisite
Microsoft Certified Solutions Developer (MCSD) - the certification proves the holder's skills in designing and building
application solutions - requires MCSA prerequisite
Microsoft Specialist - Designed to validate your knowledge and skills in a specialized area of technology, the
Specialist credential sits outside the tier system - retired as of March 31, 2017[5]
The MCSE certification originally stood for Microsoft Certified Systems Engineer. In 2012, Microsoft made some changes to the
Microsoft Certified Professional (MCP) program, and renamed MCSE to mean Microsoft Certified Solutions Expert.[6] At the
same time, the MCSA certification was renamed to Microsoft Certified Solutions Associate, from its original name of
Microsoft Certified Systems Administrator.
Ajax (programming)
Ajax (also AJAX /ˈeɪdʒæks/; short for "Asynchronous JavaScript And XML")[1][2] is a set of Web development techniques using
many Web technologies on the client side to create asynchronous Web applications. With Ajax, Web applications can send and
retrieve data from a server asynchronously (in the background) without interfering with the display and behavior of the existing
page. By decoupling the data interchange layer from the presentation layer, Ajax allows Web pages, and by extension Web
applications, to change content dynamically without the need to reload the entire page.[3] In practice, modern implementations
commonly utilize JSON instead of XML due to the advantages of JSON being native to JavaScript.[4]
Ajax is not a single technology, but rather a group of technologies. HTML and CSS can be used in combination to mark up and
style information. The webpage can then be modified by JavaScript to dynamically display – and allow the user to interact with
— the new information. The built-in XMLHttpRequest object within JavaScript is commonly used to execute Ajax on webpages
allowing websites to load content onto the screen without refreshing the page. Ajax is not a new technology, or different
language, just existing technologies used in new ways.
History
In the early-to-mid 1990s, most Web sites were based on complete HTML pages. Each user action required that a complete
new page be loaded from the server. This process was inefficient, as reflected by the user experience: all page content
disappeared, then the new page appeared. Each time the browser reloaded a page because of a partial change, all of the
content had to be re-sent, even though only some of the information had changed. This placed additional load on the server and
made bandwidth a limiting factor on performance.
In 1996, the iframe tag was introduced by Internet Explorer; like the object element, it can load or fetch content asynchronously.
In 1998, the Microsoft Outlook Web App team developed the concept behind the XMLHttpRequest scripting object.[5] It appeared
as XMLHTTP in the second version of the MSXML library,[5][6] which shipped with Internet Explorer 5.0 in March 1999.[7]
The functionality of the XMLHTTP ActiveX control in IE 5 was later implemented by Mozilla, Safari, Opera and other browsers
as the XMLHttpRequest JavaScript object.[8] Microsoft adopted the native XMLHttpRequest model as of Internet Explorer 7. The
ActiveX version is still supported in Internet Explorer, but not in Microsoft Edge. The utility of these background HTTP requests
and asynchronous Web technologies remained fairly obscure until it started appearing in large scale online applications such as
Outlook Web App (2000)[9] and Oddpost (2002).
Google made a wide deployment of standards-compliant, cross browser Ajax with Gmail (2004) and Google Maps (2005).[10] In
October 2004 Kayak.com's public beta release was among the first large-scale e-commerce uses of what their developers at
that time called "the xml http thing".[11] This increased interest in AJAX among web program developers.
The term Ajax was publicly used on 18 February 2005 by Jesse James Garrett in an article titled Ajax: A New Approach to Web
Applications, based on techniques used on Google pages.[1]
On 5 April 2006, the World Wide Web Consortium (W3C) released the first draft specification for the XMLHttpRequest object in
an attempt to create an official Web standard.[12][13] The latest draft of the XMLHttpRequest object was published on 30 January
2014.[14]
Technologies
The term Ajax has come to represent a broad group of Web technologies that can be used to implement a Web application that
communicates with a server in the background, without interfering with the current state of the page. In the article that coined
the term Ajax,[1][3] Jesse James Garrett explained that the following technologies are incorporated:
Drawbacks
Any user whose browser does not support JavaScript or XMLHttpRequest, or has this functionality disabled, will not be
able to properly use pages that depend on Ajax. Simple devices (such as smartphones and PDAs) may not support the
required technologies. The only way to let the user carry out functionality is to fall back to non-JavaScript methods. This can
be achieved by making sure links and forms can be resolved properly and not relying solely on Ajax.[17]
Similarly, some Web applications that use Ajax are built in a way that cannot be read by screen-reading technologies,
such as JAWS. The WAI-ARIA standards provide a way to provide hints in such a case.[18]
Screen readers that are able to use Ajax may still not be able to properly read the dynamically generated content.[19]
The same-origin policy prevents some Ajax techniques from being used across domains,[12] although the W3C has a
draft of the XMLHttpRequest object that would enable this functionality.[20] Methods exist to sidestep this security feature by
using a special Cross Domain Communications channel embedded as an iframe within a page,[21] or by the use of JSONP.
The asynchronous callback-style of programming required can lead to complex code that is hard to maintain, to
debug[22] and to test.[23]
Because of the asynchronous nature of Ajax, each chunk of data that is sent or received by the client occurs in a
connection established specifically for that event. This creates a requirement that for every action, the client must poll the
server, instead of listening, which incurs significant overhead. This overhead leads to several times higher latency with Ajax
than what can be achieved with a technology such as websockets.[24]
In pre-HTML5 browsers, pages dynamically created using successive Ajax requests did not automatically register
themselves with the browser's history engine, so clicking the browser's "back" button may not have returned the browser to
an earlier state of the Ajax-enabled page, but may have instead returned to the last full page visited before it. Such
behavior — navigating between pages instead of navigating between page states — may be desirable, but if fine-grained
tracking of page state is required, then a pre-HTML5 workaround was to use invisible iframes to trigger changes in the
browser's history. A workaround implemented by Ajax techniques is to change the URL fragment identifier (the part of a
URL after the "#") when an Ajax-enabled page is accessed and monitor it for changes.[25][26] HTML5 provides an
extensive API standard for working with the browser's history engine.[27]
Dynamic Web page updates also make it difficult to bookmark and return to a particular state of the application.
Solutions to this problem exist, many of which again use the URL fragment identifier.[25][26] On the other hand, as AJAX-
intensive pages tend to function as applications rather than content, bookmarking interim states rarely makes sense.
Nevertheless, the solution provided by HTML5 for the above problem also applies for this.[27]
Depending on the nature of the Ajax application, dynamic page updates may disrupt user interactions, particularly if the
Internet connection is slow or unreliable. For example, editing a search field may trigger a query to the server for search
completions, but the user may not know that a search completion popup is forthcoming, and if the Internet connection is
slow, the popup list may show up at an inconvenient time, when the user has already proceeded to do something else.
Excluding Google,[28] most major Web crawlers do not execute JavaScript code,[29] so in order to be indexed by Web
search engines, a Web application must provide an alternative means of accessing the content that would normally be
retrieved with Ajax. It has been suggested that a headless browser may be used to index content provided by Ajax-enabled
websites, although Google is no longer recommending the Ajax crawling proposal they made in 2009.[30]
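The same-origin item in the list above notes that a W3C draft lets cross-domain Ajax be enabled; browsers implement that mechanism as CORS, in which the server decides which origins may read a response. The following is an added example, not part of the original article: a server-side origin allowlist in JavaScript. The policy values (origins, methods, header names) and all function names are assumptions chosen for illustration.

```javascript
// Added example: deciding CORS response headers from an exact-match allowlist.
// Every value in POLICY is a constructed sample, not taken from the article.
const POLICY = {
  origins: new Set(['https://app.example.com', 'https://admin.example.com']),
  methods: ['GET', 'POST'],
  headers: ['content-type', 'x-requested-with'],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Return the Origin header value if it is already in canonical serialised
// form (scheme://host[:port], lower-case host, no default port, no path);
// return null for a missing header, the opaque "null" origin, or anything else.
function canonicalOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // not an absolute URL at all (includes the literal "null")
  }
  return url.origin === value ? value : null;
}

// Exact set membership only: no substring, prefix, suffix or regex matching,
// so look-alike hosts such as app.example.com.example.net never match.
function isAllowedOrigin(value, policy = POLICY) {
  const origin = canonicalOrigin(value);
  return origin !== null && policy.origins.has(origin);
}

// Headers for an ordinary (non-preflight) response.
function corsResponseHeaders(requestOrigin, policy = POLICY) {
  // Vary: Origin keeps shared caches from replaying one origin's answer to another.
  const headers = { 'Vary': 'Origin' };
  if (!isAllowedOrigin(requestOrigin, policy)) {
    return headers; // no Allow-Origin header: the browser blocks the read
  }
  // Echo the origin only after the exact match; "*" is not valid with credentials.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  if (policy.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Decision for a preflight (OPTIONS) request. requestedHeaders is the raw
// Access-Control-Request-Headers value, a comma-separated list or undefined.
function preflight(requestOrigin, requestedMethod, requestedHeaders, policy = POLICY) {
  const base = corsResponseHeaders(requestOrigin, policy);
  const wanted = (requestedHeaders || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const ok =
    'Access-Control-Allow-Origin' in base &&
    policy.methods.includes(requestedMethod) &&
    wanted.every((h) => policy.headers.includes(h));
  if (!ok) {
    return { status: 403, headers: { 'Vary': 'Origin' } };
  }
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': policy.methods.join(', '),
      'Access-Control-Allow-Headers': policy.headers.join(', '),
      'Access-Control-Max-Age': String(policy.maxAgeSeconds),
    },
  };
}

// Constructed sample requests showing each outcome.
function demo() {
  return [
    'https://app.example.com',             // listed origin
    'http://app.example.com',              // same host, wrong scheme
    'https://app.example.com.example.net', // look-alike host
    'null',                                // opaque origin (sandboxed frame, file:)
  ].map((origin) => ({
    origin,
    allowed: 'Access-Control-Allow-Origin' in corsResponseHeaders(origin),
  }));
}
```

A request handler would merge the returned headers into its response; the JSONP and iframe channels mentioned in the list bypass this check entirely, so they need their own review.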
Examples
JavaScript example
An example of a simple Ajax request using the GET method, written in JavaScript.
get-ajax-data.js:
<?php
// This is the server-side script.
Many developers dislike the syntax used in the XMLHttpRequest object, so some of the following workarounds have been
created.
jQuery example
The popular JavaScript library jQuery has implemented abstractions which enable developers to use Ajax more conveniently.
Although it still uses XMLHttpRequest behind the scenes, the following is the same example as above using the 'ajax' method.
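$.ajax({
    type: 'GET',
    url: 'send-ajax-data.php',
    dataType: "JSON", // data type expected from server
    success: function (data) {
        console.log(data);
    },
    // jQuery calls the error callback with (jqXHR, textStatus, errorThrown)
    error: function (jqXHR, textStatus, errorThrown) {
        console.log('Error: ' + textStatus + ' ' + errorThrown);
    }
});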
jQuery also implements a 'get' method which allows the same code to be written more concisely.
$.get('send-ajax-data.php').done(function (data) {
    console.log(data);
}).fail(function (jqXHR, textStatus) {
    // the first argument is the jqXHR object; textStatus is the readable status
    console.log('Error: ' + textStatus);
});
Fetch example
Fetch is a new native JavaScript API. Although not yet supported by all browsers, it is gaining momentum as a more popular
way to execute Ajax.[citation needed] According to Google Developers Documentation, "Fetch makes it easier to make web requests
and handle responses than with the older XMLHttpRequest."
fetch('send-ajax-data.php').then(function(response) {
    return response.text();
}).then(function(data) {
    console.log(data);
}).catch(function(error) {
    console.log('Error: ' + error);
});
// Async/await example (await must run inside an async function):
async function getAjaxData() {
    try {
        const res = await fetch('send-ajax-data.php');
        const data = await res.text();
        console.log(data);
    } catch (error) {
        console.log('Error: ' + error);
    }
}
getAjaxData();
PHP
PHP: Hypertext Preprocessor (or simply PHP) is a server-side scripting language designed for Web development, but also
used as a general-purpose programming language. It was originally created by Rasmus Lerdorf in 1994;[5] the PHP reference
implementation is now produced by The PHP Group.[6] PHP originally stood for Personal Home Page,[5] but it now stands for
the recursive acronym PHP: Hypertext Preprocessor.[7]
PHP code may be embedded into HTML code, or it can be used in combination with various web template systems, web
content management systems, and web frameworks. PHP code is usually processed by a PHP interpreter implemented as
a module in the web server or as a Common Gateway Interface (CGI) executable. The web server combines the results of the
interpreted and executed PHP code, which may be any type of data, including images, with the generated web page. PHP code
may also be executed with a command-line interface (CLI) and can be used to implement standalone graphical applications.[8]
The standard PHP interpreter, powered by the Zend Engine, is free software released under the PHP License. PHP has been
widely ported and can be deployed on most web servers on almost every operating system and platform, free of charge.[9]
The PHP language evolved without a written formal specification or standard until 2014, with the original implementation acting
as the de facto standard which other implementations aimed to follow. Since 2014 work has gone on to create a formal PHP
specification.[10]
During the 2010s there have been increased efforts towards standardisation and code sharing in PHP applications by projects
such as PHP-FIG in the form of PSR initiatives as well as the Composer dependency manager and associated Packagist
repository. PHP hosts a diverse array of web frameworks requiring framework-specific knowledge, with Laravel recently
emerging as a popular option by incorporating ideas made popular from other competing non-PHP web frameworks, like Ruby
on Rails.
History
Early history
Rasmus Lerdorf, who wrote the original Common Gateway Interface (CGI) component, together with Andi Gutmans and Zeev Suraski, who
rewrote the parser that formed PHP 3.
PHP development began in 1994 when Rasmus Lerdorf wrote several Common Gateway Interface (CGI) programs in C,[11][12][13]
which he used to maintain his personal homepage. He extended them to work with web forms and to communicate
with databases, and called this implementation "Personal Home Page/Forms Interpreter" or PHP/FI.
PHP/FI could be used to build simple, dynamic web applications. To accelerate bug reporting and improve the code, Lerdorf
initially announced the release of PHP/FI as "Personal Home Page Tools (PHP Tools) version 1.0" on the Usenet discussion
group comp.infosystems.www.authoring.cgi on June 8, 1995.[14][15] This release already had the basic functionality that PHP has
today. This included Perl-like variables, form handling, and the ability to embed HTML. The syntax resembled that of Perl, but
was simpler, more limited and less consistent.[6]
Early PHP was not intended to be a new programming language, and grew organically, with Lerdorf noting in retrospect: "I don't
know how to stop it, there was never any intent to write a programming language [...] I have absolutely no idea how to write a
programming language, I just kept adding the next logical step on the way."[16] A development team began to form and, after
months of work and beta testing, officially released PHP/FI 2 in November 1997.
The fact that PHP was not originally designed, but instead was developed organically has led to inconsistent naming of
functions and inconsistent ordering of their parameters.[17] In some cases, the function names were chosen to match the lower-
level libraries which PHP was "wrapping",[18] while in some very early versions of PHP the length of the function names was
used internally as a hash function, so names were chosen to improve the distribution of hash values.[19]
Zeev Suraski and Andi Gutmans rewrote the parser in 1997 and formed the base of PHP 3, changing the language's name to
the recursive acronym PHP: Hypertext Preprocessor.[6][20] Afterwards, public testing of PHP 3 began, and the official launch came
in June 1998. Suraski and Gutmans then started a new rewrite of PHP's core, producing the Zend Engine in 1999.[21] They also
founded Zend Technologies in Ramat Gan, Israel.[6]
On May 22, 2000, PHP 4, powered by the Zend Engine 1.0, was released.[6] As of August 2008 this branch reached version
4.4.9. PHP 4 is no longer under development nor will any security updates be released.[22][23]
PHP 5
On July 14, 2004, PHP 5 was released, powered by the new Zend Engine II.[6] PHP 5 included new features such as improved
support for object-oriented programming, the PHP Data Objects (PDO) extension (which defines a lightweight and consistent
interface for accessing databases), and numerous performance enhancements.[24] In 2008 PHP 5 became the only stable
version under development. Late static binding had been missing from PHP and was added in version 5.3.[25][26]
Many high-profile open-source projects ceased to support PHP 4 in new code as of February 5, 2008, because of the GoPHP5
initiative,[27] provided by a consortium of PHP developers promoting the transition from PHP 4 to PHP 5.[28][29]
Over time, PHP interpreters became available on most existing 32-bit and 64-bit operating systems, either by building them
from the PHP source code, or by using pre-built binaries.[30] For the PHP versions 5.3 and 5.4, the only available Microsoft
Windows binary distributions were 32-bit x86 builds,[31][32] requiring Windows 32-bit compatibility mode while using Internet
Information Services (IIS) on a 64-bit Windows platform. PHP version 5.5 made the 64-bit x86-64 builds available for Microsoft
Windows.[33]
PHP 7
During 2014 and 2015, a new major PHP version was developed, which was numbered PHP 7. The numbering of this version
involved some debate.[40] While the PHP 6 Unicode experiment had never been released, several articles and book titles
referenced the PHP 6 name, which might have caused confusion if a new release were to reuse the name.[41] After a vote, the
name PHP 7 was chosen.[42]
The foundation of PHP 7 is a PHP branch that was originally dubbed PHP next generation (phpng). It was authored by Dmitry
Stogov, Xinchen Hui and Nikita Popov,[43] and aimed to optimize PHP performance by refactoring the Zend Engine while
retaining near-complete language compatibility.[44] As of 14 July 2014, WordPress-based benchmarks, which served as the main
benchmark suite for the phpng project, showed an almost 100% increase in performance. Changes from phpng are also
expected to make it easier to improve performance in the future, as more compact data structures and other changes are seen
as better suited for a successful migration to a just-in-time (JIT) compiler.[45] Because of the significant changes, the reworked
Zend Engine is called Zend Engine 3, succeeding Zend Engine 2 used in PHP 5.[46]
Because of major internal changes in phpng, it must receive a new major version number of PHP, rather than a minor PHP 5
release, according to PHP's release process.[47] Major versions of PHP are allowed to break backward-compatibility of code and
therefore PHP 7 presented an opportunity for other improvements beyond phpng that require backward-compatibility breaks. In
particular, it involved the following changes:
- Many fatal- or recoverable-level legacy PHP error mechanisms were replaced with modern object-oriented exceptions[48]
- The syntax for variable dereferencing was reworked to be internally more consistent and complete, allowing the use of the operators ->, [], (), {}, and :: with arbitrary meaningful left-hand-side expressions[49]
- Support for legacy PHP 4-style constructor methods was deprecated[50]
- The behavior of the foreach statement was changed to be more predictable[51]
- Constructors for the few classes built-in to PHP which returned null upon failure were changed to throw an exception instead, for consistency[52]
- Several unmaintained or deprecated server application programming interfaces (SAPIs) and extensions were removed from the PHP core, most notably the legacy mysql extension[53]
- The behavior of the list() operator was changed to remove support for strings[54]
- Support for legacy ASP-style PHP code delimiters (<% and %>, <script language=php> and </script>) was removed[55]
- An oversight allowing a switch statement to have multiple default clauses was fixed[56]
- Support for hexadecimal numbers in some implicit conversions from strings to number types was removed[57]
- The left-shift and right-shift operators were changed to behave more consistently across platforms[58]
- Conversions between integers and floating point numbers were tightened and implemented more consistently across platforms[58][59]
PHP 7 also included new language features. Most notably, it introduced return type declarations for functions,[60] which
complement the existing parameter type declarations, and support for the scalar types (integer, float, string, and boolean) in
parameter and return type declarations.[61]
Release history
Key

| Color | Meaning | Development |
|---|---|---|
| Red | Old release | No development |
| Yellow | Stable release | Security fixes |
| Green | Stable release | Bug and security fixes |
| Blue | Future release | New features |

| Version | Release date | Supported until[62] | Notes |
|---|---|---|---|
| 1.0 | 8 June 1995 | | Officially called "Personal Home Page Tools (PHP Tools)". This is the first use of the name "PHP".[6] |
| 2.0 | 1 November 1997 | | Officially called "PHP/FI 2.0". This is the first release that could actually be characterised as PHP, being a standalone language with many features that have endured to the present day. |
| 3.0 | 6 June 1998 | 20 October 2000[62] | Development moves from one person to multiple developers. Zeev Suraski and Andi Gutmans rewrite the base for this version.[6] |
| 4.0 | 22 May 2000 | 23 June 2001[62] | Added more advanced two-stage parse/execute tag-parsing system called the Zend engine.[63] |
| 4.1 | 10 December 2001 | 12 March 2002[62] | Introduced "superglobals" ($_GET, $_POST, $_SESSION, etc.)[63] |
| 4.2 | 22 April 2002 | 6 September 2002[62] | Disabled register_globals by default. Data received over the network is not inserted directly into the global namespace anymore, closing possible security holes in applications.[63] |
| 4.3 | 27 December 2002 | 31 March 2005[62] | Introduced the command-line interface (CLI), to supplement the CGI.[63][64] |
| 4.4 | 11 July 2005 | 7 August 2008[62] | Fixed a memory corruption bug, which required breaking binary compatibility with extensions compiled against PHP version 4.3.x.[65] |
| 5.1 | 24 November 2005 | 24 August 2006[62] | Performance improvements with introduction of compiler variables in re-engineered PHP Engine.[66] Added PHP Data Objects (PDO) as a consistent interface for accessing databases.[67] |
| 5.2 | 2 November 2006 | 6 January 2011[62] | Enabled the filter extension by default. Native JSON support.[66] |
| 5.6 | 28 August 2014 | 31 December 2018[69] | Constant scalar expressions, variadic functions, argument unpacking, new exponentiation operator, extensions of the use statement for functions and constants, new phpdbg debugger as a SAPI module, and other smaller improvements.[71] |
| 6.x | Not released | N/A | Abandoned version of PHP that planned to include native Unicode support.[72][73] |
| 7.0 | 3 December 2015[2] | 3 December 2018[47] | Zend Engine 3 (performance improvements[45] and 64-bit integer support on Windows[74]), uniform variable syntax,[49] AST-based compilation process,[75] added Closure::call(),[76] bitwise shift consistency across platforms,[77] ?? (null coalesce) operator,[78] Unicode code point escape syntax,[79] return type declarations,[60] scalar type (integer, float, string and boolean) declarations,[61] <=> "spaceship" three-way comparison operator,[80] generator delegation,[81] anonymous classes,[82] simpler and more consistently available CSPRNG API,[83] replacement of many remaining internal PHP "errors" with the more modern exceptions,[48] and shorthand syntax for importing multiple items from a namespace.[84] |
| 7.1 | 1 December 2016 | 1 December 2019[69] | void return type,[85] class constant visibility modifiers[86] |
| 7.2 | 30 November 2017 | 30 November 2020[69] | Object parameter and return type hint,[87] Libsodium extension,[88] Abstract method overriding,[89] Parameter type widening[90] |
| 7.3 | 12 December 2018 (Expected)[91] | 12 December 2021 (Expected) | Flexible Heredoc and Nowdoc syntax,[92] support for references and array deconstruction with list(),[93] PCRE2 support,[94] hrtime() function[95] |

Beginning on June 28, 2011, the PHP Group implemented a timeline for the release of new versions of PHP.[47] Under this
system, at least one release should occur every month. Once per year, a minor release should occur which may include new
features. Every minor release should at least be supported for two years with security and bug fixes, followed by at least one
year of only security fixes, for a total of a three-year release process for every minor release. No new features, unless small and
self-contained, are to be introduced into a minor release during the three-year release process.
Mascot
The mascot of the PHP project is the elePHPant, a blue elephant with the PHP logo on its side, designed by Vincent
Pontier[96] in 1998.[97] "The (PHP) letters were forming the shape of an elephant if viewed in a sideways angle."[98] The elePHPant
is sometimes differently colored when in plush toy form.
Many variations of this mascot have been made over the years. Only the elePHPants based on the original design by Vincent
Pontier are considered official by the community.[99] These are highly collectible and some of them are extremely rare. Different
variations are listed on A Field Guide to Elephpants.
Syntax
The following "Hello, World!" program is written in PHP code embedded in an HTML document:

    <!DOCTYPE html>
    <html>
        <head>
            <title>PHP Test</title>
        </head>
        <body>
            <?php echo '<p>Hello World</p>'; ?>
        </body>
    </html>

However, as no requirement exists for PHP code to be embedded in HTML, the simplest version of Hello, World! may be written
like this, with the closing tag omitted as preferred in files containing pure PHP code:[100]

    <?='Hello world';

The PHP interpreter only executes PHP code within its delimiters. Anything outside its delimiters is not processed by PHP,
although non-PHP text is still subject to control structures described in PHP code. The most common delimiters are <?php to
open and ?> to close PHP sections. The shortened form <? also exists. This short delimiter makes script files less portable,
since support for them can be disabled in the local PHP configuration and it is therefore discouraged.[101][102] However, there is no
recommendation against the use of the echo short tag <?=.[103] Prior to PHP 5.4.0, this short syntax for echo() only works with
the short_open_tag configuration setting enabled, while for PHP 5.4.0 and later it is always available.[104][105][101] The purpose of all
these delimiters is to separate PHP code from non-PHP content, such as JavaScript code or HTML markup.[106]
The first form of delimiters, <?php and ?>, in XHTML and other XML documents, creates correctly formed XML processing
instructions.[107] This means that the resulting mixture of PHP code and other markup in the server-side file is itself well-formed
XML.
Variables are prefixed with a dollar symbol, and a type does not need to be specified in advance. PHP 5 introduced type
hinting that allows functions to force their parameters to be objects of a specific class, arrays, interfaces or callback functions.
However, before PHP 7.0, type hints could not be used with scalar types such as integer or string.[61]
Unlike function and class names, variable names are case sensitive. Both double-quoted ("") and heredoc strings provide the
ability to interpolate a variable's value into the string.[108] PHP treats newlines as whitespace in the manner of a free-form
language, and statements are terminated by a semicolon.[109] PHP has three types of comment syntax: /* */ marks block and
inline comments; // or # are used for one-line comments.[110] The echo statement is one of several facilities PHP provides to
output text, e.g., to a web browser.
In terms of keywords and language syntax, PHP is similar to the C style syntax. if conditions, for and while loops, and function
returns are similar in syntax to languages such as C, C++, C#, Java and Perl.
Data types
PHP stores integers in a platform-dependent range, either a 64-bit or 32-bit signed integer equivalent to the C-language long
type. Unsigned integers are converted to signed values in certain situations; this behavior is different from other programming
languages.[111] Integer variables can be assigned using decimal (positive and negative), octal, hexadecimal,
and binary notations.
Floating point numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two
forms of scientific notation.[112] PHP has a native Boolean type that is similar to the native Boolean types in Java and C++. Using
the Boolean type conversion rules, non-zero values are interpreted as true and zero as false, as in Perl and C++.[112]
The null data type represents a variable that has no value; NULL is the only allowed value for this data type.[112]
Variables of the "resource" type represent references to resources from external sources. These are typically created by
functions from a particular extension, and can only be processed by functions from the same extension; examples include file,
image, and database resources.[112]
Arrays can contain elements of any type that PHP can handle, including resources, objects, and even other arrays. Order is
preserved in lists of values and in hashes with both keys and values, and the two can be intermingled.[112] PHP also
supports strings, which can be used with single quotes, double quotes, nowdoc or heredoc syntax.[113]
The Standard PHP Library (SPL) attempts to solve standard problems and implements efficient data access interfaces and
classes.[114]
Functions
PHP defines a large array of functions in the core language and many are also available in various extensions; these functions
are well documented in the online PHP documentation.[115] However, the built-in library has a wide variety of naming conventions
and associated inconsistencies, as described under history above.
Custom functions may be defined by the developer, e.g.:

    function myAge($birthYear) {                                  // defines a function named "myAge"
        $yearsOld = date('Y') - $birthYear;                       // calculates the age
        return $yearsOld . ' year' . ($yearsOld != 1 ? 's' : ''); // returns the age in a descriptive form
    }
    echo 'I am currently ' . myAge(1995) . ' old.'; // outputs the text concatenated with the return value of myAge()
    // As the result of this syntax, myAge() is called.

In 2018, the output of the above sample program is 'I am currently 23 years old.'
In lieu of function pointers, functions in PHP can be referenced by a string containing their name. In this manner, normal PHP
functions can be used, for example, as callbacks or within function tables.[116] User-defined functions may be created at any time
without being prototyped.[115][116] Functions may be defined inside code blocks, permitting a run-time decision as to whether or not
a function should be defined. There is a function_exists function that determines whether a function with a given name has
already been defined. Function calls must use parentheses, with the exception of zero-argument class constructor functions
called with the PHP operator new, in which case parentheses are optional.
Until PHP 5.3, support for anonymous functions and closures did not exist in PHP. While create_function() has existed since
PHP 4.0.1, it is merely a thin wrapper around eval() that allows normal PHP functions to be created during program
execution.[117] PHP 5.3 added syntax to define an anonymous function or "closure"[118] which can capture variables from the
surrounding scope:

    function getAdder($x) {
        return function($y) use ($x) {
            return $x + $y;
        };
    }
    $adder = getAdder(8);
    echo $adder(2); // prints "10"

In the example above, the getAdder() function creates a closure using the passed argument $x (the keyword use imports a
variable from the lexical context), which takes an additional argument $y, and returns the created closure to the caller. Such a
function is a first-class object, meaning that it can be stored in a variable, passed as a parameter to other functions, etc.[119]
Unusually for a dynamically typed language, PHP supports type declarations on function parameters, which are enforced at
runtime. This has been supported for classes and interfaces since PHP 5.0, for arrays since PHP 5.1, for "callables" since PHP
5.4, and scalar (integer, float, string and boolean) types since PHP 7.0.[61] PHP 7.0 also has type declarations for function return
types, expressed by placing the type name after the list of parameters, preceded by a colon.[60] For example,
the getAdder function from the earlier example could be annotated with types like so in PHP 7:

    function getAdder(int $x): Closure
    {
        return function (int $y) use ($x): int { return $x + $y; };
    }
    $adder = getAdder(8);
    echo $adder(2); // prints "10"
    echo $adder(null); // throws an exception because an incorrect type was passed
    $adder = getAdder([]); // would also throw an exception

By default, scalar type declarations follow weak typing principles. So, for example, if a parameter's type is int, PHP would
allow not only integers, but also convertible numeric strings, floats or booleans to be passed to that function, and would convert
them.[61] However, PHP 7 has a "strict typing" mode which, when used, disallows such conversions for function calls and returns
within a file.[61]
PHP Objects
Basic object-oriented programming functionality was added in PHP 3 and improved in PHP 4.[6] This allowed for PHP to gain
further abstraction, making creative tasks easier for programmers using the language. Object handling was completely rewritten
for PHP 5, expanding the feature set and enhancing performance.[120] In previous versions of PHP, objects were handled
like value types.[120] The drawback of this method was that code had to make heavy use of PHP's "reference" variables if it
wanted to modify an object it was passed rather than creating a copy of it. In the new approach, objects are referenced
by handle, and not by value.
PHP 5 introduced private and protected member variables and methods, along with abstract classes, final classes, abstract
methods, and final methods. It also introduced a standard way of declaring constructors and destructors, similar to that of other
object-oriented languages such as C++, and a standard exception handling model. Furthermore, PHP 5 added interfaces and
allowed for multiple interfaces to be implemented. There are special interfaces that allow objects to interact with the runtime
system. Objects implementing ArrayAccess can be used with array syntax and objects
implementing Iterator or IteratorAggregate can be used with the foreach language construct. There is no virtual table feature
in the engine, so static variables are bound with a name instead of a reference at compile time.[121]
If the developer creates a copy of an object using the reserved word clone, the Zend engine will check whether
a __clone() method has been defined. If not, it will call a default __clone() which will copy the object's properties. If
a __clone() method is defined, then it will be responsible for setting the necessary properties in the created object. For
convenience, the engine will supply a function that imports the properties of the source object, so the programmer can start with
a by-value replica of the source object and only override properties that need to be changed.[122]
The following is a basic example of object-oriented programming in PHP:

    class Person
    {
        public $firstName;
        public $lastName;
    }

Implementations
The original, only complete and most widely used PHP implementation is powered by the Zend Engine and known simply as
PHP. To disambiguate it from other implementations, it is sometimes unofficially called "Zend PHP". The Zend
Engine compiles PHP source code on-the-fly into an internal format that it can execute, thus it works as an interpreter.[124][125] It is
also the "reference implementation" of PHP, as PHP has no formal specification, and so the semantics of Zend PHP define the
semantics of PHP. Due to the complex and nuanced semantics of PHP, defined by how Zend works, it is difficult for competing
implementations to offer complete compatibility.
PHP's single-request-per-script-execution model, and the fact that the Zend Engine is an interpreter, leads to inefficiency; as a
result, various products have been developed to help improve PHP performance. In order to speed up execution time and not
have to compile the PHP source code every time the web page is accessed, PHP scripts can also be deployed in the PHP
engine's internal format by using an opcode cache, which works by caching the compiled form of a PHP script (opcodes)
in shared memory to avoid the overhead of parsing and compiling the code every time the script runs. An opcode cache, Zend
Opcache, is built into PHP since version 5.5.[126] Another example of a widely used opcode cache is the Alternative PHP
Cache (APC), which is available as a PECL extension.[127]
While Zend PHP is still the most popular implementation, several other implementations have been developed. Some of these
are compilers or support JIT compilation, and hence offer performance benefits over Zend PHP at the expense of lacking full
PHP compatibility. Alternative implementations include the following:
- HHVM (HipHop Virtual Machine) – developed at Facebook and available as open source, it converts PHP code into a high-level bytecode (commonly known as an intermediate language), which is then translated into x86-64 machine code dynamically at runtime by a just-in-time (JIT) compiler, resulting in up to 6× performance improvements.[128]
- Parrot – a virtual machine designed to run dynamic languages efficiently; Pipp transforms the PHP source code into the Parrot intermediate representation, which is then translated into the Parrot's bytecode and executed by the virtual machine.
- Phalanger – compiles PHP into Common Intermediate Language (CIL) bytecode
- Quercus – compiles PHP into Java bytecode
- HipHop – developed at Facebook and available as open source, it transforms the PHP scripts into C++ code and then compiles the resulting code, reducing the server load up to 50%. In early 2013, Facebook deprecated it in favor of HHVM due to multiple reasons, including deployment difficulties and lack of support for the whole PHP language, including the create_function() and eval() constructs.[129]
Licensing
PHP is free software released under the PHP License, which stipulates that:[130]
Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written
permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP"
instead of calling it "PHP Foo" or "phpfoo".
This restriction on use of "PHP" makes the PHP License incompatible with the General Public License (GPL), while the Zend
License is incompatible due to an advertising clause similar to that of the original BSD license.[131]
Use
A broad overview of the LAMP software bundle, displayed here together with Squid.
PHP is a general-purpose scripting language that is especially suited to server-side web development, in which case PHP
generally runs on a web server. Any PHP code in a requested file is executed by the PHP runtime, usually to create dynamic
web page content or dynamic images used on websites or elsewhere.[161] It can also be used for command-line scripting
and client-side graphical user interface (GUI) applications. PHP can be deployed on most web servers, many operating
systems and platforms, and can be used with many relational database management systems (RDBMS). Most web
hosting providers support PHP for use by their clients. It is available free of charge, and the PHP Group provides the complete
source code for users to build, customize and extend for their own use.[9]
PHP acts primarily as a filter,[162] taking input from a file or stream containing text and/or PHP instructions and outputting another
stream of data. Most commonly the output will be HTML, although it could be JSON, XML or binary data such as image or audio
formats. Since PHP 4, the PHP parser compiles input to produce bytecode for processing by the Zend Engine, giving improved
performance over its interpreter predecessor.[163]
Originally designed to create dynamic web pages, PHP now focuses mainly on server-side scripting,[164] and it is similar to other
server-side scripting languages that provide dynamic content from a web server to a client, such as Microsoft's ASP.NET, Sun
Microsystems' JavaServer Pages,[165] and mod_perl. PHP has also attracted the development of many software
frameworks that provide building blocks and a design structure to promote rapid application development (RAD). Some of these
include PRADO, CakePHP, Symfony, CodeIgniter, Laravel, Yii Framework, Phalcon and Zend Framework, offering features
similar to other web frameworks.
The LAMP architecture has become popular in the web industry as a way of deploying web applications.[166] PHP is commonly
used as the P in this bundle alongside Linux, Apache and MySQL, although the P may also refer to Python, Perl, or some mix
of the three. Similar packages, WAMP and MAMP, are also available for Windows and OS X, with the first letter standing for the
respective operating system. Although both PHP and Apache are provided as part of the Mac OS X base install, users of these
packages seek a simpler installation mechanism that can be more easily kept up to date.
As of April 2007, over 20 million Internet domains had web services hosted on servers with PHP installed and mod_php was
recorded as the most popular Apache HTTP Server module.[167] As of June 2018, PHP was used as the server-side
programming language on 83.5% of websites where the language could be determined.[168] Web content management
systems written in PHP include MediaWiki,[169] Joomla,[170] eZ Publish, eZ Platform, SilverStripe,[171] WordPress,[172] Drupal,[173]
and Moodle.[174] Websites written in PHP, in back-end and/or user-facing portion, include Facebook,[175] Digg,[176] Tumblr,[177]
Dailymotion,[178] and Slack.[179]
For specific and more advanced usage scenarios, PHP offers a well defined and documented way for writing custom extensions
in C or C++.[180][181][182][183][184][185][186] Besides extending the language itself in the form of additional libraries, extensions provide a
way to improve execution speed where it is critical and there is room for improvement by using a true compiled language.[187][188]
PHP also offers well defined ways for embedding itself into other software projects. That way PHP can be easily used as an
internal scripting language for another project, also providing tight interfacing with the project's specific internal data structures.[189]
PHP received mixed reviews due to lacking support for multithreading at the core language level,[190] though using threads is
made possible by the "pthreads" PECL extension.[191][192]
As of January 2013, PHP was used in more than 240 million websites (39% of those sampled) and was installed on 2.1
million web servers.[193]
A command line interface, php-cli, and two ActiveX Windows Script Host scripting engines for PHP have been produced.
Security
In 2017, 3% of all vulnerabilities listed by the National Vulnerability Database were linked to PHP;[194] historically, about 30% of
all vulnerabilities listed since 1996 in this database are linked to PHP. Technical security flaws of the language itself or of its
core libraries are not frequent (22 in 2009, about 1% of the total although PHP applies to about 20% of programs listed).[195]
Recognizing that programmers make mistakes, some languages include taint checking to automatically detect the lack
of input validation which induces many issues. Such a feature is being developed for PHP,[196] but its inclusion into a release has
been rejected several times in the past.[197][198]
There are advanced protection patches such as Suhosin and Hardening-Patch, especially designed for web hosting
environments.[199]
Historically, old versions of PHP had some configuration parameters and default values for such runtime settings that made
some PHP applications prone to security issues. Among these, magic_quotes_gpc and register_globals[200] configuration
directives were the best known; the latter made any URL parameters become PHP variables, opening a path for serious
security vulnerabilities by allowing an attacker to set the value of any uninitialized global variable and interfere with the
execution of a PHP script. Support for "magic quotes" and "register globals" settings has been deprecated as of PHP 5.3.0, and
removed as of PHP 5.4.0.[201]
Another example of a potential runtime-settings vulnerability comes from failing to disable PHP execution (e.g.
via engine configuration directive)[202] for the directory where uploaded files are stored; enabling it can result in execution of
malicious PHP code embedded within the uploaded files, e.g. when allowing users to upload images.[203][204][205] The best practice
is to either locate the image directory outside of the document root available to the web server and serve it via intermediary
script, or disable PHP execution for the directory which stores the uploaded files.
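The first option above (uploads kept outside the document root and served through an intermediary script) can be implemented as follows. This is an added example, not code from the original article; the storage path, the 16-hex-character naming scheme and the function names are assumptions, and it requires PHP 7.1 or later with the fileinfo extension.

```php
<?php
declare(strict_types=1);

// Assumed layout: uploads are stored outside the document root, so no URL maps
// onto them and the web server never hands them to the PHP engine.
const UPLOAD_DIR = '/srv/app-data/uploads';            // hypothetical path
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

/** Map a client-supplied name to a file inside $storageDir, or null if it is not acceptable. */
function resolveUpload(string $storageDir, string $name): ?string
{
    // Only names the application itself would have generated: 16 hex chars plus extension.
    if (preg_match('/\A[a-f0-9]{16}\.(png|jpg|gif)\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($storageDir);
    $path = realpath($storageDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                                   // directory or file does not exist
    }
    // Containment check after symlink resolution.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

/** Sniff the type from the file content; the name and any client-sent type are ignored. */
function detectAllowedType(string $path): ?string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($type, ALLOWED_TYPES, true) ? $type : null;
}

/** Stream the file as inert bytes. It is read, never include()d, so embedded PHP cannot run. */
function serveUpload(string $storageDir, string $name): int
{
    $path = resolveUpload($storageDir, $name);
    $type = $path === null ? null : detectAllowedType($path);
    if ($path === null || $type === null) {
        http_response_code(404);
        return 404;
    }
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return 200;
}

if (PHP_SAPI !== 'cli') {
    // Web request: the file name arrives in a query parameter (assumed to be "f").
    $requested = $_GET['f'] ?? '';
    serveUpload(UPLOAD_DIR, is_string($requested) ? $requested : '');
} else {
    // Command-line self-check on constructed files in a throwaway directory.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    // Constructed PNG header (signature plus IHDR fields), enough for content sniffing.
    $pngHeader = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
    file_put_contents($dir . '/0123456789abcdef.png', $pngHeader);
    // Constructed file with an image name but PHP source as its content.
    file_put_contents($dir . '/fedcba9876543210.png', "<?php echo 'constructed sample'; ?>\n");

    $names = ['0123456789abcdef.png', 'fedcba9876543210.png', 'aaaaaaaaaaaaaaaa.png', '../outside.png'];
    foreach ($names as $name) {
        $path = resolveUpload($dir, $name);
        $type = $path === null ? null : detectAllowedType($path);
        printf("%-22s %s\n", $name, $type ?? 'rejected');
    }
    array_map('unlink', glob($dir . '/*.png'));
    rmdir($dir);
}
```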
Also, enabling the dynamic loading of PHP extensions (via enable_dl configuration directive)[206] in a shared web
hosting environment can lead to security issues.[207][208]
Implied type conversions that result in different values being treated as equal, sometimes against the programmer's intent, can
lead to security issues. For example, the result of the comparison 0e1234 == 0 is true, because the first compared value is
treated as scientific notation having the value (0×10^1234), i.e. zero. Errors like this resulted in authentication vulnerabilities
in Simple Machines Forum,[209] Typo3[210] and phpBB[211] when MD5 password hashes were compared. The recommended way is
to use hash_equals() (for timing attack safety), strcmp or the identity operator (===), as 0e1234 === 0 results in false.[212]
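The comparison bug described above, shown next to the hardened form and a check for stored digests that are exposed to it. This is an added example, not code from the original article or from the affected projects; the function names, account names and sample digests are constructed for illustration, and it assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

/** The pattern described above, kept as the "before": loose equality on hex digests. */
function digestsMatchLoose(string $stored, string $supplied): bool
{
    // Two strings shaped like 0e<digits> are both numeric, so == compares
    // them as numbers (0 x 10^n each) instead of as text.
    return $stored == $supplied;
}

/** Hardened form: byte-for-byte, timing-safe comparison of two strings. */
function digestsMatch(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

/** Audit helper (hypothetical name): would PHP read this digest as numeric zero? */
function isZeroLikeDigest(string $digest): bool
{
    return preg_match('/\A0+e[0-9]+\z/i', $digest) === 1;
}

/** Return the account names whose stored digest is exposed to the loose-comparison bug. */
function auditStoredDigests(array $digestsByAccount): array
{
    return array_keys(array_filter($digestsByAccount, 'isZeroLikeDigest'));
}

// Constructed sample data: hash-shaped strings, not digests of real passwords.
$stored   = '0e' . str_repeat('1', 30);
$supplied = '0e' . str_repeat('7', 30);
$ordinary = md5('constructed sample value');

$rows = [
    'different zero-like digests, =='          => digestsMatchLoose($stored, $supplied),
    'different zero-like digests, hash_equals' => digestsMatch($stored, $supplied),
    'same digest, hash_equals'                 => digestsMatch($ordinary, $ordinary),
];
foreach ($rows as $label => $result) {
    printf("%-42s %s\n", $label, var_export($result, true));
}

// Constructed account table; any account listed here should have its digest regenerated.
$accounts = [
    'alice' => $stored,
    'bob'   => $ordinary,
    'carol' => '00E' . str_repeat('4', 29),
];
echo 'accounts to rehash: ', implode(', ', auditStoredDigests($accounts)), "\n";
```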
In a 2013 analysis of over 170,000 website defacements, published by Zone-H, the most frequently (53%) used technique was
exploitation of file inclusion vulnerability, mostly related to insecure usage of the PHP functions include, require,
and allow_url_fopen.