These can offer significant performance gains by caching the compiled form of a PHP script in
shared memory to avoid the overhead of parsing and compiling the code every time the script
runs.
The National Vulnerability Database (NVD) catalogs publicly disclosed software vulnerabilities. The
proportion of NVD entries that were PHP-related amounted to 12% in 2003, 20% in 2004, 28% in 2005,
43% in 2006, 36% in 2007, and 35% in 2008. Most of these PHP-related vulnerabilities can be exploited
remotely: they allow attackers to read or destroy data held in data sources linked to the web server
(such as an SQL database), to send spam, or to contribute to denial-of-service (DoS) attacks by way of
malware installed on the compromised servers.
These vulnerabilities are caused mostly by not following best-practice programming rules: technical
security flaws in the language itself or in its core libraries are not frequent. Recognizing that
programmers cannot be relied upon to validate every input, some languages include taint checking,
which automatically detects the missing input validation that underlies many of these issues. Such a
feature has been developed for PHP. Although it may be included in mainstream PHP in a future release,
its inclusion has been rejected several times in the past.
Hosting PHP applications on a server requires careful and constant attention to these security risks.
There are hardening patches such as Suhosin and Hardening-Patch, designed especially for web hosting
environments. Installing PHP as a CGI binary rather than as an Apache module is the preferred method
for added security: the interpreter then runs in a separate process for each request, which can be
isolated from the web server and, with a wrapper such as Apache's suEXEC, run under each site's own
user account instead of the shared web server account, at the cost of higher per-request overhead.
With respect to securing the code itself, PHP code can be obfuscated to make it difficult to read
while remaining functional. Obfuscation protects the source from casual inspection, for example when
an application is distributed to customers; it does not prevent any of the attacks described above,
because the obfuscated code executes with exactly the same behaviour as the original.
(Figure: syntax-highlighted PHP code embedded within HTML.)
PHP only parses code within its delimiters. Anything outside its delimiters is sent directly to the
output and is not parsed by PHP. The most common delimiters are <?php and ?>, which are the open and
close delimiters respectively. <script language="php"> and </script> delimiters are also available.
Short tags can be used to start PHP code, <? or <?= (which echoes a string or variable), and the tag
to end PHP code is ?>. These tags are commonly used, but like ASP-style tags (<% or <%= and %>) they
are less portable, because they can be disabled in the PHP configuration. Since PHP 5.4 the <?=
shorthand is always recognized, while the bare <? short tag still depends on the short_open_tag
setting; the ASP-style and <script language="php"> forms were removed in PHP 7.0. Because everything
outside a recognized delimiter is passed straight through, a script written with tags the server does
not recognize is not merely broken: its source code is sent to the client as text. For this reason,
the use of short tags and ASP-style tags is discouraged. The purpose of these delimiters is to
separate PHP code from non-PHP code, including HTML.
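The following page shows the delimiter behaviour described above, together with the check a practitioner wants at every echo tag: request data is escaped before it is placed into the HTML. It is an added example, not code from the article; the hostile value assigned to $name is a constructed stand-in for a request parameter, and the helper h() is this example's own.

```php
<!DOCTYPE html>
<html>
<head><title>Delimiter example</title></head>
<body>
<?php
// Text outside the PHP delimiters is sent to the client verbatim; only the
// code between the open and close tags is parsed and executed.

// Constructed sample input standing in for a request parameter. A hostile value
// is used deliberately to show why the value must be escaped before it is echoed.
$name = isset($_GET['name']) ? $_GET['name'] : '<script>alert(1)</script>';

// Escape once, at output time, for an HTML text or attribute context.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
?>
<p>Hello, <?php echo h($name); ?>!</p>
<p>Hello again, <?= h($name) ?>!</p>
<?php
// The second paragraph uses the echo shorthand tag, which is always recognized
// from PHP 5.4 onwards. Echoing $name without h() would place the script
// element into the page unchanged, i.e. a cross-site scripting flaw. If this
// file used the bare short tag and the server had short_open_tag disabled, the
// PHP source between the tags would be sent to the browser instead of executed.
?>
</body>
</html>
```

Run it with php -S localhost:8080 and request /?name=%3Cb%3Ex%3C/b%3E to see the escaped markup rendered as text rather than interpreted by the browser.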
Variables are prefixed with a dollar symbol and a type does not need to be specified in advance.
Unlike function and class names, variable names are case sensitive. Both double-quoted ("") and
heredoc strings allow a variable's value to be embedded in the string; single-quoted and nowdoc
strings do not. PHP treats newlines as whitespace in the manner of a free-form language (except
inside string quotes), and statements are terminated by a semicolon. PHP has three types of comment
syntax: /* */ serves as block comments, and // as well as # are used for single-line comments. A
single-line comment ends at the end of the line or at a closing ?> tag, whichever comes first, so a
?> inside such a comment ends the PHP block. The echo statement is one of several facilities PHP
provides to output text (e.g. to a web browser).
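String interpolation is where the missing input validation discussed in the vulnerability section above usually does its damage: a variable embedded in a double-quoted or heredoc query string becomes part of the SQL text. The script below, an added example that is not part of the article, shows that failure mode and its fix (validation plus a bound parameter). It assumes the pdo_sqlite extension, which ships with standard PHP builds; the table, its two rows and the hostile input are constructed here for illustration.

```php
<?php
// Added example, not from the article. Uses an in-memory SQLite database via PDO,
// so it runs offline and writes nothing to disk (requires the pdo_sqlite extension).

function setup(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (name TEXT, role TEXT)");
    $db->exec("INSERT INTO users VALUES ('alice', 'user'), ('bob', 'admin')");
    return $db;
}

// Constructed untrusted input, as it might arrive in $_GET['name'].
$requested = "alice' OR '1'='1";

$db = setup();

// Double-quoted strings interpolate variables. Convenient for output, dangerous for
// queries: the value is spliced into the SQL text, the quote in the input closes the
// literal and the remainder is executed as SQL. Both rows come back, admin included.
$query = "SELECT name, role FROM users WHERE name = '$requested'";
$rows  = $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
echo "Interpolated (", count($rows), " rows): ", json_encode($rows), "\n";

// A heredoc interpolates in exactly the same way, so it carries the same risk.
$query = <<<SQL
SELECT name, role FROM users WHERE name = '$requested'
SQL;
echo "Heredoc produces the same text: $query\n";

// Safe form: validate the input against what a user name may contain, then bind it
// as a parameter so the database never interprets it as SQL. The query itself is a
// single-quoted string, which does not interpolate, so its text is constant.
function findUser(PDO $db, string $name): array {
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        throw new InvalidArgumentException('invalid user name');
    }
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findUser($db, $requested);
} catch (InvalidArgumentException $e) {
    echo "Rejected by validation: ", $e->getMessage(), "\n";
}
echo "Bound parameter: ", json_encode(findUser($db, 'alice')), "\n";
```

The validation pattern is deliberately strict because it is the first line of defence; the bound parameter is the second, and it is the one that holds even when a validation rule is later loosened.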
In terms of keywords and language syntax, PHP is similar to most high level languages that
follow the C style syntax. If conditions, for and while loops, and function returns are similar in
syntax to languages such as C, C++, Java and Perl.
PHP stores whole numbers in a platform-dependent range: that of 32-bit or 64-bit signed integers,
depending on the platform (see PHP_INT_MAX and PHP_INT_SIZE). PHP has no unsigned integer type, and
an integer operation that exceeds the range yields a float rather than wrapping around; this
behaviour differs from most other programming languages and matters when a value is range-checked
as an integer. Integer variables can be assigned using decimal (positive and negative), octal, and
hexadecimal notations. Floating point numbers are also stored