Question:

My developer tells me that the Chilkat extension uses an insecure function dl(), which has not only been deprecated since PHP 5.3, but has actually been removed from some server installations of PHP, due to major security issues.

Is this something that you’re aware of? Is there a workaround? Is there an updated extension coming at some point?

Answer:

The answer is Yes and No.   The call to dl() is contained in the chilkat_9_5_0.php, but it’s there as a fallback and is normally not called.

The Chilkat PHP extension has two parts: (1) the chilkat_9_5_0.php, and (2) the shared lib/DLL, such as chilkat_9_5_0.so or chilkat_9_5_0.dll

Normally both the .php and .so/.dll are installed in the PHP extensions directory, and the php.ini is updated to add the line:

extension=chilkat_9_5_0.so

The chilkat_9_5_0.php contains the following at the very beginning:

// Try to load our extension if it's not already loaded.
if (!extension_loaded('chilkat_9_5_0')) {
  if (strtolower(substr(PHP_OS, 0, 3)) === 'win') {
    if (!dl('php_chilkat_9_5_0.dll')) return;
  } else {
    // PHP_SHLIB_SUFFIX gives 'dylib' on MacOS X but modules are 'so'.
    if (PHP_SHLIB_SUFFIX === 'dylib') {
      if (!dl('chilkat_9_5_0.so')) return;
    } else {
      if (!dl('chilkat_9_5_0.'.PHP_SHLIB_SUFFIX)) return;
    }
  }
}

If the PHP extension was installed to the extensions directory (as I described above) and the line was added to the php.ini, then the Chilkat extension is already loaded when PHP starts and the dl() function is not called. The above chunk of code only calls dl() when the Chilkat extension has not been “installed” to the PHP extensions directory and added to the php.ini file.