All the Easter Eggs in PHP

Published On30 Sep 2022

All the Easter Eggs in PHP

PHP used to pack quite a few Easter Eggs back in the day. Until PHP 5.5, calling a URL with a special string returned various bits of PHP information and images such as the PHP logo, credits, Zend Engine logo, and a quirky PHP Easter Egg logo.

  • PHP Logo
  • PHP Credits
  • Zend Engine logo
  • PHP Logo Easter Egg

In addition to the special URLs, Colin Viebrock made a change back in 2000 so that the standard PHP logo shown in the phpinfo() output changes to the Easter Egg logo only on April 1st.

Calling PHP web site URLs with query parameters above revealed a lot of information about the PHP version the sites were running, opening information disclosure vulnerabilities unless the sites were configured with expose_php=off PHP INI directive. There were hundreds of questions on StackOverflow and hundreds of blog posts and articles on turning off these URLs. The unexpected outcome of this was that attackers could target PHP web sites en-masse by snooping on the exact PHP version web sites use.

These magic URLs were removed in PHP 5.5 and those special URLs no longer have any special functionality. However, even to this date, PHP continues its last Easter Egg in its phpinfo() page.

In phpinfo() output, there is a special PHP logo visible only on April 1st.

phpinfo() pages reveal a lot of information about the PHP setup, and should not be visible outside visitors of a web site. The last of PHP Easter Eggs are placed in the Top right logo section of the phpinfo() HTML output.

Normal phpinfo header
Standard phpinfo PHP logo header

Normal phpinfo header
PHP Logo with an ElePHPant only on April 1st

The April 1st PHP logo shown above has not always been the same. Occasionally, PHP developers change the logo with a new fun and quirky logo.

Here are all the Easter Egg logos PHP had from the beginning:

Logo PHP Version Description
PHP 4.2 Easter Egg Logo PHP 4.0 Thies C. Arntzen
PHP 4.0 Easter Egg Logo PHP 4.3 Stig Bakken's dog named "Nadia"
PHP 5.0 Easter Egg Logo PHP 4.4 Zeev Surask's dog named "Scotch"
PHP 5.4 Easter Egg Logo PHP 5.1
PHP 5.5 Easter Egg Logo PHP 5.3
PHP 5.6 Easter Egg Logo PHP 5.6
PHP 7 Easter Egg Logo PHP 7.0 to 7.4 Featuring a PHP 7 ElePHPant, by Andrea Faulds
PHP 8 Easter Egg Logo PHP 8.0 to current Featuring InPHPinity, by Noriko Yamamoto

Expires: Thu, 19 Nov 1981 08:52:00 GMT

PHP's session extension sends an Expires HTTP header with value Thu, 19 Nov 1981 08:52:00 GMT when the session cookie expiration date needs to be in the past (which essentially invalidates the cookie).

This seemingly random number is actually the birthday of Sascha Schumann, who worked on that part of the code at the time.

Recent Articles on PHP.Watch

All ArticlesFeed 
How to fix `mysql_native_password` not loaded errors on MySQL 8.4

How to fix mysql_native_password not loaded errors on MySQL 8.4

How to fix the SQLSTATE[HY000] [1524] Plugin 'mysql_native_password' is not loaded errors caused in MySQL 8.4 no longer enabling the mysql_native_password plugin by default.
How to fix PHP Curl HTTPS Certificate Authority issues on Windows

How to fix PHP Curl HTTPS Certificate Authority issues on Windows

On Windows, HTTPS requests made with the Curl extension can fail because Curl has no root certificate list to validate the server certificates. This article discusses the secure and effective solutions, and highlights bad advice that can leave PHP applications insecure.
AEGIS Encryption with PHP Sodium Extension

AEGIS Encryption with PHP Sodium Extension

The Sodium extension in PHP 8.4 now supports AEGIS-128L and AEGIS256 Authenticated Encryption ciphers. They are significantly faster than AES-GCM and CHACHA20-POLY1305. This article benchmarks them and explains how to securely encrypt and decrypt data using AEGIS-128L and AEGIS256 on PHP.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.