All the Easter Eggs in PHP
PHP used to pack quite a few Easter Eggs back in the day. Until PHP 5.5, calling a URL with a special string returned various bits of PHP information and images such as the PHP logo, credits, Zend Engine logo, and a quirky PHP Easter Egg logo.
https://example.com/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP Logo
https://example.com/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP Credits
https://example.com/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: Zend Engine logo
https://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP Logo Easter Egg
Calling PHP web site URLs with query parameters above revealed a lot of information about the PHP version the sites were running, opening information disclosure vulnerabilities unless the sites were configured with
expose_php=off PHP INI directive. There were hundreds of questions on StackOverflow and hundreds of blog posts and articles on turning off these URLs. The unexpected outcome of this was that attackers could target PHP web sites en-masse by snooping on the exact PHP version web sites use.
These magic URLs were removed in PHP 5.5 and those special URLs no longer have any special functionality. However, even to this date, PHP continues its last Easter Egg in its
phpinfo()output, there is a special PHP logo visible only on April 1st.
phpinfo() pages reveal a lot of information about the PHP setup, and should not be visible outside visitors of a web site. The last of PHP Easter Eggs are placed in the Top right logo section of the
phpinfo() HTML output.
The April 1st PHP logo shown above has not always been the same. Occasionally, PHP developers change the logo with a new fun and quirky logo.
Here are all the Easter Egg logos PHP had from the beginning:
|Thies C. Arntzen
|Stig Bakken's dog named "Nadia"
|Zeev Surask's dog named "Scotch"
|PHP 7.0 to 7.4
|Featuring a PHP 7 ElePHPant, by Andrea Faulds
|PHP 8.0 to current
|Featuring InPHPinity, by Noriko Yamamoto
Expires: Thu, 19 Nov 1981 08:52:00 GMT
PHP's session extension sends an
Expires HTTP header with value
Thu, 19 Nov 1981 08:52:00 GMT when the session cookie expiration date needs to be in the past (which essentially invalidates the cookie).
This seemingly random number is actually the birthday of Sascha Schumann, who worked on that part of the code at the time.