From 2c995e57aada3385bf9123b9bd11acb542e1b021 Mon Sep 17 00:00:00 2001
From: Jim Winstead <jimw@trainedmonkey.com>
Date: Sat, 21 Dec 2024 18:01:11 -0800
Subject: [PATCH] Add warnings to use `php_sapi_name()` to test when running as
 CLI

---
 features/commandline.xml               | 10 ++++++++++
 language/predefined/variables/argv.xml |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/features/commandline.xml b/features/commandline.xml
index 47856477d818..d228c2ce2e00 100644
--- a/features/commandline.xml
+++ b/features/commandline.xml
@@ -182,6 +182,16 @@
            also be found in the <varname>$_SERVER</varname> array, for example:
            <varname>$_SERVER['argv']</varname>.
           </para>
+          <warning>
+           <simpara>
+            If a PHP script can be run via the command line or through another SAPI,
+            <function>php_sapi_name</function> should be used to check whether the
+            script is being run from the command line and <varname>$argv</varname>
+            is safe to use, otherwise arbitrary arguments may be passed to the
+            script via other SAPIs depending on how
+            <link linkend="ini.register-argc-argv">register_argc_argv</link> is set.
+           </simpara>
+          </warning>
           </entry>
          </row>
          <row>
diff --git a/language/predefined/variables/argv.xml b/language/predefined/variables/argv.xml
index d20bb41dc2ee..06ac25003610 100644
--- a/language/predefined/variables/argv.xml
+++ b/language/predefined/variables/argv.xml
@@ -25,6 +25,14 @@
     is disabled.
    </simpara>
   </note>
+  <warning>
+   <simpara>
+    To test if a script is being run from the command
+    line, <function>php_sapi_name</function> should be used
+    instead of checking whether <varname>$argv</varname> or
+    <varname>$_SERVER['argv']</varname> is set.
+   </simpara>
+  </warning>
  </refsect1>
  
  <refsect1 role="examples">