The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13 The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack. PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

Users are encouraged to upgrade their applications, especially those using CGI-based setups. You can find the latest source on the downloads page and the Windows binaries on windows.php.net.

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states: 'Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.'

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

You can download this latest version from the downloads page for the source releases or windows.php.net for the Windows binaries. You can look at the Changelog if you'd like more details on the update.

The PHP development team announces the immediate availability of PHP 5.3.11 and PHP 5.4.1. These releases focuses on improving the stability of the current PHP branches with over 60 bug fixes, some of which are security related. [...] For a full list of changes in PHP 5.3.11 and PHP 5.4.1, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. All users of PHP are strongly encouraged to upgrade to PHP 5.3.11 or PHP 5.4.1.

Several bugs were fixed in both releases including issues with validation of the name of the uploaded file, adding open_basedir checks to readline_write_history/readline_read_history, and the addition of debug info handler to DOM objects.

The PHP development team would like to announce the 8th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION! This is the 8th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

Improvements in this release include bugfixes for an issues with htmlspecialchars/htmlentities as well as improving on the "max_input_vars" configuration setting to work better with nested variables. You can find the full list of changes in the NEWS file and download the release for testing from the QA site (Windows binaries).

The PHP development team announces the 6th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. [...] The 6th release candidate focused on improving traits. Please test them carefully and help us to identify bugs in order to ensure that the release is solid and all things behave as expected.

You can download this latest release from the PHP QA site (Windows binaries) and test it on your local instance/applications. Any and all feedback about issues should be reported to either the QA mailing list or on the bug tracker. A complete list of updates is available in the NEWS file.

The PHP development team would like to announce the immediate availability of PHP 5.3.9. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Bugfixes and updates in this release include the max_input_vars directive, an autoloading issue with is_a and changes to the FPM SAPI module. You can see the full list of changes here or just go over and download this latest release and get to installing - source, Windows binaries.

The PHP development team announces the 5th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

Bugs fixed in this version include a few to the Core, SAPI/CLI SAPI, PHP-FPM support and improvements to the session extension. Download and test out this latest version on your systems - the more feedback they receive the better! You can report issues you might find on the PHP bug tracker.

The PHP development team is proud to announce the third release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the third release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

Major changes include the introduction of UTS #46 mapping support in the intl extension and the inclusion of SERVER_NAME and SERVER_PORT into the $_SERVER superglobal for CLI. You can find more changes listed in the NEWS file and can download the latest from the PHP.net site (or your favorite mirror): source, Windows binaries.

Stopping development for weeks while you figure out how to add unit tests to cover your entire codebase is simply something that cannot be done (at least, not if you want to keep your job), no matter what future benefits it might bring. The good news is, adding unit testing to your existing project only takes five minutes - which is pretty much how long it takes to get a unit testing framework installed. That's it. Move on.

He puts the emphasis on unit testing to manage change in a code base, not so much to ensure that the current application runs as it should (not initially at least). He's found them most useful in bugfixing, refactoring and when adding new functionality. Current tests (and even tests written in TDD) can help with all of these. He includes reminders that if the tests aren't written well, they're useless and that once you've started testing, it needs to be continuous, even if they're not perfect.

The PHP development team would like to announce the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Security fixes in this release include updates to crypt_blowfish() and a buffer overflow in crypt(). Enhancements include the fixes for several bugs including ones related to crashing due to internal errors, iterator fixes, sockets, ini settings and more. You can find the full list of changes in the Changelog for this release.

You can download the latest source from the downloads page or, for Windows users, the binaries.