The PHP development team announces the immediate availability of PHP 5.3.11 and PHP 5.4.1. These releases focuses on improving the stability of the current PHP branches with over 60 bug fixes, some of which are security related. [...] For a full list of changes in PHP 5.3.11 and PHP 5.4.1, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. All users of PHP are strongly encouraged to upgrade to PHP 5.3.11 or PHP 5.4.1.

Several bugs were fixed in both releases including issues with validation of the name of the uploaded file, adding open_basedir checks to readline_write_history/readline_read_history, and the addition of debug info handler to DOM objects.

So with PHP 5.3 upgrade underway (and PHP 5.4 out of the door now!) I thought it's time to prepare for PHP 5.4 and make sure we're compatible. So by looking at Wim Godden's PHP53Compatibility code sniffs I have created a base for PHP 5.4 sniffs that we want to use to make sure we're compatible.

Sniffs included in set are:

• PHP54Compatibility_Sniffs_PHP_BreakContinueVarSyntaxSniff
• PHP54Compatibility_Sniffs_PHP_DeprecatedFunctionsSniff

You can grab this custom set of sniffs either from his github repository or from his personal PEAR channel if you'd rather install it that way (alpha channel).

This was a great security fix, solving an issue with insecure passwords due to incorrect behavior. HOWEVER, what wasn't made clear, is that this change was actually a backwards compatibility break. If you upgraded to 5.3.7+ data hashed pre-5.3.7 would no longer match data hashed post-5.3.7; this means if you use it for passwords, it will no longer match. So what's the deal here?

He talks about the differences in the two methods of encryption, the newer being the "more correct" way of doing things. If you need the backwards compatibility because of previously hashed values, you can use the "$2x$" prefix instead of the usual "$2a$". He includes a snippet of code that can be used to upgrade all of your previously hashed blowfish passwords up to the new format.

In PHP and several other languages used to implement Web applications, arrays are used to store the values of request variables such as $_GET, $_POST, $COOKIE, etc.. IF you receive a request with a large number of request values, until recent versions PHP may run into trouble.

He goes on to explain why there's an issue with the array overloading and what PHP has done in recent releases to help correct the issue - the max_input_vars setting in the php.ini. He also points out that this is not a new issue - it was originally identified back in 2003 (with a video of the original presentation). He points out that the most recent releases of the PHP language have this fix in them and, if at all possible, you should upgrade to protect your applications.

Due to unfortunate issues with 5.3.7 (see bug#55439) users should wait with upgrading until 5.3.8 will be released (expected in few days).

The issue causes the crypt() function to only return the (MD5-only) salt it was given instead of the correctly hashed string. If you need to replace this immediately, you can pull the latest from the snaps site (or binaries for Windows). Keep an eye out for PHP 5.3.8 in the near future.

It's amazing that we are even having this type of discussion. We opted to use Symfony back in 0.x for some high traffic projects. [...] And now here we are on 1.4. Content and happy with the throughput the dev team is able to maintain. But now Symonfy says that 2.0 will be released and is completely different than 1.x? How is that fair to the companies, individuals, and hobbyists who have sunk time over the last four years ramping up to a point where we can take advantage of RAD (rapid app development) approach that Symfony provides?

He wonders if this same discussion will be being had years down the line when Symfony3 decides to come up on the horizon. Will there be such a major change in the architecture that developers, only a few years earlier making the major change to to Symfony2, will get burnt again?

The WinCache extension 1.1 for PHP has been released last year. Since then several customers reported a bug in the extension that prevents WordPress and other PHP applications from performing automatic upgrades or their plugins. This was reported on WordPress forum as well as on WinCache forum. The new build of WinCache with the fix for this problem is available now at the following location: https://sourceforge.net/projects/wincache/files/development/

He asks for feedback if things still don't work - either as a comment in the WinCache forum or as a bug to the PECL database. This will help them improve the support in future releases and make it even easier for those running WordPress on Windows to keep their sites running smoothly.

It was just a few months ago that the CodeIgniter community began to explode with a torrent of frustration that CodeIgniter simply wasn't progressing as a framework. There were also a few prominent developers considering abandoning the framework in favour of more active alternatives. [...] Before we go patting ourselves on the back, and heralding the reactor as a great success, there's a much wider question we need to look at: 'Are people actually upgrading?'.

He notes that, based on his experiences, people don't seem to be upgrading to this latest release and that several people still see Reactor as a "beta" and not a viable upgrade alternative. He suggests three things he think could help - a good upgrade guide, a stop of support in libraries for non-Reactor codebases and encouragement to use mercurial more (cloning the repo).

Now that PHP 5.2 is at the end of life, we are starting to migrate to PHP 5.3.

Things he mentions are:

• The deprecation of session_register
• The change of creating a new object by reference
• Other deprecated functions listed here
• His commands to upgrade his Zend Server instance from 5.2 to 5.3

So you or your team has built anywhere between 5 and 500 projects in PHP 4, 5.1 and 5.2 over the past 5 years. And now PHP 5.3 is there, offering a lot of very interesting features, including namespace support, late static binding (finally !), closures, nested exceptions and a bunch more (see the new feature list). So naturally, you'd like to upgrade. But doing so might break some old code.

He suggests a few different options - just run your unit tests and hope for the best, test the application's code directly or, his preference, run compatibility tests with the help of PHP_CodeSniffer and this new sniff he created. The sniff finds things like deprecated functions hanging around from pre-5.3 times as a part of a subset that the code sniffer can easily find.