The PHP project has released another update to both the 5.3.x and 5.4 revisions of the language correcting the bug that was found dealing with a flaw in CGI-based setups.

The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13 The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack. PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

Users are encouraged to upgrade their applications, especially those using CGI-based setups. You can find the latest source on the downloads page and the Windows binaries on windows.php.net.

The PHP project has officially released the latest versions in both the 5.3.x and 5.4.x series in response to a bug that was found in the CGI setup of certain server+PHP configurations.

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states: 'Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.'

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

You can download this latest version from the downloads page for the source releases or windows.php.net for the Windows binaries. You can look at the Changelog if you'd like more details on the update.

In this new post Wojciech Sznapka shows you how to can set up an Apache Ant deployment for a basic Symfony2 application - including installation of vendor packages and assets.

When you have plenty of Symfony2 applications and you need to deploy them from time to time, you are probably sick of thinking about every activity you need to do for every deploy. Often people use some build scripts, which are hard to maintain and tends to be unreadable. I wanted to automate it as much as it possible and I've choosen Ant, to help me out.

An example build.xml file is included in the post that shows how to:

• Pull the current code from git
• Install vendor packages
• Fix permissions for the log and cache directories
• Clean up the cache
• Dump/install any additional assets

Joshua Thijssen has a new post to his blog today about a feature of the upcoming PHP 5.4 release, the built-in web server, and a handy way to reproduce .htaccess functionality with the help of a simple PHP script - htrouter.

The problem with the new PHP 5.4 internal web-server is that it isn't Apache. Thus it does not know anything about .htaccess. Even when you have defined your .htaccess to do authentication, the internal PHP web-server will ignore it, while in production, the authentication will be needed (if you will be running Apache, of course). Also, you need to reroute everything manually through your app_dev.php, so your URL's don't really match the way they will be on your production.

He introduces the PHP web server quickly, just showing a sample command line call to start it up and to point it at a certain PHP file as a "boostrap". With the help of his htrouter script, though, you can use "modules" similar to those in Apache. He already has the HTTP auth stuff working and more is to come.

Robert Basic has a recent post showing you how to use the "cookie jar" functionality included with Apache's "ab" benchmarking tool to get behind your PHP-based login with a simple curl and grep combo.

Tonight I decided to relax a bit and what better way of relaxing is there for a geek then to do some bash scripting?! So for fun and no profit I decided to try and benchmark pages with ab, Apache HTTP server benchmarking tool, which are behind a login. Turns out, it's pretty easy after reading some man pages.

He includes an example of the format of the "cookie jar" and the shell script he used to grab the PHP session ID from it and inject it into the "ab" call. The script is on github.

On NetTuts.com today there's a new tutorial helping you get started with Zend Framework "from scratch". They outline the full process - from download to the creation of a first application.

Ready to take your PHP skills to the next level? In this new "From Scratch" series, we'll focus exclusively on Zend Framework, a full-stack PHP framework created by Zend Technologies. First in our tutorial series, is "Getting Started with Zend Framework."

The tutorial (executed in a Windows environment) is broken up into seven parts:

• Download Zend Framework
• Set up your Zend Framework Environment
• Create your First Zend Framework Project
• Learn about Zend Framework's MVC Structure
• Pass Data From a Controller to its View
• Create a Layout in Zend Framework
• Create New Controllers and Actions

They use the Windows version of Apache to host the site (installation instructions not included). If you'd like to get the source for this tutorial series as it evolves, you can find it on github.

On the ServerGrove blog today there's a new post from Ishmael about setting up multiple versions of PHP on one Apache instance with the help of FastCGI.

There are several reasons you might need to run multiple versions of PHP on the same server. Maybe you have a PHP 5.2 application running on your server and you need to start working on another application based on a new framework like Symfony2 or Lithium? Perhaps you haver a client with a legacy site that runs PHP 5.2, or maybe you simply want to test some of the new functionality? This post is going to explain how to setup a server to run multiple versions of PHP.

Normally, Apache can only be compiled with one version of PHP, but FastCGI gets around that by letting you define it in a configuration file instead. They also include support for defining the user the process runs as (suexec) that helps to make permissions issues lesser. Included are all of the command-line calls and config settings you'll need to make to get things set up.

Pim Elshoff has a recent post to his blog looking at a "kickass development environment" he's gotten working on Windows that includes PEAR, some type of version control (git or svn - take your pick), Ant for builds and Jenkins for continuous integration.

Recently I have become quite interested in quality assurance. Not that many things are going wrong for me, but I'd really like to be more certain about the quality of my work. I've used some tools to help me achieve just that. In less than two hours you can set up your workspace and have the living daylights automated out of you!

He provides a full guide to getting the full stack set up including the command-line calls you'll need to make, creating a new build file for Ant and setting up the PHP tools (like Phpmd, DocBlox and Pdepend). In the end, you should see something similar to this setup in your Jenkins build.

Rob Allen has posted his own guide to getting PHP 5.3 set up on OS X 10.7 Lion, the just-released update for Apple's operating system. It comes with a bundled set of PHP-related tools but you might want to set them up your own way. This is where the guide comes in.

With OS X 10.7, Apple continues to ship PHP 5.3 with PEAR, GD and PDO_MYSQL out of the box. This is how to set it up from a clean install of 10.7.

He goes through each of the pieces of software and talks about where to download the latest from and what configuration steps are needed:

• MySQL
• Apache
• the php.ini
• Xdebug
• PEAR
• PHPUnit (and friends)
• PECL OAuth
• mcrypt

Shay Ben Moshe has a new post to his blog today looking at some of the benefits that using the persistent connections offered in PDO can have on your application.

PDO is an abstraction layer for database connections in PHP, and it became increasingly popular in the past few years. PDO gives us the option to use a persistent connection. If we don't use this option, a new connection is created for each request. If we do use this option, the connection is not closed at the end of the script, and it is then re-used by other script requests.

He shares the setup for his testing (hardware and MySQL configuration) and some of the results from his tests using the Apache ab tool for making web requests against an application. You'll need to download the archived file to see the results, though. It also includes the files he used to test with, comparing regular connections to the persistent ones.