PHPClasses.org: Another Serious Security Bug on PHP 5.3.9
by Chris Cornutt February 06, 2012 @ 14:16:22
On the PHPClasses.org blog there's a new post detailing a serious security issue introduced in the PHP 5.3.9 release (PHP 5.3.10 has already been released to correct it).
PHP 5.3.9 release was mostly meant to fix a security bug, but it introduced a new more serious bug. PHP 5.3.10 was just released to fix this issue. [...] This time it is a bug that allows arbitrary remote code execution. This means that it allows running arbitrary code on the server, injected by an eventual attacker, so it can be used to cause many types of damage inside a server.
The upgrade to PHP 5.3.10 is highly recommended to prevent this issue from affecting your applications. The post also mentions the dropping of Suhosin support (a security plugin for PHP) from the Debian Linux distribution's default installation and how the PHP community has reacted to the decision.
security bug release update suhosin
Chris Hartjes' Blog: PHPUnit Aborted Fix
by Chris Cornutt January 19, 2012 @ 11:16:53
Chris Hartjes ran into an issue with his unit tests where PHPUnit was throwing an "aborted" error no matter what tests were run. Thankfully, in this new post, he shares a solution.
That was a pretty annoying bug. I never did find out what the problem was as I moved onto other problems and chalked that error up to some undiagnosed weirdness on that particular server. From time to time I would get asked on Twitter if I had ever solved the problem. My answer was always "no, and if you do solve it please let me know how you fixed it." Today, my friends, was the day.
Based on a response from Demian Katz, he was able to get around the issue with a flag set on the PHPUnit command line: "-dzend.enable_gc=0". Apparently the issue has to do with garbage collection and has been a known issue since the beginning of 2011.
phpunit aborted unittest fix garbage collection bug
Liip Blog: Easily Test PHP 5.4 Beta on OS X with PHP-OSX
by Chris Cornutt September 20, 2011 @ 10:43:30
Christian Stocker has a quick new post on the Liip blog today about an easy way to test the PHP 5.4 beta on your OS X-based platform with a simple package install and symlink.
Since the first beta of the next major release of PHP was released a few days ago, I thought we could provide packages for people who'd like to test it and see if their software is still running. And make adjustments or report bugs, if it doesn't. Complaining after the official stable release was made is usually too late, so testing your software against beta releases is very important. For your project and for PHP.
The install involves grabbing their package from the Liip server and calling the "packager.py" executable to make the version swap. You can go back to the pre-installed PHP5 version at any time by pointing the symlink back. If you want more information on the package (or to report bugs) you can find the project over on GitHub.
phposx package download install test beta bug
rooJSolutions Blog: Watch-out PHP 5.3.7+ is about.. and the is_a() / __autoload() mess.
by Chris Cornutt September 02, 2011 @ 10:43:24
New from the rooJSolutions blog there's a post pointing out that PHP 5.3.7 has broken the is_a() functionality in a lot of cases. The post talks some about what's broken and how you can work around it if you're affected.
The key issue was that 5.3.7 accidentally broke is_a() for a reasonably large number of users. Unfortunately the fixup release 5.3.8 did not address this 'mistake', and after a rather fruitless exchange I gave up trying to persuade the group (most people on mailing list), that reverting the change was rather critical (at least pierre supported reverting it in the 5.3.* series).
This new issue was causing some strange errors to pop up in his code because of a parameter type change in the is_a() call, which updated the first parameter to be an object instead of a class name. The is_a() call sends its requests to __autoload in some cases, and the string->object mismatch of those parameters causes errors to be thrown. His workaround: in your checking, be sure to call is_object() first before passing a value to is_a(), so it is not handed off to be autoloaded.
bug isa autoload parameter change string object
Zend Developer Zone: Announcing the August 2011 Zend Framework Bug-Hunt
by Chris Cornutt August 24, 2011 @ 12:55:39
On the Zend Developer Zone today they've announced this month's Zend Framework Bug Hunt starting tomorrow (the 25th) and running through Saturday (the 27th):
For those who haven't put the recurring event in their calendar, the Zend Framework Monthly Bug-hunt is here again! This Thursday, Friday and Saturday (the 25th, 26th and 27th of August), we'll be hosting our monthly bug hunt. For those of you unfamiliar with the event, each month, we organize the community to help reduce the number of open issues reported against the framework
Ralph reminds everyone of the change in tracking methods in their Jira setup and how to find some issues to tackle when you start your debugging. You can also just visit this page to get the full list of unresolved issues. Additional instructions are included in the post on "getting started" resources, how your fixes help the framework and a guide you can follow to get the ball rolling.
bug hunt zendframework august framework
PHP.net: PHP 5.3.8 Released!
by Chris Cornutt August 23, 2011 @ 11:04:16
On PHP.net they've posted the official announcement about the release of PHP 5.3.8, a release following 5.3.7 to fix some issues with the crypt functionality.
The PHP development team would like to announce the immediate availability of PHP 5.3.8. This release fixes two issues introduced in the PHP 5.3.7 release: Fixed bug #55439 (crypt() returns only the salt for MD5), reverted a change in timeout handling restoring PHP 5.3.6 behavior, which caused mysqlnd SSL connections to hang (Bug #55283). All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.8.
As always you can download this latest release from the downloads page (Windows binaries here). This upgrade is highly recommended if you were running 5.3.7.
release version language crypt issue bug
Martin Psinas' Blog: Switching to PDO
by Chris Cornutt August 04, 2011 @ 10:17:59
In a new post to his blog Martin Psinas talks about some of the pains he experienced upgrading his code to use PDO instead of the mysql extension for database interaction.
I read not too long ago that the mysql library in PHP is being deprecated as of v6.0 in favor of mysqli or PDO, so of course I had to update all of my database code to keep on top of things. I spent about 5 or 6 hours over the course of 2 days familiarizing myself with the new syntax and updating my code offline. Without any testing, I decided I could go ahead and push the code "live" because I'm just that over-confident sometimes, although I did make a backup in case anything went wrong (or so I thought).
Two problems jumped out immediately: a SQL error caused by this bug, and a problem with preparing his statement inside of a session handling method.
pdo mysql switch problem prepare session limit bug
Zend Developer Zone: Announcing July's Zend Framework Bug Hunt Days
by Chris Cornutt July 27, 2011 @ 11:13:44
On the Zend Developer Zone, Matthew Weier O'Phinney has posted a notice about this month's Bug Hunt Days for the Zend Framework. This month they'll be held July 28th through the 30th.
For those who haven't put the recurring event in their calendar, the Zend Framework Monthly Bug-hunt is here again! This Thursday, Friday and Saturday (the 28th, 29th and 30th of July), we'll be hosting our monthly bug hunt. For those of you unfamiliar with the event, each month, we organize the community to help reduce the number of open issues reported against the framework.
He reminds those wanting to participate of a few pieces of information: that they'll need a CLA on file, where to find unresolved issues, how to get help on the zftalk.dev IRC channel, and a getting started guide for first-timers.
zendframework bughuntdays bug jira unresolved opensource