PHP.net: PHP 5.2.6 Released
posted Friday May 02, 2008 @ 07:51:13
BY CHRIS CORNUTT
The PHP development team has released the latest version in the PHP 5.2.x series today - version 5.2.6:
This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.6 release can be found in the release announcement for 5.2.6; the full list of changes is available in the ChangeLog for PHP 5.
Security updates include prevention of a buffer overflow in FastCGI mode, an integer overflow in printf, correction for a safe_mode bypass method in cURL and the bundling of PCRE 7.6 to update the regular expression functionality of the language.
You can grab this latest release from the downloads page on PHP.net (or your favorite mirror) - both the source and the Windows binaries.
tagged with: release php5 series security overflow pcre safemode download
PHPBuilder.com: Validating PHP User Sessions
posted Monday April 07, 2008 @ 11:12:33
BY CHRIS CORNUTT
On PHPBuilder.com, there's a new tutorial about validating user sessions - ensuring that data in your user's sessions is valid and isn't an attack trying to sneak in.
In a nutshell, sessions are the way that we "maintain state" from one page to the next, that is, how we identify specific users across multiple page requests. The ability to track users as they go from one page to the next using sessions allows us a number of options, such as tracking where they are going (web statistics) or to verify credentials for a specific section of the site.
First, there's a short introduction to sessions for those unsure of their use. It's followed by a look at some session vulnerabilities that could be introduced by malicious users looking to break things on your site (including HTML/JavaScript injection, as their example shows).
They recommend a three-step plan to get started with validating your users' sessions: make it easy for users to log out when they want to, use unique aspects of the remote machine to define the session, and validate all user input, especially anything that will be put into a session variable.
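The three steps above, worked through as an added example with hypothetical helper functions (not the PHPBuilder tutorial's code). It assumes PHP 7+ with file-based sessions enabled and a constructed request in place of a real browser visit:

```php
<?php
// Added example of the three steps above as hypothetical helpers (not the
// PHPBuilder tutorial's code). Assumes PHP 7+ with file-based sessions enabled.

// Step 2: fingerprint the remote machine. User-Agent plus the first three octets
// tolerates an address moving inside its /24 yet catches an ID replayed elsewhere.
function sessionFingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = implode('.', array_slice(explode('.', $server['REMOTE_ADDR'] ?? ''), 0, 3));
    return hash('sha256', $ua . '|' . $ip);
}

// Resume the session; fresh ID on first sight (defeats fixation), and on a
// fingerprint mismatch drop the stored data instead of trusting it.
function startValidatedSession(array $server): void
{
    session_start();
    $fp = sessionFingerprint($server);
    if (!isset($_SESSION['fp']) || !hash_equals($_SESSION['fp'], $fp)) {
        $_SESSION = ['fp' => $fp];     // anonymous again, nothing inherited
        session_regenerate_id(true);   // new ID; old server-side record deleted
    }
}

// Step 3: validate before anything enters $_SESSION, with a whitelist pattern
// so HTML/JavaScript can never be stored and echoed back later.
function setSessionUsername(string $raw): bool
{
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $raw)) {
        return false;
    }
    $_SESSION['username'] = $raw;
    return true;
}

// Step 1: make logout cheap and complete: data, server-side record and cookie.
function logoutSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed request standing in for a real browser visit.
startValidatedSession(['HTTP_USER_AGENT' => 'Mozilla/5.0 (example)', 'REMOTE_ADDR' => '192.0.2.10']);
$ok = [setSessionUsername('alice_01'), setSessionUsername('<script>alert(1)</script>')];
logoutSession();
var_dump($ok);   // output only after the cookie header has been sent
```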
tagged with: tutorial session security tip vulnerabilities injection validate
Ed Finkler's Blog: Encouraging steps towards security in Wordpress 2.5
posted Wednesday April 02, 2008 @ 21:09:47
BY CHRIS CORNUTT
Ed Finkler, not normally a big fan of the WordPress PHP-based blogging system, has pointed out some positive steps that were made in the latest release in the security arena.
Anyone who gets me liquored up knows that I'm not a fan of Wordpress. I think it's great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don't believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple areas: password hashes and cookie data encryption.
He mentions two things in particular - their addition of salted passwords and secure cookies.
tagged with: wordpress security secure cookie password hash blog
WebReference.com: Working With Forms
posted Monday March 31, 2008 @ 10:25:11
BY CHRIS CORNUTT
The WebReference.com website has an introductory tutorial showing the budding PHP developer how to get started with one of the keys to web application interaction - forms.
Forms are how your users talk to your scripts. To get the most out of PHP, you must master forms. The first thing you need to understand is that although PHP makes it easy to access form data, you must be careful of how you work with the data.
The first part of the tutorial is focused on something many applications don't worry about - the security and integrity of the data submitted to them. They talk about things like filtering and various other checks to ensure that the data you're getting is good. They also mention the method for putting submitted values into PHP arrays, checking for valid values, using multiple submit buttons and an example of some of these methods all put together - validating a credit card number.
tagged with: tutorial input form application validate security
C7Y: Step Away From the SuperGlobals! An Introduction to Inspekt
posted Tuesday February 19, 2008 @ 11:15:00
BY CHRIS CORNUTT
As Ed Finkler points out, he has written a new article for the C7Y site (from php|architect) about his Inspekt library - an introduction to the filtering library showing how it can help make your applications safer.
Inspekt is a library for PHP4 and PHP5 that aims to make safe input handing easier, and unsafe actions more difficult. Inspekt establishes a new development approach by wrapping input within "cage" objects, and requiring the developer to use validation and filtering methods to test and manipulate the input data. This article provides a brief introduction to Inspekt and its capabilities.
The article covers all of the basics - what the library can do for you, how it integrates into your application and how it helps to protect you from potential problems with the data in your superglobals ($_GET, $_POST, $_REQUEST, etc).
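To make the "cage" idea concrete, here is an added example with a hypothetical minimal cage class; it is not Inspekt's real API, only the pattern the article describes. It also covers the credit card validation mentioned in the WebReference.com forms tutorial above, using the Luhn check; the request data is constructed:

```php
<?php
// Added illustration of the "cage" idea as a hypothetical minimal class (not
// Inspekt's real API): raw values stay private, every accessor filters or validates.
final class InputCage
{
    private $data;
    public function __construct(array $source) { $this->data = $source; }

    // Cage $_POST and empty the superglobal so code cannot read around the cage.
    public static function fromPost(): self
    {
        $cage = new self($_POST);
        $_POST = [];
        return $cage;
    }

    // Validator: a well-formed integer or null ("12abc" and "1e3" are rejected).
    public function getInt(string $key): ?int
    {
        $v = $this->data[$key] ?? null;
        return (is_string($v) && preg_match('/\A-?\d+\z/', $v)) ? (int) $v : null;
    }

    // Filter: keep letters and digits, drop everything else (tags, quotes, ...).
    public function getAlnum(string $key): string
    {
        return preg_replace('/[^A-Za-z0-9]/', '', (string) ($this->data[$key] ?? ''));
    }

    // Validator: digits of a card number that pass the Luhn check, else null
    // (the "validating a credit card number" case from the forms tutorial above).
    public function getCreditCard(string $key): ?string
    {
        $digits = preg_replace('/\D/', '', (string) ($this->data[$key] ?? ''));
        $len = strlen($digits);
        if ($len < 13 || $len > 19) return null;
        $sum = 0;
        for ($i = 0; $i < $len; $i++) {
            $d = (int) $digits[$len - 1 - $i];
            if ($i % 2 === 1 && ($d *= 2) > 9) $d -= 9;   // double every second digit from the right
            $sum += $d;
        }
        return $sum % 10 === 0 ? $digits : null;
    }
}

// Constructed sample request standing in for a real POST body.
$_POST = ['id' => '42', 'user' => '<b>bob</b>', 'card' => '4111 1111 1111 1111'];
$cage  = InputCage::fromPost();
var_dump($cage->getInt('id'), $cage->getAlnum('user'), $cage->getCreditCard('card'));
```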
tagged with: inspekt tutorial superglobal library security superglobal
Community News: Stefan Esser Named to eWeek's The 15 Most Influential People in Security Today
posted Tuesday February 19, 2008 @ 07:59:00
BY CHRIS CORNUTT
As the ThinkPHP blog points out today, Stefan Esser has been named one of the "15 Most Influential People in Security Today" by eWeek.
If there's a security hole in PHP, chances are it was found by Stefan Esser, an open-source security specialist. Esser's advisories about flaws in Linux, NetBSD, Samba, Ethereal, CVS, Subversion, MySQL and PHP are legendary. [...] His "Month of PHP Bugs" project thoroughly exposed the insecure nature of the widely deployed PHP language and forced a rethink about security in the open-source world.
Check out the slideshow for other people in the list including Michal Zalewski of Google and Ivan Krstic of the "One Laptop Per Child" project.
tagged with: stefanesser eweek security influential list slideshow
Developer Tutorials Blog: And the winner of the most important security tip competition is...
posted Friday February 15, 2008 @ 09:31:00
BY CHRIS CORNUTT
The Developer Tutorials blog has posted their "winner" of a list of things to do to keep you and your website secure:
When it comes to PHP security, you often think of input filtering, SQL injection prevention, XSS in user submitted content and so on. Well, forget about that. They're all pretty trivial compared to what I feel is by far the most important security issue of any web application. Read on to find out why.
Their number one thing to do to keep safe and secure? "Keep your systems updated." They point out that securing a web site is one thing, but securing the system that it runs on (or has been developed on) is another; left improperly patched, it could cause some huge problems.
Now, the best way to keep on top of potential vulnerabilities in your underlying systems is with updates. Sometimes, however, you need to go a little further. [...] Watching the web is also a good idea; major security vulnerabilities generally make it to the front page of Digg.
tagged with: security tip important system update patch development
Devshed: Putting Apache in Jail (including PHP)
posted Thursday January 31, 2008 @ 12:51:00
BY CHRIS CORNUTT
In a new article on DevShed, the spotlight is on putting Apache "in jail" with chroot, but they also include a section on setting up PHP to work inside it.
In this conclusion to a six-part series on Apache configuration and installation, you will learn how to use chroot to put Apache in jail, how to prepare PHP to work in jail, and more.
The article is an excerpt from the O'Reilly book "Apache Security" and shows how to get PHP to cooperate by installing it normally and then setting up some shared libraries to be used in the jail. They note one common problem - an issue with PHP accessing sendmail - that can be solved easily with a change to php.ini for the setup.
tagged with: apache chroot jail install oreilly book security