[23525] in bugtraq
[Security] PHP 4.1.0 available
daemon@ATHENA.MIT.EDU (Zeev Suraski)
Mon Dec 17 14:40:45 2001
Message-Id: <5.1.0.14.2.20011216022441.04b037e0@localhost>
Date: Sun, 16 Dec 2001 02:40:46 +0200
To: bugtraq@securityfocus.com
From: Zeev Suraski <zeev@zend.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

This is a heads-up following Shaun Clowes' post to Bugtraq from July 3 this
year. The main concern Shaun raised in his post was the way PHP handled
form input. While not insecure in itself, he claimed, PHP was 'encouraging'
people to write insecure code by making it all too easy. He also pointed
out that even though PHP offered a way to handle form input differently, in
a more secure way, by setting register_globals to Off, writing PHP scripts
this way was the equivalent of Chinese water torture :)

Some of the PHP core developers agreed with him, and we designed a new
input interface that encourages writing secure code. These new mechanisms
are available in the newly released PHP 4.1.0, and allow users to turn
register_globals Off without losing their sanity. The next semi-major
version of PHP will default to register_globals being Off, so new users
will have to explicitly turn it on if they want to.

For the full release message, including a short overview of the new input
interface, please see http://www.php.net/release_4_1_0.php
PHP 4.1.0 is available at http://www.php.net/downloads.php

Zeev
--
Zeev Suraski <zeev@php.net>
PHP Group http://www.php.net/
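The class of bug Shaun Clowes' post was about, shown as an added example that is not part of Zeev's message or of the PHP project's own code: a script that relies on register_globals beside the same logic rewritten against the $_POST superglobal that PHP 4.1.0 introduced. The superglobal name is from PHP 4.1.0; the `check_password` helper, the sample credential table and the simulated request data are constructed here for illustration.

```php
<?php
// Added example (not from Zeev's post): the register_globals hazard and
// the PHP 4.1.0 superglobal style that avoids it.

// Stand-in for a real credential check; hypothetical helper with
// constructed sample data.
function check_password($user, $pass)
{
    $users = array('alice' => 's3cret');
    return isset($users[$user]) && $users[$user] === $pass;
}

/*
 * VULNERABLE (register_globals = On).
 * Every request parameter becomes a PHP variable before the script runs,
 * so a request like  /admin.php?authorized=1  creates $authorized = "1"
 * and the password check is never needed.  The defect is that $authorized
 * is only ever assigned on the success path and never initialized.
 */
function page_with_register_globals()
{
    global $user, $pass, $authorized;   // all three arrive from the request
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    if ($authorized) {                  // truthy if the client sent it
        return 'secret page';
    }
    return 'access denied';
}

/*
 * HARDENED (works with register_globals = Off, PHP >= 4.1.0).
 * Input is read explicitly from $_POST, and $authorized is initialized
 * before use, so nothing the client sends can pre-seed it.
 */
function page_with_superglobals()
{
    $authorized = false;                        // always initialized
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    if ($authorized) {
        return 'secret page';
    }
    return 'access denied';
}

// Simulate register_globals by importing a constructed query string into
// the global scope the way the engine would (attacker sends no password).
$simulated_query = array('authorized' => '1');  // constructed attacker input
extract($simulated_query);                       // now $authorized == "1"
echo page_with_register_globals(), "\n";

// Same request against the hardened version: $_POST is populated by the
// server from the request body, and a stray "authorized" key there is
// simply ignored because the script never reads it.
$_POST = array('authorized' => '1');             // constructed attacker input
echo page_with_superglobals(), "\n";
?>
```

The first call succeeds without a password because `extract()` has done what register_globals does: the attacker-controlled `authorized` parameter is already a set global when the script starts. The second call fails closed because the only way to set `$authorized` is through `check_password()`, and the request data is read from `$_POST` by explicit key rather than spilled into the variable namespace. Initializing `$authorized = false` is the part of the fix that matters even on a server where register_globals is still On.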