The PHP development team is proud to announce the first alpha release of the upcoming minor version update of PHP. Windows binaries will be available starting with alpha2 (intermediate snapshots available at snaps.php.net). The new version PHP 5.3 is expected to improve stability and performance as well as add new language syntax and extensions. Several new features have already been documented in the official documentation, others are listed on the wiki in preparation of getting documented. Please also review the NEWS file.THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!The purpose of this alpha release is to encourage users to not only actively participate in identifying bugs, but also in ensuring that all new features or necessary backwards compatibility breaks are noted in the documentation. Please report any findings to the QA mailinglist or the bug tracker.There have been a great number of other additions and improvements, but here is a short overview of the most important changes:Namespaces (documentation maybe out dated)Late static binding and __callStaticLambda functions and closuresAddition of the intl, phar (phar is scheduled for some more work a head of alpha2), fileinfo and sqlite3 extensionsOptional cyclic garbage collectionOptional support for the MySQLnd replacement driver for libmysqlWindows older than Windows 2000 (Windows 98, NT4, etc.) are not supported anymore (details)New syntax features like NOWDOC, limited GOTO, ternary short cut "?:"Several under the hood changes also require in depth testing with existing applications to ensure that any backwards compatibility breaks are minimized. This is especially important for users that require the undocumented Zend engine multibyte support.The current release plan states that there will be alpha/beta/RC releases in 2-3 week intervals with an expected stable release of PHP 5.3 between mid September and mid October of 2008.

A few weeks ago the manual was restructured to improve navigation and make room for per-extension chapters and usage examples along with improved documentation for object oriented extensions. The most noticable changes are the function reference, predefined variables, context options and parameters and predefined exceptions manual pages, for which we would really appreciate feedback on. The upcomming PHP5.3 release introduces several major features such as namespaces, closures, late static bindings, internationalization functions, INI sections, and Phar among others. We would really appreciate any and all help we can get improving the documentation. In related news, the manual was relicensed recently and is now covered by the CreativeCommons Attribution license.

The PHP team is once again proud to participate in the Google Summer of Code. Ten students will "flip bits instead of burgers" this summer: Zend LLVM Extension by Joonas Govenius, mentored by Nuno LopesPHP Optimizer by Samuel Graham Kelly IV, mentored by Derick RethansPhD (PHP Docbook) Project by Rudy Nappée, mentored by Hannes MagnussonReplace auto* with CMake by Alejandro Leiva Rojas, mentored by Pierre A. Joyegsoc:2008 - XDebug by Chung-Yang Lee, mentored by David CoallierRewrite the run-tests.php script by Cesar Montedonico, mentored by Travis SwicegoodPHP Bindings for Cairo by Akshat Gupta, mentored by Anant NarayananAlgorithm Optimizations by Michal Dziemianko, mentored by Scott MacVicarPECL, Website Improvements by Barry Carlyon, mentored by Helgi Þormar ÞorbjörnssonImplement Unicode into PHP 6 by Henrique do Nascimento Angelo, mentored by Scott MacVicarUpdate (May 11th): Unfortunately Nicholas Sloan had to drop out of the program, but he will be replaced by Rudy Nappée working on the same application.

The PHP development team would like to announce the immediate availability of PHP 4.4.8. It continues to improve the security and the stability of the 4.4 branch and all users are strongly encouraged to upgrade to it as soon as possible. This release wraps up all the outstanding patches for the PHP 4.4 series, and is therefore the last normal PHP 4.4 release. If necessary, releases to address security issues could be made until 2008-08-08. Security Enhancements and Fixes in PHP 4.4.8:Improved fix for MOPB-02-2007.Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.Fixed integer overlow in str[c]spn().Fixed regression in glob when open_basedir is on introduced by #41655 fix.Fixed money_format() not to accept multiple %i or %n tokens.Added "max_input_nesting_level" php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.Fixed INFILE LOCAL option handling with MySQL - now not allowed when open_basedir or safe_mode is active.Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378). For a full list of changes in PHP 4.4.8, see the ChangeLog.

Once again we are glad to announce that we have been accepted to be a Google Summer of Code project. See our program for this year's GSoC.We would like to take this opportunity to say thanks to Google Inc. for this privilege to participate once again, and would like to invite everyone to look at our list of ideas: http://wiki.php.net/gsoc/2008. Students are of course more than welcome to come up with their own ideas for their proposals and we will consider each and every application that we will receive.So once again, thanks to everyone who is involved in this magnificent journey and we hope to see many of you great students and open source passionate join us in our most enjoyable Google Summer of Code projects.

The PHP development team would like to announce the immediate availability of PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.5 release can be found in the release announcement for 5.2.5, the full list of changes is available in the ChangeLog for PHP 5.Security Enhancements and Fixes in PHP 5.2.5:Fixed dl() to only accept filenames. Reported by Laurent Gaffie.Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus LerdorfFixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.5.

The PHP development team would like to announce the immediate availability of PHP 5.2.4. This release focuses on improving the stability of the PHP 5.2.X branch with over 120 various bug fixes in addition to resolving several low priority security bugs. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.4 release can be found in the release announcement for 5.2.4, the full list of changes is available in the ChangeLog for PHP 5. Security Enhancements and Fixes in PHP 5.2.4:Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson)Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson)Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)Improved fix for MOPB-03-2007.Corrected fix for CVE-2007-2872. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.4.

The PHP documentation team is proud to present to the PHP community a few fixes and tweaks to the PHP Manual, including:an improved, XSL-based build system that will deliver compiled manuals to mirrors in a more timely manner (goodbye dsssl)manual pages can now contain images (see imagearc() for an example)updated function version information and capture system (fewer "no version information, might be only in CVS" messages)... and more to come!Please help us improve the documentation by submitting bug reports, and adding notes to undocumented functions.

The PHP development team would like to announce the immediate availability of PHP 5.2.1 and availability of PHP 4.4.5. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.1 release can be found in the release announcement for 5.2.1, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.5 release can be found in the release announcement for 4.4.5, the full list of changes is available in the ChangeLog for PHP 4. Security Enhancements and Fixes in PHP 5.2.1 and PHP 4.4.5:Fixed possible safe_mode & open_basedir bypasses inside the session extension.Fixed unserialize() abuse on 64 bit systems with certain input strings.Fixed possible overflows and stack corruptions in the session extension.Fixed an underflow inside the internal sapi_header_op() function.Fixed non-validated resource destruction inside the shmop extension.Fixed a possible overflow in the str_replace() function.Fixed possible clobbering of super-globals in several code paths.Fixed a possible information disclosure inside the wddx extension.Fixed a possible string format vulnerability in *print() functions on 64 bit systems.Fixed a possible buffer overflow inside ibase_{delete,add,modify}_user() functions.Fixed a string format vulnerability inside the odbc_result_all() function.Security Enhancements and Fixes in PHP 5.2.1 only:Prevent search engines from indexing the phpinfo() page.Fixed a number of input processing bugs inside the filter extension.Fixed allocation bugs caused by attempts to allocate negative values in some code paths.Fixed possible stack/buffer overflows inside zip, imap & sqlite extensions.Fixed several possible buffer overflows inside the stream filters.Memory limit is now enabled by default.Added internal heap protection.Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.Security Enhancements and Fixes in PHP 4.4.5 only:Fixed possible overflows inside zip & imap extensions.Fixed a possible buffer overflow inside mail() function on Windows.Unbundled the ovrimos extension. The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to the 5.2.1 or 4.4.5 releases as soon as possible. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.1. Update: Feb 14th; Added release information for PHP 4.4.5.Update: Feb 12th; The Windows install package had problems with upgrading from previous PHP versions. That has now been fixed and new file posted in the download section.

The PHP team is once again proud to participate in the Google Summer of Code. Seven students will "flip bits instead of burgers" this summer: Mentored by Michael Wallner, Hannes Magnusson will work on LiveDocs, which is a "tool to display DocBook XML files in a web browser on the fly, without the need of building all HTML target files first". This project will be of great value to the PHP Documentation Team. The PHP Interpreter uses reference counting to keep track of which objects are no longer referenced and thus can be destroyed. A major weakness in the current implementation is that it cannot detect reference cycles, that is objects that reference each other in a circular graph structure which is not referenced itself from outside the circle. Mentored by Derick Rethans, David Wang will implement a new reference counting algorithm that will alleviate this problem. Xdebug provides a range of useful functionality for PHP developers, including detailed error information, code coverage and profiling support, and support for remote debugging using the GDB and DBGp protocols. Mentored by Xdebug's creator, Derick Rethans, Adam Harvey will develop a cross-platform GUI application that implements the DBGp protocol and allows PHP applications to be debugged using Xdebug in a development environment agnostic fashion. Mentored by Lukas Smith, Konsta Vesterinen will work on the object-relational mapper Doctrine. Mutation Testing, or Automated Error Seeding, is an approach where the testing tool makes some change to the tested code, runs the tests, and if the tests pass displays a message saying what it changed. This approach is different than code coverage analysis, because it can find code that is executed by the running of tests but not actually tested. Mentored by Sebastian Bergmann, Mike Lewis will implement Mutation Testing for PHPUnit. Mentored by Helgi Þormar Þorbjörnsson, Igor Feghali will add support for foreign keys to MDB2_Schema, a package that "enables users to maintain RDBMS independant schema files in XML that can be used to create, alter and drop database entities and insert data into a database". Mentored by David Coallier, Nicolas Bérard-Nault will refactor the internals of Jaws, a Framework and Content Management System for building dynamic web sites, for PHP 6.