After a lengthy QA process, PHP 4.1.0 is finally out.  Download at !

PHP 4.1.0 includes several other key improvements:
- A new input interface for improved security (read below)
- Highly improved performance in general
- Revolutionary performance and stability improvements under Windows.  The 
multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as 
much as 30 times faster under load!  We want to thank Brett Brewer and his 
team in Microsoft for working with us to improve PHP for Windows.
- Versioning support for extensions.  Right now it's barely being used, but 
the infrastructure was put in place to support separate version numbers for 
different extensions.  The negative side effect is that loading extensions 
that were built against old versions of PHP will now result in a crash, 
instead of in a nice clear message.  Make sure you only use extensions 
built with PHP 4.1.0.
- Turn-key output compression support
- *LOTS* of fixes and new functions

As some of you may notice, this version is quite historical, as it's the 
first time in history we actually incremented the middle digit!  :) The two 
key reasons for this unprecedented change were the new input interface, and 
the broken binary compatibility of modules due to the versioning support.

Following is a description of the new input mechanism.  For a full list of 
changes in PHP 4.1.0, scroll down to the end of this section.



First and foremost, it's important to stress that regardless of anything 
you may read in the following lines, PHP 4.1.0 *supports* the old input 
mechanisms from older versions.  Old applications should go on working fine 
without modification!

Now that we have that behind us, let's move on :)

For various reasons, PHP setups which rely on register_globals being on 
(i.e., on form, server and environment variables becoming a part of the 
global namespace, automatically) are very often exploitable to various 
degrees.  For example, the piece of code:

if (authenticate_user()) {
   $authenticated = true;

May be exploitable, as remote users can simply pass on 'authenticated' as a 
form variable, and then even if authenticate_user() returns false, 
$authenticated will actually be set to true.  While this looks like a 
simple example, in reality, quite a few PHP applications ended up being 
exploitable by things related to this misfeature.

While it is quite possible to write secure code in PHP, we felt that the 
fact that PHP makes it too easy to write insecure code was bad, and we've 
decided to attempt a far-reaching change, and deprecate 
register_globals.  Obviously, because the vast majority of the PHP code in 
the world relies on the existence of this feature, we have no plans to 
actually remove it from PHP anytime in the foreseeable future, but we've 
decided to encourage people to shut it off whenever possible.

To help users build PHP applications with register_globals being off, we've 
added several new special variables that can be used instead of the old 
global variables.  There are 7 new special arrays:

$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie 
variables.  In other words - all the information that is coming from the 
user, and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module

Now, other than the fact that these variables contain this special 
information, they're also special in another way - they're automatically 
global in any scope.  This means that you can access them anywhere, without 
having to 'global' them first.  For example:

function example1()
        print $_GET["name"];   // works, 'global $_GET;' is not necessary!

would work fine!  We hope that this fact would ease the pain in migrating 
old code to new code a bit, and we're confident it's going to make writing 
new code easier.  Another neat trick is that creating new entries in the 
$_SESSION array will automatically register them as session variables, as 
if you called session_register().  This trick is limited to the session 
module only - for example, setting new entries in $_ENV will *not* perform 
an implicit putenv().

PHP 4.1.0 still defaults to have register_globals set to on.  It's a 
transitional version, and we encourage application authors, especially 
public ones which are used by a wide audience, to change their applications 
to work in an environment where register_globals is set to off.  Of course, 
they should take advantage of the new features supplied in PHP 4.1.0 that 
make this transition much easier.

As of the next semi-major version of PHP, new installations of PHP will 
default to having register_globals set to off.  No worries!  Existing 
installations, which already have a php.ini file that has register_globals 
set to on, will not be affected.  Only when you install PHP on a brand new 
machine (typically, if you're a brand new user), will this affect you, and 
then too - you can turn it on if you choose to.

Note:  Some of these arrays had old names, e.g. $HTTP_GET_VARS.  These 
names still work, but we encourage users to switch to the new shorter, and 
auto-global versions.

Thanks go to Shaun Clowes ([EMAIL PROTECTED]) for pointing out 
this problem and for analyzing it.



10 Dec 2001, Version 4.1.0
- Worked around a bug in the MySQL client library that could cause PHP to hang
   when using unbuffered queries. (Zeev)
- Fixed a bug which caused set_time_limit() to affect all subsequent requests
   to running Apache child process. (Zeev)
- Removed the sablotron extension in favor of the new XSLT extension.
- Fixed a bug in WDDX deserialization that would sometimes corrupt the root
   element if it was a scalar one. (Andrei)
- Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images.
- Fixed a bug in preg_match_all() that would return results under improper
   indices in certain cases. (Andrei)
- Fixed a crash in str_replace() that would happen if search parameter was an
   array and one of the replacements resulted in subject string being empty.
- Fixed MySQL extension to work with MySQL 4.0. (Jani)
- Fixed a crash bug within Cobalt systems. Patch by [EMAIL PROTECTED] (Jani)
- Bundled Dan Libby's xmlrpc-epi extension.
- Introduced extension version numbers. (Stig)
- Added version_compare() function. (Stig)
- Fixed pg_last_notice() (could cause random crashes in PostgreSQL
   applications, even if they didn't use pg_last_notice()). (Zeev)
- Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of
   E_ERROR error's, this allows you to trap errors thrown by DOMXML functions.
- Fixed a bug in the mcrypt extension, where list destructors were not
   properly being allocated. (Sterling)
- Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)
- Fixed a crash bug in array_map() if the input arrays had string or
   non-sequential keys. Also modified it so that if a single array is passed,
   its keys are preserved in the resulting array. (Andrei)
- Fixed a crash in dbase_replace_record. (Patch by [EMAIL PROTECTED])
- Fixed a crash in msql_result(). (Zeev)
- Added support for single dimensional SafeArrays and Enumerations.
   Added an is_enum() function to check if a component implements an
   enumeration. (Alan, Harald)
- Fixed a bug in dbase_get_record() and dbase_get_record_with_names().
   boolean fields are now returned correctly.
   Patch by Lawrence E. Widman <[EMAIL PROTECTED]> (Jani)
- Added --version option to php-config. (Stig)
- Improved support for thttpd-2.21b by incorporating patches for all known
   bugs. (Sascha)
- Added ircg_get_username, a roomkey argument to ircg_join, error fetching
   infrastructure, a tokenizer to speed up message processing, and fixed
   a lot of bugs in the IRCG extension. (Sascha)
- Improved speed of the serializer/deserializer. (Thies, Sascha)
- Floating point numbers are better detected when converting from strings.
   (Zeev, Zend Engine)
- Replaced php.ini-optimized with php.ini-recommended.  As the name implies,
   it's warmly recommended to use this file as the basis for your PHP
   configuration, rather than php.ini-dist.  (Zeev)
- Restore xpath_eval() and php_xpathptr_eval() for 4.0.7. There
   are still some known leaks. (Joey)
- Added import_request_variables(), to allow users to safely import form
   variables to the global scope (Zeev)
- Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE
   variables.  Like the other new variables, this variable is also available
   regardless of the context.  (Andi & Zeev)
- Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which
   deprecate the old $HTTP_*_VARS arrays.  In addition to be much shorter to
   type - these variables are also available regardless of the scope, and
   there's no need to import them using the 'global' statement.  (Andi & Zeev)
- Added vprintf() and vsprintf() functions that allow passing all arguments
   after format as an array. (Andrei)
- Added support for GD2 image type for ImageCreateFromString() (Jani)
- Added ImageCreateFromGD(), ImageCreateFromGD2(), ImageCreateFromGD2part(),
   ImageGD() and ImageGD2() functions (Jani)
- addcslashes now warns when charlist is invalid. The returned string
   remained the same (Jeroen)
- Added optional extra argument to gmp_init(). The extra argument
   indicates which number base gmp should use when converting a
   string to the gmp-number. (Troels)
- Added the Cyrus-IMAP extension, which allows a direct interface to Cyrus'
   more advanced capabilities. (Sterling)
- Enhance read_exif_data() to support multiple comment tags (Rasmus)
- Fixed a crash bug in array_map() when NULL callback was passed in. (Andrei)
- Change from E_ERROR to E_WARNING in the exif extension (Rasmus)
- New pow() implementation, which returns an integer when possible,
   and warnings on wrong input (jeroen)
- Added optional second parameter to trim, chop and ltrim. You can
   now specify which characters to trim (jeroen)
- Hugely improved the performance of the thread-safe version of PHP, especially
   under Windows (Andi & Zeev)
- Improved request-shutdown performance significantly (Andi & Zeev, Zend
- Added a few new math functions. (Jesus)
- Bump bundled expat to 1.95.2 (Thies)
- Improved the stability of OCIPlogon() after a database restart. (Thies)
- Fixed __FILE__ in the CGI & Java servlet modes when used in the main script.
   It only worked correctly in included files before this fix (Andi)
- Improved the Zend hash table implementation to be much faster (Andi, Zend
- Updated PHP's file open function (used by include()) to check in the calling
   script's directory in case the file can't be found in the include_path 
- Fixed a corruption bug that could cause constants to become corrupted, and
   possibly prevent resources from properly being cleaned up at the end of
   a request (Zeev)
- Added optional use of Boyer-Moore algorithm to str_replace() (Sascha)
- Fixed and improved shared-memory session storage module (Sascha)
- Add config option (always_populate_raw_post_data) which when enabled
   will always populate $HTTP_RAW_POST_DATA regardless of the post mime
   type (Rasmus)
- Added support for socket and popen file types to ftp_fput (Jason)
- Fixed various memory leaks in the LDAP extension (Stig Venaas)
- Improved interactive mode - it is now available in all builds of PHP, without
   any significant slowdown (Zeev, Zend Engine)
- Fixed crash in iptcparse() if the supplied data was bogus. (Thies)
- Fixed return value for a failed snmpset() - now returns false  (Rasmus)
- Added hostname:port support to snmp functions ([EMAIL PROTECTED], Rasmus)
- Added fdf_set_encoding() function (Masaki YATSU, Rasmus)
- Reversed the destruction-order of resources.  This fixes the reported OCI8
   "failed to rollback outstanding transactions!" message (Thies, Zend Engine)
- Added option for returning XMLRPC fault packets. (Matt Allen, Sascha
- Improved range() function to support range('a','z') and range(9,0) types of
   ranges. (Rasmus)
- Added getmygid() and safe_mode_gid ini directive to allow safe mode to do
   a gid check instead of a uid check. (James E. Flemer, Rasmus)
- Made assert() accept the array(&$obj, 'methodname') syntax. (Thies)
- Made sure that OCI8 outbound variables are always zero-terminated. (Thies)
- Fixed a bug that allowed users to spawn processes while using the 5th
   parameter to mail(). (Derick)
- Added nl_langinfo() (when OS provides it) that returns locale.
- Fixed a major memory corruption bug in the thread safe version. (Zeev)
- Fixed a crash when using the CURLOPT_WRITEHEADER option. (Sterling)
- Added optional suffix removal parameter to basename(). (Hartmut)
- Added new parameter UDM_PARAM_VARDIR ha in Udm_Set_Agent_Param() function to
   support alternative search data directory.  This requires mnogoSearch 3.1.13
   or later.
- Fixed references in sessions. This doesn't work when using the WDDX
   session-serializer. Also improved speed of sessions. (Thies)
- Added new experimental module pcntl (Process Control). (Jason)
- Fixed a bug when com.allow_dcom is set to false. (phanto)
- Added a further parameter to the constructor to load typelibs from file when
   instantiating components (e.g. DCOM Components without local registration).
- Added the possibility to specify typelibs by full name in the typelib file
   (Alan Brown)
- Renamed the ZZiplib extension to the Zip extension, function names have also
   changed accordingly, functionality, has stayed constant. (Sterling)
- Made the length argument (argument 2) to pg_loread() optional, if not
   specified data will be read in 1kb chunks. (Sterling)
- Added a third argument to pg_lowrite() which is the length of the data to
   write. (Sterling)
   constants. (Zak)
- Assigning to a string offset beyond the end of the string now automatically
   increases the string length by padding it with spaces, and performs the
   assignment. (Zeev, Zend Engine)
- Added warnings in case an uninitialized string offset is read. (Zeev, Zend
- Fixed a couple of overflow bugs in case of very large negative integer
   numbers. (Zeev, Zend Engine)
- Fixed a crash bug in the string-offsets implementation (Zeev, Zend Engine)
- Improved the implementation of parent::method_name() for classes which use
   run-time inheritance. (Zeev, Zend Engine)
- Added 'W' flag to date() function to return week number of year using ISO
   8601 standard. (Colin)
- Made the PostgreSQL driver do internal row counting when iterating through
   result sets. ([EMAIL PROTECTED])
- Updated ext/mysql/libmysql to version 3.23.39; Portability fixes, minor
   bug fixes. ([EMAIL PROTECTED])
- Added get_defined_constants() function to return an associative array of
   constants mapped to their values. (Sean)
- New mailparse extension for parsing and manipulating MIME mail. (Wez)
- Define HAVE_CONFIG_H when building standalone DSO extensions. (Stig)
- Added the 'u' modifier to printf/sprintf which prints unsigned longs.
- Improved IRIX compatibility. (Sascha)
- Fixed crash bug in bzopen() when specifying an invalid file. (Andi)
- Fixed bugs in the mcrypt extension that caused crashes. (Derick)
- Added the IMG_ARC_ROUNDED option for the ImageFilledArc() function, which
   specified that the drawn curve should be rounded. (Sterling)
- Updated the sockets extension to use resources instead of longs for the
   socket descriptors.  The socket functions have been renamed to conform with
   the PHP standard instead of their C counterparts.  The sockets extension is
   now usable under Win32. (Daniel)
- Added disk_total_space() to return the total size of a filesystem.
   (Patch from Steven Bower)
- Renamed diskfreespace() to disk_free_space() to conform to established
   naming conventions. (Jon)
- Fixed #2181. Now zero is returned instead of an unset value for
   7-bit encoding and plain text body type. (Vlad)
- Fixed a bug in call_user_*() functions that would not allow calling
   functions/methods that accepted parameters by reference. (Andrei)
- Added com_release($obj) and com_addref($obj) functions and the related class
   members $obj->Release() and $obj->AddRef() to gain more control over the 
   COM components. (phanto)
- Added an additional parameter to dotnet_load to specify the codepage (phanto)
- Added peak memory logging. Use --enable-memory-limit to create a new Apache
   1.x logging directive "{mod_php_memory_usage}n" which will log the peak
   amount of memory used by the script. (Thies)
- Made fstat() and stat() provide identical output by returning a numerical and
   string indexed array. (Jason)
- Fixed memory leak upon re-registering constants. (Sascha, Zend Engine)



PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to