Bugtraq mailing list archives

[Security] PHP 4.1.0 available


From: Zeev Suraski <zeev () zend com>
Date: Sun, 16 Dec 2001 02:40:46 +0200

This is a heads-up following Shaun Clowes' post to Bugtraq from July 3 this year. The main concern Shaun raised in his post was the way PHP handled form input. While not being insecure in itself, he claimed that PHP was 'encouraging' people to write insecure code, by making it all too easy. He also pointed out that even though PHP offered a way to handle form input differently, in a more secure way, by setting register_globals to Off, writing PHP scripts this way was the equivalent of Chinese water torture :)

Some of the PHP core developers agreed with him, and we designed a new input interface that encourages writing secure code. These new mechanisms are available in the newly released PHP 4.1.0, and allow users to turn register_globals to Off without losing sanity. The next semi-major version of PHP will default to having register_globals set to Off, so new users will have to explicitly turn it on if they want to.

For the full release message, including a short overview of the new input interface, please see http://www.php.net/release_4_1_0.php
PHP 4.1.0 is available at http://www.php.net/downloads.php

Zeev

--
Zeev Suraski <zeev () php net>
PHP Group    http://www.php.net/
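
Added example, not part of the original message or of the PHP release: the coding pattern that register_globals=On made easy, next to the same check written against an explicit input array. register_globals no longer exists in current PHP, so extract() stands in for it here; password_ok(), the handler names and the sample requests are constructed for illustration, and $_GET in the comments refers to the input array introduced with PHP 4.1.0.

```php
<?php
// Hypothetical credential check shared by both handlers (constructed values).
function password_ok(string $user, string $pass): bool
{
    return $user === 'admin' && hash_equals('s3cret-constructed', $pass);
}

// Style that register_globals=On made easy: $authorized is never initialised,
// so a request parameter of the same name decides the outcome.
function legacy_handler(array $request): string
{
    extract($request); // emulates register_globals=On: every parameter becomes a variable
    if (isset($user, $pass) && password_ok($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin page' : 'denied';
}

// Style that works with register_globals=Off: request data stays inside an
// array (in a real script, $_GET), and only the script sets the decision variable.
function hardened_handler(array $get): string
{
    $authorized = false;
    $user = isset($get['user']) && is_string($get['user']) ? $get['user'] : '';
    $pass = isset($get['pass']) && is_string($get['pass']) ? $get['pass'] : '';
    if (password_ok($user, $pass)) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'denied';
}

// Constructed sample requests, standing in for the query string of three requests.
$samples = [
    'valid login'     => ['user' => 'admin', 'pass' => 's3cret-constructed'],
    'wrong password'  => ['user' => 'admin', 'pass' => 'guess'],
    'extra parameter' => ['authorized' => '1'],
];
foreach ($samples as $label => $request) {
    printf("%-16s legacy=%-11s hardened=%s\n",
        $label, legacy_handler($request), hardened_handler($request));
}
```

The two handlers agree on the first two requests and differ only on the third, where the legacy handler accepts a value the script itself never assigned.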

