
Arpad Ray's Blog:
The adventure of PHP and the magic quotes
December 17, 2008 @ 12:03:07

One of the things that's been hanging around PHP's neck since its early days is the magic_quotes setting that was introduced to try to make things easier. In this interesting post Arpad Ray takes a look at this setting and why it's a bad thing for PHP to have around.

Like register_globals, it helped lower the barrier of entry to building a dynamic website by removing some of the complexity. However it certainly wasn't without sacrifice, problems with the implementation quickly appeared and continued to abound for the next ten years. Finally in PHP 5.2.2 we got an implementation which (as far as its intentions went) seemed to be bug free, but of course by then it was turned off by default and was already slated to be dropped in PHP 6.

He looks at a few reasons magic quotes are bad (not good enough for escaping, inconsistent, performance issues) and offers some methods, with code snippets, for dealing with the setting being turned on on your server.




Community News:
PHP 5.2.7 Released
December 05, 2008 @ 08:43:37

NOTE: This release has been recalled due to a security bug found involving magic_quotes_gpc.

The latest version in the PHP 5.2.x series has been released today - PHP 5.2.7:

The PHP development team would like to announce the immediate availability of PHP 5.2.7. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

These security updates include an update of the PCRE version, fixing an incorrect order with php_value, correcting a possible overflow in memnstr and more. Check out the full Changelog for more information on these updates and improvements. You can download this latest update from the PHP.net website (or your favorite mirror).



Michelangelo van Dam's Blog:
Zend Framework Bughuntday review
November 12, 2008 @ 07:53:56

Michelangelo van Dam has posted his summary of the recent BugHuntDay that happened in Roosendaal (the Netherlands) this past weekend:

Bughuntday is a whole day developers can come together to start fixing bugs for open-source frameworks and libraries. This Saturday we started these series with Zend Framework, a hugely adopted PHP framework within enterprise and professional web application development.

He also includes the slides from the presentation and a video of Jurien Stutterheim's talk introducing everyone to testing and the Zend Framework. There are pictures of the event on Flickr too.

Check here for an updated video from the event.



Ibuildings Blog:
T minus one (the PHP4 8-8-08 Deadline)
July 09, 2008 @ 08:46:13

As Ivo Jansch pointed out yesterday, it's a month until the fateful day that PHP4 will officially die:

It's July the 8th. Today I realized that we're exactly one month away from 8-8-8, the final blow to PHP4.

August 8th marks the point when nothing (at all) will be done to any version of PHP4 again. Full support ended back in December of 2007 with no new versions being released. 8-8-08 marks the end of that as well and PHP4 developers that discover bugs may not be able to get them fixed.

Ivo sums it up perfectly:

I'm not trying to scare you. No wait, I am. Don't let 8-8-8 become the PHP community's 6-6-6 and abandon PHP4 while you still can.


CodeIgniter Blog:
CodeIgniter 1.6.3 Maintenance and Security Release
June 27, 2008 @ 09:34:52

The CodeIgniter framework has made a new release today, 1.6.3, containing updates to fix a few bugs and address some security concerns.

We are happy to release CodeIgniter version 1.6.3 today. Version 1.6.3 is primarily a maintenance release, with a variety of bug fixes and some refinement to existing features (with a few new ones tossed in for good measure). Details of course can be found in the Change Log.

The release also fixes a potential cross-site scripting issue that, while it hasn't been reported as used yet, could still have some bad consequences if found and abused. You can grab this latest version from the CodeIgniter downloads page.



Matthew Turland's Blog:
Watch Your Include Path
March 27, 2008 @ 10:24:38

Matthew Turland is looking to "save you some grief" by pointing out an issue he recently had trouble with and eventually found out was a bug in PHP.

It's pretty rare that I encounter a bug in the software I run that hampers my ability to work or my server environment's ability to function normally. However, I encountered one last week that has taken me and several Rackspace support technicians nearly a week to figure out, namely PHP bug #43677.

The issue was that PHP seemed to be "forgetting" the include_path in the current script (not Apache). The bug has been found in PHP 5.2.5 (and possibly in all of the 5.2.x releases as well). The problem has been fixed in the latest CVS version and a patch has been created for those that want to correct the problem right away.



Demian Turner's Blog:
Seagull 0.6.4 Release (fixes Security Issue from 0.6.3)
January 25, 2008 @ 10:32:00

Demian Turner has posted about the latest version of the Seagull framework (0.6.3) and an update to correct a remote file disclosure issue (up to version 0.6.4).

Well it took a bit of time but after quite a few months a new release of Seagull is finally out, 0.6.3 (0.6.4). Things have been keeping pretty busy with the startup I'm working on, but it's been a great opportunity to refine some features of the framework and optimize the performance. The early indications are good, after less than 10 weeks of going live Kindo users are creating up to 20k profiles/day and the server load is staying comfortably below 0.5.

The update is a different download that helps correct an issue with the framework allowing user-inputted values from the GET string. Be sure and update your version to keep this security issue under wraps.



Dave Dash's Blog:
Fixing Broken PATH_INFO
January 24, 2008 @ 10:21:00

Dave Dash has posted about a method he developed, using a custom prepend file, to correctly obtain the PATH_INFO information for his server.

symfony and other applications rely on the server's PATH_INFO being set properly. Unfortunately, I use a nonstandard server that doesn't natively support CGI [...] but I can't figure out how to do a urldecode in my configuration.

To get around the issue, he created a file he prepended to each request (via auto_prepend_file) that took the value and urldecoded it to put it in another $_SERVER value.



Alexey Zakhlestin's Blog:
Syck 0.9.2
November 23, 2007 @ 09:14:00

Alexey Zakhlestin has released the latest version of his Syck tool - a "parser and emitter" of YAML documents.

I've just released syck for php 0.9.2 (a parser and emitter of YAML documents. If you don't know anything about YAML and why it is good: check my previous posts on the subject). A lot of new and tasty features.

Updates he mentions include:

  • stability and consistency fixes
  • enhancements with object-serialization and unserialization
  • loading of objects more class names


David Coallier's Blog:
Namespaces part 4.1 (What namespaces don't fix (part 1))
October 03, 2007 @ 14:36:00

David Coallier, continuing his look at the upcoming namespace support in PHP, has posted something a bit more negative than some of his previous posts - this time it's about what namespaces don't fix.

Anyways, after posting a few articles about namespaces and now that the patch has been ported to the php 5.3 branch, people are actually starting to use it. The side effects of people (without too much knowledge or thinking about the implementation of namespaces) is that they are actually realizing that namespaces are not the promised land.

To illustrate his point, David gives something that namespaces just won't fix - long class names. It doesn't matter if you're using them in the Project_Package_Class or (with namespaces) Project::Package::Class format, you're still stuck with the long names. Keep an eye out for more similar articles from David to demystify other incorrect namespace impressions.





All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework