[Security] PHP 4.1.0 available

This is a heads-up following Shaun Clowes' post to Bugtraq from July 3 this 
year.  The main concern Shaun raised in his post was the way PHP handled 
form input.  While not being insecure in itself, he claimed that PHP was 
'encouraging' people to write insecure code, by making it all too easy.  He 
also pointed out that even though PHP offered a way to handle form input 
differently, in a more secure way, by setting register_globals to Off, he 
said that writing PHP scripts this way was the equivalent of Chinese water 
torture :)

Some of the PHP core developers agreed with him, and we designed a new 
input interface that encourages writing secure code.  These new mechanisms 
are available in the newly released PHP 4.1.0, and allow users to turn 
register_globals to Off without losing sanity.  The next semi-major version 
of PHP will default to having register_globals set to Off, so new users will 
have to explicitly turn it on if they want to.

For the full release message, including a short overview of the new input 
interface, please see http://www.php.net/release_4_1_0.php
PHP 4.1.0 is available at http://www.php.net/downloads.php

Zeev

--
Zeev Suraski <zeev@php.net>
PHP Group    http://www.php.net/
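
The register_globals problem this message refers to, shown as an added example that is not part of the original post or of PHP's own code. The function names, the password value and the sample request are constructed, and `extract()` is used here as an assumption to emulate register_globals=On, which current PHP no longer has; the hardened form reads input the way the `$_GET`/`$_POST` arrays of PHP 4.1.0 and later are meant to be used.

```php
<?php
// Added illustration: function names and the sample request are constructed.

// register_globals = On, emulated with extract(): every request parameter
// becomes a variable before the script body runs.
function legacy_page(array $request): string
{
    extract($request); // stands in for what the engine did implicitly

    if (isset($password) && $password === 'correct-horse') {
        $authorized = true;
    }
    // $authorized is never initialised by the script, so a request
    // parameter with the same name decides the outcome.
    return !empty($authorized) ? 'admin panel' : 'denied';
}

// register_globals = Off: input is read explicitly from the request array
// and every piece of local state is initialised by the script itself.
function hardened_page(array $get): string
{
    $authorized = false;
    $password = $get['password'] ?? '';

    // Reject non-string input (e.g. password[]=x) before comparing.
    if (is_string($password) && hash_equals('correct-horse', $password)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'denied';
}

// Constructed request: no password supplied, only a parameter that happens
// to share its name with the script's internal flag.
$request = ['authorized' => '1'];

echo 'register_globals On  (emulated): ', legacy_page($request), "\n";
echo 'register_globals Off (explicit): ', hardened_page($request), "\n";
```

When auditing older code, the pattern to look for is any variable that is tested before the script itself has assigned it.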


[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux