New PHP release

Posted by admin (Graham Ellis), 25 July 2002

On 22nd July, The PHP Group announced the details of a serious vulnerability in PHP versions 4.2.0 and 4.2.1. A security update, PHP 4.2.2, fixes the issue. They encourage everyone who is running affected versions of PHP to upgrade immediately. The new 4.2.2 release doesn't include other changes, so upgrading from 4.2.1 is described as safe and painless.

Additional note - added years later ... This page has become very popular with visitors just arriving at this site - we're delighted to see you if you're new here. PHP has been through many releases since this conversation in 2002, and the particular vulnerabilities are long since dealt with. However, there remains the need to be vigilant in what you write into your PHP code in order to prevent your scripts being used as spam engines, for injection attacks, or in order to compromise the data held on your server. Here are some links that we update from time to time that you might find useful: Security in PHP, Designing PHP solutions - best practise, and where to learn from us about these topics.

Posted by admin (Graham Ellis), 11 September 2002

And another release .... 4.2.3, on 6th September.

This is a maintenance release - if you're running PHP on Windows you're especially encouraged to upgrade, but there are not the security issues that make an upgrade from 4.2.0 and 4.2.1 to 4.2.2 forcefully recommended!

Posted by admin (Graham Ellis), 10 January 2003

Version 4.3.0 of PHP was released between Christmas and the New Year (did you ever wonder what Geeks did for Christmas?), and it's a good idea to upgrade to it if you're running PHP version 4.2.0, 4.2.1 or 4.2.2. If you're currently running version 4.1.2 or a version previous to that, note that upgrading to 4.3.0 may cause your scripts to break, as from release 4.3.0 variables are no longer automatically populated from form, cookie and environment contents. You can maintain compatibility through changing your php.ini file if you wish.

4.3.0 incorporates many internal improvements in PHP; for the regular user, the "keynote" features include speed improvements, command line interface improvements, a bundled GD library for graphics, and a unified approach to stream handling.

Posted by John_Moylan (jfp), 10 January 2003

I keep hearing "will cause scripts to break" when new releases of PHP appear. Is this not bad form? I would expect things to be a bit more stable than this. It's a great little language but they seem to make you work hard when upgrading.

jfp

Posted by admin (Graham Ellis), 11 January 2003

You keep hearing the same "will cause scripts to break" comment ... it's just the one situation, but one that I really have to mention (as do others) every time there's a new release of PHP. There are a lot of people out there still running PHP 4.0.x who haven't been following / tracking releases as closely as you and I; one day, they upgrade their system / get a new system onto which they install the current release of PHP and things fall over ... the warning is repeated for them.

All programming languages (and other pieces of software) need to develop over time in order to add in support for new technologies, and early design decisions may hamper such development. Occasionally - very occasionally - the right decision is to produce a new version that's not going to work "plug-and-play" with the older code so that the language can develop on rather than going stale because of ancient restrictions.

Personally, I think that the decision to remove the automatic provision of global variables for form elements by default at PHP 4.2 was a correct decision in the longer term for PHP, though I would have liked to have seen it now called "PHP5" rather than PHP4. It isn't hard if you are the server administrator to turn the facility back on if you have a lot of older scripts - mind you, if you are buying space from an ISP you'll have to modify your scripts.

This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference.
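
For scripts that relied on form fields appearing as global variables, the modification mentioned in the thread comes down to reading each field explicitly from its source and validating it. The following is an added example, not code from the thread or from the PHP project; the field names (name, qty, debug), the two helper functions and the sample $_POST contents are constructed for illustration, and it assumes PHP 7.1 or later run from the command line.

```php
<?php
// Constructed sample request, standing in for a submitted form so the
// script can be run from the command line.
$_POST = ['name' => ' Alice ', 'qty' => '3', 'debug' => '1'];

// A script written for automatic population would use $name and $qty
// directly and find them unset once the defaults changed:
//     echo "Order for $name: $qty items";

/** Hypothetical helper: fetch a non-empty, length-limited string field. */
function form_string(array $src, string $key, int $maxLen = 64): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                 // missing, or sent as an array (name[]=...)
    }
    $value = trim($src[$key]);
    return ($value !== '' && strlen($value) <= $maxLen) ? $value : null;
}

/** Hypothetical helper: fetch an integer field restricted to a range. */
function form_int(array $src, string $key, int $min, int $max): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $n = filter_var($src[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

// Script-owned state is initialised by the script. The "debug" field in the
// request has no effect because nothing reads it.
$debug = false;

// Each input names its source explicitly: form data comes from $_POST only.
$name = form_string($_POST, 'name');
$qty  = form_int($_POST, 'qty', 1, 100);

if ($name === null || $qty === null) {
    echo "Invalid order\n";
} else {
    // The value came from the client, so escape it on output.
    printf("Order for %s: %d items (debug=%s)\n",
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), $qty, var_export($debug, true));
}
```

The same helpers work for cookie or query-string values by passing $_COOKIE or $_GET as the source array.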
PH: 01144 1225 708225 • FAX: 01144 1225 793803 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho |