PHP 4.1.0 released | Published by: webmaster 2009-01-07
After a lengthy QA process, PHP 4.1.0 is finally out. Download at
http://www.php.net/downloads.php !
PHP 4.1.0 includes several other key improvements:
- A new input interface for improved security (read below)
- Highly improved performance in general
- Revolutionary performance and stability improvements under Windows. The
multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as
much as 30 times faster under load! We want to thank Brett Brewer and his
team in Microsoft for working with us to improve PHP for Windows.
- Versioning support for extensions. Right now it's barely being used, but
the infrastructure was put in place to support separate version numbers for
different extensions. The negative side effect is that loading extensions
that were built against old versions of PHP will now result in a crash,
instead of in a nice clear message. Make sure you only use extensions
built with PHP 4.1.0.
- Turn-key output compression support
- *LOTS* of fixes and new functions
As some of you may notice, this version is quite historical, as it's the
first time in history we actually incremented the middle digit! :) The two
key reasons for this unprecedented change were the new input interface, and
the broken binary compatibility of modules due to the versioning support.
Following is a description of the new input mechanism. For a full list of
changes in PHP 4.1.0, scroll down to the end of this section.
-----------------------------------
SECURITY: NEW INPUT MECHANISM
First and foremost, it's important to stress that regardless of anything
you may read in the following lines, PHP 4.1.0 *supports* the old input
mechanisms from older versions. Old applications should go on working fine
without modification!
Now that we have that behind us, let's move on :)
For various reasons, PHP setups which rely on register_globals being on
(i.e., on form, server and environment variables becoming a part of the
global namespace, automatically) are very often exploitable to various
degrees. For example, the piece of code:
<?php
if (authenticate_user()) {
    $authenticated = true;
}
...
?>
May be exploitable, as remote users can simply pass on 'authenticated' as a
form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this misfeature.
While it is quite possible to write secure code in PHP, we felt that the
fact that PHP makes it too easy to write insecure code was bad, and we've
decided to attempt a far-reaching change, and deprecate
register_globals. Obviously, because the vast majority of the PHP code in
the world relies on the existence of this feature, we have no plans to
actually remove it from PHP anytime in the foreseeable future, but we've
decided to encourage people to shut it off whenever possible.
To help users build PHP applications with register_globals being off, we've
added several new special variables that can be used instead of the old
global variables. There are 7 new special arrays:
$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie
variables. In other words - all the information that is coming from the
user, and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module
Now, other than the fact that these variables contain this special
information, they're also special in another way - they're automatically
global in any scope. This means that you can access them anywhere, without
having to 'global' them first. For example:
function example1()
{
    print $_GET["name"]; // works, 'global $_GET;' is not necessary!
}
would work fine! We hope that this fact would ease the pain in migrating
old code to new code a bit, and we're confident it's going to make writing
new code easier. Another neat trick is that creating new entries in the
$_SESSION array will automatically register them as session variables, as
if you called session_register(). This trick is limited to the session
module only - for example, setting new entries in $_ENV will *not* perform
an implicit putenv().
PHP 4.1.0 still defaults to have register_globals set to on. It's a
transitional version, and we encourage application authors, especially
public ones which are used by a wide audience, to change their applications
to work in an environment where register_globals is set to off. Of course,
they should take advantage of the new features supplied in PHP 4.1.0 that
make this transition much easier.
As of the next semi-major version of PHP, new installations of PHP will
default to having register_globals set to off. No worries! Existing
installations, which already have a php.ini file that has register_globals
set to on, will not be affected. Only when you install PHP on a brand new
machine (typically, if you're a brand new user), will this affect you, and
then too - you can turn it on if you choose to.
Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These
names still work, but we encourage users to switch to the new shorter, and
auto-global versions.
Thanks go to Shaun Clowes (shaun@securereality.com.au) for pointing out
this problem and for analyzing it.
-----------------------------------
Zeev
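The register_globals problem described in the announcement above, shown next to the same page written against the new request arrays. This is an added example, not part of the original post or of PHP's own code. It is written for a current PHP CLI, where the directive no longer exists, so extract() stands in for it; the function names, the demo account and both requests are constructed for illustration.

```php
<?php
// Constructed demo account; the hash is generated at start-up for this example.
const DEMO_USER = 'alice';
define('DEMO_HASH', password_hash('constructed-password', PASSWORD_DEFAULT));

// Stand-in for the announcement's authenticate_user() (hypothetical signature).
function authenticate_user(string $user, string $pass): bool
{
    return hash_equals(DEMO_USER, $user) && password_verify($pass, DEMO_HASH);
}

// Emulates a script running with register_globals=on: every request
// variable is imported into scope before the page logic runs.
function page_with_register_globals(array $request): bool
{
    extract($request); // assumption: stands in for the old directive
    if (authenticate_user($user ?? '', $pass ?? '')) {
        $authenticated = true;
    }
    return !empty($authenticated); // never initialised by the script itself
}

// The same page written for register_globals=off: input is read only from
// the request array ($_POST in a real script) and the flag starts as false.
function page_with_superglobals(array $post): bool
{
    $authenticated = false;
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    if (authenticate_user($user, $pass)) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed requests: a failed login that also sends 'authenticated',
// and a login with the correct password.
$forged = ['user' => 'alice', 'pass' => 'wrong', 'authenticated' => '1'];
$valid  = ['user' => 'alice', 'pass' => 'constructed-password'];

foreach (['forged' => $forged, 'valid' => $valid] as $label => $req) {
    printf("%-6s register_globals=on: %s  superglobals: %s\n", $label,
        var_export(page_with_register_globals($req), true),
        var_export(page_with_superglobals($req), true));
}
```

Run it with the PHP command-line binary. Only the first function accepts the forged request, because its $authenticated flag is whatever the request put into scope.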
Originally posted by eva2000
libgdbm.la does exist at /usr/lib
It looks like that is just a warning... does the 'make' command work ok?
Ta :D
woohooo success!
Now - anyone know how to upgrade Zend?
--James
Chris, can ya help me as well? I'm still getting these errors, almost on all my VB pages:
PHP Warning: Unknown persistent list entry type in module shutdown (11) in Unknown on line 0
Looks like the 4.1.0 binaries for Windows are now posted as well, although getting them to download might be a problem as the site seems very overloaded right now :)
Originally posted by eva2000
seems like php.net is busy now..
Yes it was even slow very early this morning.... everyone's rushing to get the latest and greatest :)
well i ran make and make install anyway and guess what it worked!
I have PHP 4.1.0 on my raq4 server! :)
THANKS CHRIS! :D
Originally posted by Chris Schreiber
I have PHP 4.1.0 installed for over a day now and it's been running well. I left my php.ini setting as is for now.
Eva, what ./configure command are you using, what version of GD do you have installed, and where?
well this is my current phpinfo which has gd 1.3.4
i installed GD 1.8.4 for php 4.1.0 but it no longer has a configure option so i did make, make install for gd 1.8.4 which placed gd in /usr/local/include
i think i broke my current gd libraries somehow though since an image gallery script i have using gd libraries no longer works
the configure command i used the same as existing one
./configure --prefix=/usr --with-mysql --with-apxs=/usr/sbin/apxs --with-gettext=/usr --enable-safe-mode --with-config-file-path=/etc/httpd --with-exec-dir=/usr/bin --with-zlib --with-gd --enable-magic-quotes --with-regex=system --with-ttf=/usr/lib/libttf.so --enable-track-vars --enable-xml --disable-debug --with-db --with-interbase=shared --with-pgsql=shared --with-ldap --with-imap
well i tried over a dozen times to upgrade php 4.1.0 from 4.06 on my raq4 server but even after installing the latest freetype2, jpeg, libpng and gd libraries i get this error on the make command in php 4.1.0 directory
pic -c gd.c
In file included from gd.c:36:
php_gd.h:69: warning: static declaration for `gdImageColorResolve' follows non-static
gd.c:92: conflicting types for `gdIOCtx'
/usr/local/include/gd_io.h:18: previous declaration of `gdIOCtx'
gd.c: In function `zif_imagecreatefromgif':
gd.c:1203: `gdImageCreateFromGif' undeclared (first use in this function)
gd.c:1203: (Each undeclared identifier is reported only once
gd.c:1203: for each function it appears in.)
gd.c: In function `zif_imagegif':
gd.c:1432: `gdImageGif' undeclared (first use in this function)
make[3]: *** [gd.lo] Error 1
make[3]: Leaving directory `/usr/local/src/php-4.1.0/ext/gd'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/php-4.1.0/ext/gd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/php-4.1.0/ext'
make: *** [all-recursive] Error 1
it's to do with gd library, that's all i know :(
any ideas ? is it to do with php trying to look for all copies of gd.c on the server ?
i have a copy in /usr/local/src/php-4.06/ext/gd which is my current install of php 4.06
Originally posted by Chris Schreiber
It looks like that is just a warning... does the 'make' command work ok?
my mistake that error is when i run make after the ./configure commands
Originally posted by Silviu
I am running MySQL 3.23.43. Perhaps upgrading to MySQL 3.23.46a will help me ?
Upgrading is a good thing, but I don't think it will help (but I would be very happy if you proved me wrong :D)
Thanks Chris! :)
Originally posted by WildWayz
Any mirrors out there for linux and windows binaries?
I found www.us2.php.net to be the fastest mirror for me.
Just installed it on my Cpanel server... needed to upgrade cURL and some others but here is the command I used
./configure --with-apxs=/usr/local/apache/bin/apxs --with-xml --with-curl --with-swf=/usr/local/flash --enable-ftp --with-gd=../gd-1.8.4 --with-jpeg-dir=/usr/local --with-xpm-dir=/usr/X11R6 --with-png-dir=/usr --with-ming=../ming-0.2a --enable-magic-quotes --with-mysql --enable-safe-mode --enable-track-vars --with-ttf --enable-versioning --with-zlib
Does this look alright? http://www.insomnia-webhosting.com/phpinfo.php
--James
Originally posted by Silviu
PHP Warning: Unknown persistent list entry type in module shutdown (11) in Unknown on line 0
I'm not sure what's causing that, I didn't have that problem on my server, but I know some other people are getting it. Could you post a link to a phpinfo() page, and I can take a look at some things to see if I can figure out what might be causing the problem.
Originally posted by TommyBALL
Well, the ISAPI may be faster, but it still dies with a "PHP has encountered an Access Violation at ..." after about 20 minutes. Just like the old ISAPI module did. *going back to CGI again* :(
Aaargh! Just found the following in the php-bug-tracking system...
http://bugs.php.net/bug.php?id=13408
It's a known bug, and still unresolved :(
Regards
- TommyBALL
Well, the ISAPI may be faster, but it still dies with a: PHP has encountered an Access Violation at ... after about 20 minutes. Just like the old ISAPI module did. *going back to CGI again* :(
Yeap, something might be wrong. I disabled Zend Optimizer, still getting same errors :(
Still, the board is much faster :)
Ta - got it now :D
Anyone know the best way to install it on a Cpanel server?
--James
seems like php.net is busy now.. had to download 4.1.0 from
http://sg.php.net/downloads.php :)
Thanks for the phpinfo Silviu.... I couldn't see anything obvious, but I would try to disable the Zend Optimizer and see if you still get the errors. Otherwise, it might be something specific to the windows binary version of PHP 4.1.
damn - php.net is slow :(
Any mirrors out there for linux and windows binaries?
--James
Eva, try changing --with-gd to read --with-gd=/usr/local and see if that works.
Originally posted by Chris Schreiber
Eva, try changing --with-gd to read --with-gd=/usr/local and see if that works.
well that worked and managed to get further on into the configure command being run but stopped short on this error
libtool: link: warning: library `/usr/lib/libgdbm.la' was moved.
libtool: link: warning: library `/usr/lib/libgdbm.la' was moved.
make[1]: Leaving directory `/usr/local/src/php-4.1.0'
Making all in pear
make[1]: Entering directory `/usr/local/src/php-4.1.0/pear'
make[1]: Leaving directory `/usr/local/src/php-4.1.0/pear'
any ideas ?
libgdbm.la does exist at /usr/lib
thanks :)
I am running MySQL 3.23.43. Perhaps upgrading to MySQL 3.23.46a will help me ?
Just installed 4.10 for win, along with zend optimizer for 4.10. The board is amazingly fast now :)
Still... I'm getting this error from time to time:
PHP Warning: Unknown persistent list entry type in module shutdown (11) in Unknown on line
I have PHP 4.1.0 installed for over a day now and it's been running well. I left my php.ini setting as is for now.
Eva, what ./configure command are you using, what version of GD do you have installed, and where?
Woohoo! I've been waiting for "ages" for this new release. Now, I'll just have to wait for the Windoze binary release :o
Thanks Chris :)
I'm waiting for APC Cache to support PHP 4.1.0... Some of the source needs to be modified to fit into the different framework that this new version is under...
...unless someone here already did it? Nobody on the mailing list for apc has done anything yet.. :(
Interesting they hype Windows performance as being one of the major pros for this release, yet the Windows binary doesn't even exist yet! :D
So has anyone installed it, left their existing php.ini file intact, and found everything ran exactly as before without problems? Did it have a major performance boost?
Note that Zend Optimizer 1.2.0 is out now as well, and "Incorporates a complete set of bug fixes making it run faster and smoother".
Originally posted by WildWayz
Does this look alright? http://www.insomnia-webhosting.com/phpinfo.php
Looks peachy to me :)
wow :cool:
thanks Chris for the heads up :)