PHP 5.2.2 and 4.4.7 Released

daeg writes "PHP 5.2.2 and 4.4.7 have been released with a plethora of security updates. Many of the security notifications come from the Month of PHP Bugs effort, and range from double freed memory to bugs in functions that allow attackers to enable register_globals, to memory corruption with unserialize(), to input validation flaws that allow e-mail header injections, with an unhealthy sprinkling of other bugs and flaws fixed. All administrators that run any version of PHP are encouraged to update immediately."

I want to see someone claim again

[suv4x4 (956391)]

I want to see someone claim that the "month of bugs" projects harms the products involved. From what we saw with Apple and PHP, they finally closed holes gaping for many previous versions.

Now if only could PHP also fix their performance and inconsistencies..

Re:

[KidSock (150684)]

I want to see someone claim that the "month of bugs" projects harms the products involved. From what we saw with Apple and PHP, they finally closed holes gaping for many previous versions.

Now if only could PHP also fix their performance and inconsistencies..

There's nothing "gaping". All the "month of bugs" were non-critical stuff pumped up by Esser for whatever reason I don't know. For example, there were a number of bugs that required the attacker to be able to supply their own code. If the attacker can su

Re:

[suv4x4 (956391)]

At first I thought you were trolling but from your "fix their performance" statement I realize you just don't know what the hell you're talking about.

Right. PHP's the fastest language out there, as proven in this test [debian.org].

Re:

[nxtw (866177)]

That's pretty damning... If C# and Mono are faster, I can only imagine that MS's CLR would be even faster. Java's results vs. PHP are very similar.

Perl is usually better [debian.org] as well, as is Python, Tcl, etc.

In PHP's defense, how does performance compare once some sort of accelerator is involved? Are those fancy output caching engines or do they actually precompile/cache the code or something like that?

Re:I want to see someone claim again

[suv4x4 (956391)]

In PHP's defense, how does performance compare once some sort of accelerator is involved? Are those fancy output caching engines or do they actually precompile/cache the code or something like that?

When you run a PHP file, there are two stages of execution:
[build a parse tree from the source and output bytecodes] [interpret the bytecodes]

The accelerators cache the bytecodes, so next time they are loaded (usually from RAM) and interpreted directly.

However compare with what you get with the CLR by default:
[a compiler builds the parse tree and outputs bytecodes] [opcodes are compiled to machine code] [natively run machine code linked to a runtime library]

You basically never ever repeat the first step more than once there, and in some cases the second. And running as native code is hella faster. A big problem with PHP is it abuses string hashes and fails to do early binding where appropriate (indexed serial arrays, class objects and methods etc.).

So everything you reference in PHP requires a bunch of hash lookups. It's terrible.

Re:

[cortana (588495)]

Surely in a real-world situation you would run the C# app in a separate process and proxy requests from your frontend web server to the separate process via HTTP, FastCGI or SCGI.

Or perhaps even build an interpreter into the web server itself (mod_mono).

Spped problems eliminated.

Re:

[cheater512 (783349)]

In fact, IIRC Mono doesn't even support working as CGI,

Uhh...Anything can run as CGI as long as it can be executed.

Heck you can make a bash script output your website for you. Or even QBASIC.

Re:I want to see someone claim again

[digidave (259925)]

The raw speed of PHP isn't very relevant. It's a language for low to mid-range web apps that is flexible enough to do high-end web apps as well. If your PHP app is slow it's probably due to poor programming or poor database indexing or design. PHP usually takes request data, gathers a database result, shuffles around some data, then displays an HTML page. It's easily fast enough for its purpose.

There are plenty of good criticisms for PHP (and every other language), but performance is only a factor in PHP web apps when the programmers do really stupid things.

Re:

[jsebrech (525647)]

The raw speed of PHP isn't very relevant. It's a language for low to mid-range web apps that is flexible enough to do high-end web apps as well. If your PHP app is slow it's probably due to poor programming or poor database indexing or design. PHP usually takes request data, gathers a database result, shuffles around some data, then displays an HTML page. It's easily fast enough for its purpose.

What's also important is that PHP is meant to be parallelized, which lets it scale better to higher traffic. The l

Re:

[Bill, Shooter of Bul (629286)]

Their framework has terrible speed on their own language.

care to site benchmarks? I saw one that had zend framework doing horribly as well. They were using version 0.4 beta. They're up to .92 beta now. From what I've heard on the news groups its doing better. Take a look at the language shoot out for comparison. Its still much faster than ruby.

Re:

[crayz (1056)]

Yup. And as an ex-PHP coder, I spend about 1% of my time lamenting the performance hit from switching to Ruby. The other 99% of the time is spent glad I'm not using that nightmare of a language any more

Re:I want to see someone claim again

[RzUpAnmsCwrds (262647)]

At first I thought you were trolling but from your "fix their performance" statement I realize you just don't know what the hell you're talking about.

Right. PHP's the fastest language out there, as proven in this test.

You're comparing two completely differnet language types. You might as well compare Java and C++.

Compared to other interpreted (e.g. parse tree is built on the fly rather than by a compiler) languages like Python or Ruby, PHP is about average.

Compare PHP to the CLR (or Mono) or to the JRE, and PHP is going to be way slower.

But calling PHP slow because of some benchmark is just bull. Yes, Java or .NET is faster, and if you're writing an application that does a lot of crunching, by all means you should use a platform that is good at it. There are plenty of good reasons to choose J2EE or ASP.NET over PHP, but performance just isn't one of them in a lot of applications.

The Wikimedia Foundation runs Wikipedia (the 10th most popular website in the world) with PHP and 123 commodity PC servers. What does that prove? It proves that application design and system architecture is FAR more important than what platform you choose. You can run benchmarks all day long, but that doesn't change the fact that Wikipedia does far more with far less than most websites out there - and they do it with PHP.

I serve over 10 million pageviews a month on WS Network [wikinote.com] using PHP, MySQL, and a virtual server with 50MB of memory, a fraction of a 2.4GHz P4, and 100MB of swap. My informal load testing indicates that I could handle as many as 30 pageviews per second (80 million per month) with my current hardware and DB setup.

Maybe I could do more with J2EE or ASP.NET (or, perhaps I could do far less - ASP.NET and J2EE aren't as easy on memory as PHP for small apps). But the fact is that I am doing a hell of a lot already considering the very limited hardware I'm running on.

PHP code execution performance is not, and has never been, a major issue in my experience. It's the same way with Python, Perl, Ruby, and any other "scripting" language. The fact is, you're not going to write an H.264 codec or a PS3 game in Python. But many, many applications are not constrained by CPU performance. 8-core servers are now cheap. 16-core servers will be soon. Changing your language might give you 10x better performance. But architecture and algorithm improvements will probably get you much, much more.

"Performance isn't a problem until it's a problem."

Re:I want to see someone claim again

[shish (588640)]

The Wikimedia Foundation runs Wikipedia (the 10th most popular website in the world) with PHP and 123 commodity PC servers. What does that prove?

Throwing more hardware at a problem will solve anything \o/

I'm running a service which was originally PHP on a throwout box in the corner of my bedroom -- after a few months, the service was so popular the box was in a state of slashdottedness 24/7. I then moved to a shared host, where it ran happily for about a year, until it got so big it started breaking their uber-servers too. I have now rewritten it in python, and moved back to hosting it myself :P

Comparing mono with C# is unfair

[anss123 (985305)]

Mono is a byte compiled language, not interpreted. Even so, PHP is still beaten quite badly by Perl. (In those benchmarks)

Re:I want to see someone claim again

[arodland (127775)]

For example, there were a number of bugs that required the attacker to be able to supply their own code. If the attacker can supply their own code, they can just call popen() or system() and dispense with all the hoopla required to compermise the worker and inject shellcode.

Well actually... no.

PHP enjoys overwhelming popularity in shared-hosting environments, where you put a lot of users on one server, and the users supply the code, but you don't really trust the users. You don't want them to compromise other users' reliability, or break your server, or do anything very interesting... but you still have to let them run their code because that's what the service is. So PHP comes with all sorts of features to facilitate this... "safe mode" and the like. But if there are security issues all through PHP that poke holes in this security model, then you find yourself in a microsoft-esque situation where the security isn't real at all, and you're screwed. Not so pleasant.

Re:I want to see someone claim again

[CopaceticOpus (965603)]

This is where we need to draw a line when talking about how good PHP's security is. For the case of a PHP developer running his own trusted code on a server, PHP can be very secure if the code is well written. That's the developer perspective. The other case is the PHP hosting company or system admin, running other people's untrusted code. In that case, the situation is much trickier. It may be possible to host that code securely, but it will take a lot of work and paying attention to security notices.

So how worried you should be about PHP security comes down to whether you'll be running your own code you trust, or hosting someone else's code you don't trust.

Re:

[cortana (588495)]

If you rely on safe mode to protect your system from your users, and your users from each other, then you have already failed.

The only way to get this kind of security is to rely on the operating system to provide it for you; this is done by running PHP interpreters belonging to different security contexts as seperate users.

With such a setup, the worst the user can do is screw up their own files (boo hoo!). :)

Re:

[nahdude812 (88157)]

The PHP developers acknowledge that safe mode is a failure and PHP6 will not offer this feature. It was never meant to really be a complete sandbox environment, just a way to give a higher-than-usual level of isolation. People took this and expected more out of it than it was really designed to deliver, then criticized it for not being what they hoped it would be. It is already recommended that you use Xen or some other virtualization layer if you wish to sandbox your users.

Re:

[Bert64 (520050)]

Thats why you use something like mpm-peruser...
That way, all the PHP code is executing as the individual web hosting user, and not as the global apache user. Thus:
A bug in one user's site compromises their own account, but cannot mess with any of the other accounts.
You cant stop users running buggy code, and its their own fault if they do. But you certainly should keep that code in a sandbox.

Re:

[laffer1 (701823)]

Its nice to find someone else who sees inconsistency problems with PHP. For those of you PHP users who don't see it, if I have to change code to make things work with PHP then a new release is not compatible with an old release. There are also some oddities in the API. PHP often gets a free pass because its open source and one of the earlier ASP like alternatives.

I think the month of bugs helps consumers in the long term, but its certainly a bitch for the vendor to get flooded with tons of holes at once.

Re:

[laffer1 (701823)]

Sometimes you don't have a choice but to run crap. Either you get stuck on a product before you know its crap and its difficult to migrate or your boss mandates that you install crap.

Besides, if Zend added the code to begin with how does one seperate what is going to go away from what is useful? Are they supposed to read minds? Seems very much like random windows apis that disappear or change.

Re:

[omeomi (675045)]

Now if only could PHP also fix their performance and inconsistencies..

Care to provide examples of either?

Re:

[Dragonslicer (991472)]

I can't speak specifically about performance problems, since I know pretty much nothing about the engine itself, but anyone that doesn't think PHP has consistency issues doesn't use the language enough. There's some pretty serious inconsistency in function naming, though that's pretty much limited to functions that have been in the language for several major versions (array and string functions especially). PHP5 is a huge improvement over older versions, but it would still be nice to be able to completely g

Re:

[omeomi (675045)]

Oh, you just mean naming conventions are inconsistent? I thought you were saying that, for instance, code written in one version of PHP doesn't work in a later version. That's a problem I haven't had. Upgrades have generally been pretty painless for me. And I've found PHP performance to be pretty good. My primary comparisons are with Perl and ColdFusion though, so maybe ASP is a lot quicker, and I just don't know it...

Re:

[Dragonslicer (991472)]

Yeah, the PHP devs have always put a lot of emphasis on maintaining backwards compatibility. Unfortunately, that has the down side of not being able to fix a lot of mistakes that were made in the past.

Examples of PHP inconsistency and performance

[Snover (469130)]

Sure, I'll give you some.

Inconsistent function naming (underscores):

substr_compare() vs.
strcmp()

More inconsistent function naming (verb location):

file_get_contents() vs.
get_html_translation_table()

Even within the same extension:

imagesetstyle() vs.
imagecolorset()

Flipped haystack and needle:

strpos(haystack, needle) vs.
in_array(needle, haystack)

Speed:

Scutigena Computer Language Performance Comparison [sourceforge.net] (see graphs)
There used to be another site that you could compare one language's speed relative to another that also showed PHP as one of the slowest. I can't seem to find it now, though. Also PHP5 might compare a bit more favourably, but this is all I could find after a quick Google search. Perhaps more importantly, PHP drags the speed of other things down (like Apache), since even though the core is supposedly thread-safe, nobody seems to know which extensions are and aren't, so eg. Apache needs to be run in prefork mpm instead of using a threaded mpm.

I think PHP is overall a fairly decent language; I've used it for many years with great success. But it does have major problems, and it would be nice for them to get fixed instead of pushed aside. (I read some minutes from a PHP 6 meeting a while ago where they touched on the issue of consistency, and the PHP Group decided that it wasn't important enough to fix. It's really annoying to me to need a PHP-aware IDE or a manual always handy to program in a language because the arguments and function names are so non-uniform.)

Re:

[Renegade88 (874837)]

There used to be another site that you could compare one language's speed relative to another that also showed PHP as one of the slowest.

Yep, there still is. I think you are thinking about this one:
Computer Language Benchmarks Game [debian.org]>

That site features 19 programs implemented in 33 languages. Each program stresses something. You can see relative execution times and memory use, and it lets you pit one specific language and another and see how they compare.

Yes, PHP loses in pretty much every perfo

Re:Examples of PHP inconsistency and performance

[jsebrech (525647)]

Perhaps more importantly, PHP drags the speed of other things down (like Apache), since even though the core is supposedly thread-safe, nobody seems to know which extensions are and aren't, so eg. Apache needs to be run in prefork mpm instead of using a threaded mpm.

This is my main beef with PHP. They have their head in the sand with regards to server configuration.

Case in point: the company I work for sells PHP-based service center and reservations systems to large companies. These companies generally have windows-based server infrastructures, so we have to deploy on windows/IIS. If you look at the suggested configuration for PHP on IIS in the PHP manual, you'll find this page [php.net], which explains regular CGI and ISAPI (multi-threaded) configurations. What the manual doesn't tell you is that neither of these configurations actually work in production environments. Regular CGI configurations are too slow (on windows), and ISAPI is too unreliable (customers that deployed with ISAPI configurations suffered daily server hangs).

The only viable configuration for production IIS servers, as it turns out, is FastCGI, which is not documented in PHP's manual section on IIS configuration. Their documentation actively misinforms people on how to configure PHP. That's bad.

Bad release practices

[daeg (828071)]

I no longer use PHP, but these two releases highlight one of the things I hated the most about PHP. Every release, even minor "bugfix" releases (5.2.1 to 5.2.2) always do more than fix security and blocker bugs. That means that even if you're only updating to fix the mail() function, you have to run your entire site/system through testing to ensure the update didn't mysteriously break something else.

See, for example, the 4.6.6 release notes [php.net]:

The PHP development team would like to announce the immediate availability of PHP 4.4.6. This release addresses a crash problem with the session extension when register_globals is turned on that was introduced in PHP 4.4.5. This release comes also with the new version 7.0 of PCRE and it addresses a number of minor bugs.

That means that 4.4.5 introduced a major crash problem in a module every PHP website uses. How does that get missed? Also, why does that release also simultaneously bundle a new library version AND fix other "minor bugs"? Release the crash fix and that's it! Keep new features/minor bug fixes to point releases (4.5), not minor point versions.

Thank god Python doesn't do that. At least they keep all the big changes to individual versions!

Re:

[atrus (73476)]

I've personally always hated this too. They can't keep anything straight, and the core of PHP is a giant ball of inconsistency. I used to write PHP code. I mainly do Java with some Python or Perl on the side. All of them are far better in tools and workability than PHP. PHP just seems to outright encourage sloppy "just make it work" programming, which leads to all sorts of really really bad PHP "programs" (though some are good, when they're not weighed down by the language).

Re:Bad release practices

[Ambush Commander (871525)]

What you're missing is that fact that PHP uses the three digit version numbering system to mean something slightly different than what you're used to. Increments in the 0.x.0 number indicate, besides major changes in the language, that extension compatibility was broken and thus they need to be recompiled (to see a great example of this, check PHP 4.4). 0.0.x releases do contain feature releases, but you don't have to worry about extensions breaking.

Firefox does the same thing too, except they end up stepping on extension authors feet when they increment the third version number! That's why they introduced a fourth number 0.0.0.x for memory leak / security fixes. But Firefox has the luxury of an auto-update system: something PHP doesn't have. It is in both sysadmin's and PHP's developer's best interests to not be releasing new versions every other week.

Re:

[elronxenu (117773)]

Hmm, wouldn't they be better off with X.Y.Z, where:

• X means "functionality improvements" (relative to X-1)
• Y means "bugs fixed" (relative to X.Y-1)
• Z means "security fixes" (relative to X.Y.Z-1)

?

Re:Bad release practices

[Dragonslicer (991472)]

Yeah, I hate to admit it, but release management hasn't been the PHP developers' strength lately. I think 5.1.0 might have been the biggest screwup, where, after I think 7 release candidates, somebody committed new code a few days before the final release that created a builtin class named 'Date'. The thousands of people that used the PEAR class named 'Date' weren't too happy. In an amusing twist of irony, the developer that committed the code was a staunch opponent of adding namespaces to PHP.

Re:

[TooMuchToDo (882796)]

Any online resources or books you could suggest to help someone looking to write web apps in Python?

Re:

[daeg (828071)]

As a good start, i recommend Django [djangoproject.com]. It's a nice framework that takes care of a lot for you, but still lets you write Python. They have a few tutorials as well as a good community and an ongoing project, The Django Book [djangobook.com]. I transitioned directly from PHP to Python without any books. Most coding forms transition directly over to Python. As you learn more Python, you'll find shortcuts, e.g., the list constructs and lambda functions.

I also recommend reading over PEP 0008 [python.org], the "standard" coding structure for the

Re:

[VGPowerlord (621254)]

Ugh... the old spaces vs. tabs debate.

I used to fall on the spaces side until I realized how iritating it is to respace things when you move down an indentation level and you're not using an IDE.

I've been a staunch tab supporter ever since.

It's not just that, either. If one uses tabs, then anyone else who has to edit it can set the tab size to whatever they wish. If Paul has a super widescreen monitor and wants his tab size set to 16 characters, more power to him! If George has a super small monitor and

Re:

[cortana (588495)]

Basically the problem is that there are a lot of people out there that don't know how to use their editors; and a lot of broken editors that default to inserting 8 spaces when the user presses the tab key.

The Tab key is not a shortcut for pressing space 8 times, damnit!

Re:

[Dragonslicer (991472)]

I usually hate to comment on moderation, but I don't quite see how this is flamebait. Nobody in their right mind has used register_globals for several years now (well, anybody that knew what they were doing never used them at all, but some of us were still newbies back then). It really is a giant bug just waiting to happen.

Re:

[cortana (588495)]

Yeah and one effect of that is that lot of old crappy PHP 'applications' reimplement it themselves... *bashes head against wall*

Hate to whine, but...

[Jasin Natael (14968)]

I failed to include support for curl when 5.2.1 came out and just spent close to an hour waiting for PHP 5.2.1 to compile, yesterday. Guess it's time to run ./configure again.

Most of these bugs are completely preventable

[chatgris (735079)]

There is really no excuse for those memory bugs. There are free, simple tools that check C code and memory management (and php itself is written in C).

"double freed memory to bugs in functions that allow attackers to enable register_globals, to memory corruption with unserialize()"

The authors of php should use valgrind, and with a few test cases, could virtually eliminate memory errors.

Memory errors have been around for so long that there are numerous tools for dealing with them, many of them free. I know

Re:You must be mistaken.

[MrMunkey (1039894)]

I'm not sure if you had some /sarcasm there or not. I'll assume not and say that you're partly right.

I'm a PHP developer. I love PHP because I haven't come across anything that I can not do with it yet. Does that mean it's the best programming language ZOMG 3V3R! No. PHP is a pretty good general purpose web scripting language. Like all the other languages out there, it has bugs or features that haven't been implemented or thought of yet, and that's why there are version numbers.

PHP does suffer some of the same issues that C++ has suffered in the past, and they are due to the fundamental ideas of the project. PHP doesn't have a framework for you to do everything. I guess that mostly comes up with ASP and probably Ruby, but I'm a little under read on Ruby. Much like the C++ vs. Java debate, C++ makes you do things yourself (or at least you need to know about the community projects that make life easier... like smart pointers and the like). That's pretty much the same with PHP. You have the base functions, and there are extensions you can get to help, but MVC and other parts of frameworks are left for you to decide what you want or need for your project.

So, with that in mind, security is also left up to the developer. PHP 5.2.x has made a lot of great strides in helping out by introducing the Filter extension and others. If people do not filter/escape the input/output from their pages, they're just opening up a can of worms. I'm a firm believer in saying it's easier to filter yourself than undo a filter that the system did for you automatically.

PHP has its issues, but I don't think it would be as popular as it is if PHP didn't serve a purpose and do it somewhat well.

Re:

[Jasin Natael (14968)]

For multi-threading, install a shared-memory cache, like apc, eAccelerator, or mmcache -- or use an in-memory table in your RDBMS. Now, you can spawn background tasks and monitor their progress or receive return values through the cache. You can even start a task as a server and keep it running indefinitely with set_time_limit(). I do plenty of unicode apps as UTF-8, and haven't had problems yet. If you're talking about UCS-2, then you have a good case. It's in development [php.net], but it's for PHP 6. Honestl

Re:

[Dragonslicer (991472)]

PHP never has any security problems, its just people writing bad software in it that gives it a bad reputation.

Are you implying that those two items are mutually exclusive? I would be very impressed with any software project beyond "Hello World" that has never had a security problem. Having said that, a lot of the negative reputation is because people who haven't written more than 10 lines of PHP code think that phpBB and phpNuke demonstrate the only possible way to write PHP. Any language that lets you ru

Re:

[Craig Maloney (1104)]

Here's a link to Secunia's Tomcat 5 advisories, one of which is a remote code buffer overflow exploit.
http://secunia.com/product/3571/?task=advisories [secunia.com]

So yes, while PHP's advisories are about 10 orders of magnatude more numerous than Tomcat's, it still "bug that would let a remote user execute code or change configuration settings or read files or doing a double-free or any of that kind of thing".

And trust me, it's just as easy to create fragile code in Java that can open your server like goatse as it is in

Re:

[VGPowerlord (621254)]

PHP is just some hyped, misdesigned, inconsistent, unproductive kinda tool.

Unfortunately, mod_php is still more programmer and administrator friendly than mod_perl, which probably explains why it has a higher usage rate.

Try Fastcgi

[TheLink (130905)]

If you don't need total control over how Apache behaves, use mod_fastcgi not mod_perl. For fastcgi typically the webserver forks off the webapp as a separate _persistent_ process and then they talk to each other via a socket (you could actually have the webapp on a separate machine, but I haven't had much need to do that yet). Fastcgi apps can be coded similar to CGI/mod_perl apps there's just a loop around the "Fastcgi accept" call.

With fastcgi you can use perl, python, ruby, C++ or whatever - just like yo

Re:

[VGPowerlord (621254)]

I've tried using Perl with FastCGI before. It bugged me that you have to manually loop the accept call. It means that you have to wrap any code written for plain CGI... something that mod_perl's Apache::Request does for you.

Re:

[TheLink (130905)]

Didn't bug me that much, coz I usually wanted to do some useful stuff before the loop, like make persistent database connections, initialize caches, set up logging to syslog, set up other stuff.

The mod_perl stuff tries to do the persistent DB stuff but in a kludgy untidy way that has a lot more gotchas. Same for PHP's mysql_pconnect. Go see people say "turn off persistent DB connections" in one answer and then "turn on persistent DB connections" in another answer ;).

I've tried mod_perl, FastCGI is cleaner,

Re:

[CopaceticOpus (965603)]

PHP is getting better. They are cleaning up security issues, and providing more and more of a solid core of capabilities. I just wish that the users were more excited about these developments. I can't understand why so many continue to develop in PHP4. Every change and step forward gets a mixed response.

Personally, I'm all for breaking conventions if it will result in making PHP a better language. I wish that they would bite the bullet and rename all the functions to follow a consistent style in PHP6. T