As you may already know, or will soon find out, MySQL has released a new version of their community server, 5.0.33. First of all, congratulations to the developers: any release is a lot of work, and finally pushing it out to the public is definitely an achievement. There are, however, some interesting and in my eyes less than positive developments pertaining to this release. As you can see from Kaj's announcement, as well as the state of MySQL's download page, pre-compiled binaries are no longer offered. The only files available for MySQL 5.0.33 are sources for *NIX and Windows platforms. While this is not an issue for *NIX users, where the lack of binaries will be resolved by the distros (and if not, a compiler is always available and compiling MySQL is not a big issue), it does pose a major problem for Windows users, who generally do not have access to a C/C++ compiler. This means that all the people who develop on Win32 and then deploy on *NIX machines will need to stick to older versions of the database for the dev environme...

Every web developer knows how to make a GET redirect; in fact, they have probably done it numerous times. However, very few people know that the same can be done for POST requests, in some instances completely transparently to the user. By itself this may not seem like an issue, but when you combine it with XSS it can be a very powerful tool for scamming users. Consider the following scenario. A user goes to a trusted site where XSS has modified the action field of the login POST form, pointing it to http://p0wn3d.com/post.php. When the user submits the form, the request goes to a 3rd party site, which captures the login credentials and then redirects the POST data to the original site. In the end, the user has no clue that something sinister has happened, because they never see p0wn3d.com. In fact, everything appears to have worked as intended. So how does this work? The ability to redirect a POST comes courtesy of the little known 307 redirect code, which in PHP can be forced in the following manner: [php] header("Location:...

The 2nd release candidate for PHP 5.2.1 is now available for download. The tarballs can be found here: http://downloads.php.net/ilia/php-5.2.1RC2.tar.bz2 (cc6024531e3d4058e32cf740e2fe535f) http://downloads.php.net/ilia/php-5.2.1RC2.tar.gz (3f89c31687762a39f1360b380dd315b4) Since the last release, over 30 different bug fixes were made, and the two pending patches relating to is_numeric_string() optimization and internal heap protection for the Zend Engine allocator were added. Another important change is that the memory limit is now always enabled; to accommodate this change, the default limit value was raised to 128 megabytes to avoid script breakage. We do not anticipate any regressions to be introduced by this RC, but I would still like to ask everyone to take a few minutes and test it against their code base. If you come across any issues, report them via http://bugs.php.net/ or reply to this blog post.
