Those of you monitoring the PHP development mailing list probably know that I've taken over from Andi as far as PHP 5.1 Release Management. Today I am happy to announce the second (yes, I know it's RC3) release candidate of PHP 5.1.0 is out and available for testing. You can grab the source snapshots from here: http://downloads.php.net/ilia/ If you have some spare time in the next week or two, please take a moment to try out 5.1.0 and see if it works with your code/programs. The majority of the test suite passes with this release, so the only remaining issues are those waiting to be discovered through "real-life" testing.

To all the people who carelessly claim that Cross Site Scripting (XSS) is not a real security problem, here is definitive proof that the threat is quite real. A very creative user of MySpace, Samy, created a little self-propagating worm via a stored XSS attack. He was able to inject raw HTML into his profile by breaking the normally disallowed keyword "javascript" into components, relying on IE to "combine" it back together when parsing the page. This code snippet then used XMLHttpRequest, usually used for Ajax, to issue a request in the background, carrying the viewer's own session, that would cause the viewer to transparently add Samy (the author of the trick) to their buddy list. The "worm" component of the hack used the same code to insert the attack HTML sequence into the profiles of compromised users, allowing the hack to propagate on its own. The attack process and why it was possible is explained in a fair amount of detail here. It should be noted that while Samy was careful not to cause any lasting damage, a more malicious person could have used the same code to do a w...
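The filter-bypass side of the story above is worth seeing in code. The following is an added example written for this post; it is not the MySpace code or Samy's payload. It contrasts a substring blocklist for "javascript" (the kind of check a split token slips past) with the same check after whitespace normalization, and with an allowlist sanitizer that never lets a style, event or URL attribute through at all. The separator used to split the keyword (a line break) is an assumption for illustration, as is the sample payload; the page does not state which characters the real worm used.

```javascript
// Added example, not code from the original post or from MySpace.
// Shows why a keyword blocklist fails against a split "javascript" token
// and what an allowlist sanitizer does instead.
// ASSUMPTION: a line break is used as the separator between "java" and
// "script"; the real separator is not stated on the page.

// A blocklist in the spirit of "the normally disallowed 'javascript'":
// returns true when the profile HTML would be accepted.
function naiveAllows(html) {
  return !/javascript/i.test(html);
}

// Same check after collapsing whitespace and control characters, roughly
// what a lenient HTML engine does before it interprets a URL scheme.
function normalizedAllows(html) {
  const collapsed = html.replace(/[\s\x00-\x1f]+/g, "");
  return !/javascript/i.test(collapsed);
}

// Allowlist approach: escape everything, then re-enable a fixed set of
// attribute-less tags. No attribute ever survives, so there is no place
// for a URL scheme or event handler, split or otherwise.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br"];

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function sanitizeProfile(html) {
  let out = escapeHtml(html);
  for (const tag of ALLOWED_TAGS) {
    // Only the bare forms "<tag>" and "</tag>" are restored; "<b onclick=..>"
    // stays escaped because it does not match "&lt;b&gt;" exactly.
    out = out.replace(new RegExp(`&lt;(/?)${tag}&gt;`, "gi"), `<$1${tag}>`);
  }
  return out;
}

// Constructed sample (not the real worm): a style attribute whose URL
// scheme is split so a plain substring match for "javascript" does not fire.
const SPLIT_PAYLOAD =
  '<div style="background:url(\'java\nscript:alert(1)\')">hi</div>';

// Constructed sample of ordinary profile markup that should survive intact.
const BENIGN = "<b>About me</b><br>I like <i>photos</i>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive blocklist accepts split payload:", naiveAllows(SPLIT_PAYLOAD));
  console.log("normalized check accepts it:", normalizedAllows(SPLIT_PAYLOAD));
  console.log("allowlist output:", sanitizeProfile(SPLIT_PAYLOAD));
  console.log("benign markup kept:", sanitizeProfile(BENIGN) === BENIGN);
}
```

The normalized check only closes the one gap shown here; browsers of that era tolerated many other encodings, which is why the allowlist is the version to deploy. Note that sanitizing markup does nothing about the second half of the attack: once script runs in a viewer's session, XMLHttpRequest calls carry that viewer's cookies, so the buddy-add request also needs its own protection (a per-request token that script on a profile page cannot predict).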

While coming back with friends from a photo trip this weekend, I've spotted this wonder navigating the parking lot of a shopping mall. I'd try to describe it, but in this case a picture is truly worth a thousand words. Definitely not something that you see every day.

I am happy to announce that the SQL Injection chapter from my book, Guide to PHP Security has been published on MySQL's developer zone. You can find this chapter here.

Here goes the second and hopefully the final release candidate prior to the final 2.7.3 release. Not a whole lot of changes, nearly all of them bug fixes. One welcome addition is the newly deployed Korean translation, which brings the number of FUDforum localizations to 24 (WOW!). Big thanks to all the people who have spent, and continue to spend, the time adding and updating the translations. This RC offers a small number of bug fixes, which is usually a good sign indicating we are nearing the final release. You can download the installer or upgrade script at the listed links. Some of the "main" changes include the following:
Updated the French translation.
Workaround for Solaris, whose glob() does not support GLOB_BRACE.
The message compactor is now fully operational.
Fixed a bug with search indexing when PostgreSQL is used.
Fixed a bug when posting a message to NNTP from the forum where the NNTP server requires authentication.