News Archive

PHP.net:
PHP 5.3.5 and 5.2.17 Released!
January 07, 2011 @ 07:10:29

On the main PHP site there's a new announcement about a critical update to both the PHP 5.2.x and 5.3.x series of releases, 5.3.5 and 5.2.17, correcting a problem that could cause a hang or crash from user input.

The PHP development team would like to announce the immediate availability of PHP 5.3.5 and 5.2.17. This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers. The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users are strongly encouraged to update their releases. While the problem only happens in certain circumstances, it can still be a huge problem since the data comes directly from the user. For more information about the issue see this post.

release bugfix crash freeze patch critical issue 32bit x86


Community News:
PHP Remote Exploit - Floating Point Issue Causes Freeze/Crash
January 06, 2011 @ 08:06:31

As reported by both The Register and Zend, there's a new remote exploit bug that possibly has something to do with the way 32-bit processors handle floating point numbers.

From Zend:

Due to the way the PHP runtime handles internal conversion of floating point numbers, it is possible for a remote attacker to bring down a web application simply by adding a specific parameter to a query string in their web browser.

The bug, found here on bugs.php.net, has been reproduced on Windows and 32-bit Linux systems and can cause the server to hang and/or crash as a result. The real issue comes from this bug in the x87 FPU design. The bug has already been fixed in the latest SVN versions (including 5.2, which recently reached end-of-life). A release to fix the issue should be coming shortly.

bug crash exploit floating point remote svn


Don Raman's Blog:
Call for testing a critical fix in WINCACHE RTW 1.0
January 22, 2010 @ 12:12:52

On his IIS.net blog Don Raman is asking for help in testing Microsoft's WinCache caching tool because of a critical fix they had to make to the current version.

There have been several instances where people using WINCACHE have reported problems while running it on the actual production server. They have complained that WINCACHE works very well on a development server but the users can see a crash (or different symptoms of it) while actually deploying it on a live production server.

There have been several reports of the issue where the site visitor gets an empty page back and WinCache will crash. For those wanting to get into the technical details, the post includes them or, if you just want to find out more about the bug, there's a few email addresses you can contact the WinCache team at.

wincache microsoft cache critical fix crash


techPortal:
Surviving a Plane Crash
April 23, 2009 @ 12:03:57

On the Ibuildings techPortal blog today there's a new article (a case study of sorts) on how to survive a plane crash. More specifically, a look at how the NU.nl news website handled the load as a result of the crash of a Turkish Airliner.

On February 25th, 2009, less than 90 days after the new infrastructure was rolled out, it was stress tested when a Turkish Airliner crashed at Schiphol. On that day the new site set a single day traffic record by serving up 21 million page views in a 24 hour time period, all without any noticeable slowdown and without having to bring additional hardware online to handle the additional load.

Their framework of choice, CodeIgniter, allowed them to create snippets of content - cached versions - that could be pulled and displayed without having to render them every single time. They looked into the Varnish project and an ATK-based CMS to piece it all back together.

cms atk varnish framework codeigniter load high crash plane website news nunl


Stefan Esser's Blog:
Suhosin Extension 0.9.17 released
March 05, 2007 @ 12:57:00

Stefan Esser has released the latest version of his Suhosin security patch for PHP:

Yesterday I released Suhosin 0.9.17 in response to a bug report by Ilia Alshanetsky and some crash problems with PHP 4 that were reported during the last weeks.

The issue dealt with a method to "bypass the hard_memory_limit of Suhosin due to a bug in PHP" that could result in memory consumption up into the gigabyte range for a single script. The patch takes care of the issue by not allowing negative memory_limit settings, preventing the problem from happening.

suhosin extension release memorylimit bug crash problem negative


PHP.net:
PHP 4.4.6 Released
March 02, 2007 @ 07:14:31

The PHP group has released the latest version of the PHP 4.4.x series today - PHP 4.4.6:

The PHP development team would like to announce the immediate availability of PHP 4.4.6. The main issue that this release addresses is a crash problem that was introduced in PHP 4.4.5. The problem occurs when session variables are used while register_globals is enabled. Details about the PHP 4.4.6 release can be found in the release announcement for 4.4.6, the full list of changes is available in the ChangeLog for PHP 4.

Head on over to your local downloads page to get this new release in either:

release php4 series crash problem session registerglobals


Ben Ramsey's Blog:
How To Teach PHP
October 13, 2006 @ 11:15:41

Based on some perspectives he gained at this year's PHP Appalachia event and at a Triangle-PHP meeting (talking with David Rasch), Ben Ramsey shares his thoughts on how to teach PHP, more specifically to those with some programming background, but not necessarily a lot of experience.

He (David) suggested that the format for teaching PHP needs to change and that these books need to start not by teaching PHP from the Web but by introducing newbies to PHP concepts by creating command-line applications. The idea being to introduce them early on to OOP and best practices, rather than trying to get them started fast with a simple "Hello, World" Web site.

For Ben, the idea was agreeable, but he wasn't sure on whether or not such an approach would take off with the current book market. He does agree with David, though, that things need to change.

As far as David, his thoughts can be best summed up with this post on his blog, talking about a way to learn PHP without some of the drudge they pass along with the lessons in some of the "Learn PHP Now!" kinds of books. He even includes a table of contents for such a book.

So, which is the better of the two? Well, book publishers still think the second (the give examples and teach practices too) is the proven formula for a good PHP book, but maybe a company out there could benefit from Ben and David's suggestion of a no-nonsense, clean, easy book that fosters an approach supporting the basics, not someone's opinion of good code.

teach programming developer crash course beginner fundamentals


Zend Developer Zone:
php|works - Day One Wrapup
September 13, 2006 @ 15:32:32

Cal Evans is attending this year's php/db|works conference up in Toronto and has reported back with his summary of the first day of the conference - "Tutorial Day".

Day One at php|works was dedicated to tutorials. Paul Reinheimer did a 6 hour crash course for those who wanted to take the Zend Certification Test here at the conference. I talked with three attendees at the Crash Course to get their opinion on how it was going. Cairan Walsh, who is not currently Zend Certified, found the course interesting although he thought maybe it was a bit too basic.

Cal notes that just about everyone that attended the "Crash Course" was pleased with the contents/teacher/etc. He also mentions his visits to the "Advanced XML and Web Services" and "Extending PHP" tutorials.

phpdbworks2006 wrapup day1 conference certification php5 crash course


PHP.net:
PHP 5.1.6 Released
August 24, 2006 @ 11:25:20

On the main PHP site there's a note about the latest release of the language - PHP 5.1.6.

The PHP development team would like to announce the immediate availability of PHP 5.1.6. This release contains a fix for memory_limit restriction on 64 bit systems that was not included in PHP 5.1.5.

They also corrected this bug, an issue with the "php://stdin" (and the like) functionality that caused crashes on Windows systems.

You can grab this latest update from the Downloads page in both the source and Windows binaries distributions.

release php5.1.6 memory_limit stdin windows crash


Hardened-PHP.net:
Zend Platform Multiple Remote Vulnerabilities
August 24, 2006 @ 07:58:24

According to this new advisory on the Hardened-PHP project's site, there are some issues with the Zend Platform product that could cause a number of security issues because of malformed session IDs.

During the development of suhosin, which is our new PHP protection module, several compatibility tests with binary 3rd party PHP extensions like the Zend Platform and the Zend Optimizer have been made. When testing the session protection features of suhosin, we discovered that the session clustering system, which is shipping with the Zend Platform is vulnerable to several different attacks.

They mention a few things a potential attacker could use this issue for, including crashing the session daemon, remote code execution, and being able to view and write files of their choice (like session files) to execute malicious code.

The details are listed out, but a "proof of concept" isn't published for this exploit. Thankfully, Zend has already provided a patch for the issue which can be downloaded at Zend's website (an upgrade to version 2.2.1a).

vulnerabilities zend platform remote session execution crash




All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework