PHP is a popular general-purpose scripting language that is especially suited to web development.

Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

PHP 5.6.0 released

The PHP Development Team announces the immediate availability of PHP 5.6.0. This new version release comes with new features, some backward incompatible changes and many improvements.

The main features of PHP 5.6.0 include:

For a full list of new features, you may read the new features chapter of the migration guide.

PHP 5.6.0 also introduces changes that affect compatibility:

  • Array keys won't be overwritten when defining an array as a property of a class via an array literal.
  • json_decode() is more strict in JSON syntax parsing.
  • Stream wrappers now verify peer certificates and host names by default when using SSL/TLS.
  • GMP resources are now objects.
  • Mcrypt functions now require valid keys and IVs.

For users upgrading from PHP 5.5, a full migration guide is available, detailing the changes between 5.5 and 5.6.0.

For source downloads of PHP 5.6.0, please visit our downloads page. Windows binaries can be found on windows.php.net/download/. The full list of changes is available in the ChangeLog.

PHP 5.5.16 is released

The PHP Development Team announces the immediate availability of PHP 5.5.16. This release fixes several bugs against PHP 5.5.15 and resolves CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120 and CVE-2014-3597.

All PHP users are encouraged to upgrade to this new version.

For source downloads of PHP 5.5.16, please visit our downloads page. Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

PHP 5.4.32 Released

The PHP development team announces the immediate availability of PHP 5.4.32. 16 bugs were fixed in this release, including the following security-related issues: CVE-2014-2497, CVE-2014-3538, CVE-2014-3587, CVE-2014-3597, CVE-2014-4670, CVE-2014-4698, CVE-2014-5120. All PHP 5.4 users are encouraged to upgrade to this version.

For source downloads of PHP 5.4.32 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

Last 5.3 release ever available: PHP 5.3.29 - 5.3 now EOL

The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5.

For source downloads of PHP 5.3.29, please visit our downloads page. Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

For helping your migration to newer versions please refer to our migration guides for updates from PHP 5.3 to 5.4 and from PHP 5.4 to 5.5.

PHP 5.6.0RC4 is available

The PHP development team announces the immediate availability of the fourth and hopefully last release candidate of PHP 5.6.0. As we entered the feature freeze with beta1, this is a bugfix-only release. All users of PHP are encouraged to test this version carefully, and report any bugs in the bug tracking system.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

For more information about the new features you can check out the work-in-progress documentation or you can read the full list of changes in the NEWS file contained in the release archive.

For source downloads of PHP 5.6.0RC4 please visit the download page. Windows binaries can be found on windows.php.net/qa/.

The stable 5.6.0 release should show up on the 28th of August.

Thank you for helping us make PHP better.

PHP 5.6.0RC3 is available

The PHP development team announces the immediate availability of the third release candidate of PHP 5.6. As we entered the feature freeze with beta1, this is a bugfix-only release. All users of PHP are encouraged to test this version carefully, and report any bugs in the bug tracking system.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

For more information about the new features you can check out the work-in-progress documentation or you can read the full list of changes in the NEWS file contained in the release archive.

For source downloads of PHP 5.6.0RC3 please visit the download page. Windows binaries can be found on windows.php.net/qa/.

Our next Release Candidate should show up on the 14th of August.

Thank you for helping us make PHP better.

Our modern web theme goes live!

The PHP web team are delighted to announce the launch of the new web theme that has been in beta for many months. Lots of hard work has gone into this release and we will be continually improving things over time now that we have migrated away from the legacy theme.

From an aesthetics point of view the general color scheme of the website has been lightened from the older dark purple. Lots of borders and links use a similar purple color to attain consistency. Fonts are smoother, and colors, contrast and highlighting have significantly improved; especially on function reference pages. Code examples should now be much more readable.

The theme is marked up using HTML5 and is generally much more modern. We are using Google Fonts and Bootstrap for our theme base.

To provide valuable feedback, you can use the 'Feedback' widget on the side of the page (not visible on smartphones) and to report bugs, you can make use of the bugs.php.net tracker. Despite our extensive multi-device/multi-browser testing, we may have missed something. So, if you spot any issues please do get in touch.

Special thanks to the guys who helped make this happen, you know who you are!

A further update on php.net

We are continuing to work through the repercussions of the php.net malware issue described in a news post earlier today. As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time.

All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.

As it's possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.

To summarise, the situation right now is that:

  • JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
  • Neither the source tarball downloads nor the Git repository were modified or compromised.
  • Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
  • SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.

Over the next few days, we will be taking further action:

  • php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.

We will provide a full post mortem in due course, most likely next week. You can also get updates from the official php.net Twitter: @official_php.

A quick update on the status of php.net

On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js. This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging.

It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers. The highest priority is obviously the source code integrity and after a quick:

git fsck --no-reflog --full --strict

on all our repos plus manually checking the md5sums of the PHP distribution files we see no evidence that the PHP code has been compromised. We have a mirror of our git repos on github.com and we will manually check git commits as well and have a full post-mortem on the intrusion when we have a clearer picture of what happened.

Older News Entries

To Top