PHP 5.1.0 Release Announcement (version 5.1.0, 2005-11-24, stable)
The PHP development team is proud to announce the release of [PHP 5.1.0](/downloads.php).
Some of the key features of [PHP 5.1.0](/downloads.php) include:
- A complete rewrite of date handling code, with improved timezone support.
- Significant performance improvements compared to PHP 5.0.X.
- PDO extension is now enabled by default.
- Over 30 new functions in various extensions and built-in functionality.
- Bundled libraries, PCRE and SQLite upgraded to latest versions.
- Over 400 various bug fixes.
- PEAR upgraded to version 1.4.5
For a full list of changes in PHP 5.1.0, see the [ChangeLog](/ChangeLog-5.php#5.1.0).
In addition to new features, this release includes a number of important security fixes:
- Fixed a Cross Site Scripting ([XSS](http://www.cgisecurity.com/articles/xss-faq.shtml)) vulnerability in [phpinfo](/phpinfo)() that could lead, for example, to cookie exposure when a phpinfo() script is accidentally left on a production server.
- Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions.
- Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see [here](http://www.hardened-php.net/globals-problem)).
- Fixed a problem when a request was terminated due to memory_limit constraints during certain [parse_str](/parse_str)() calls. In some cases this can result in register_globals being turned on.
- Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names.
- Fixed an issue with calling [virtual](/virtual)() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir.
- Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in [CAN-2005-2491](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491).
- Fixed a possible header injection in the mb_send_mail() function via the "To" address, the first parameter of the function.
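
The trailing-slash item above comes down to prefix matching versus directory matching of an allowed basedir. The PHP sketch below is an added example, not code from PHP itself or from this announcement; the sample paths and the helpers `allowed_as_prefix()`, `allowed_as_directory()` and `normalize()` are hypothetical.

```php
<?php
// Added illustration, not PHP's open_basedir code; paths and helpers are made up.

// Prefix semantics: the allowed entry is compared as a plain string prefix.
function allowed_as_prefix(string $path, string $basedir): bool
{
    return strncmp($path, $basedir, strlen($basedir)) === 0;
}

// Directory semantics: a match must end on a path-component boundary.
function allowed_as_directory(string $path, string $basedir): bool
{
    $base = rtrim($basedir, '/');
    $dir = $base . '/';
    return $path === $base || strncmp($path, $dir, strlen($dir)) === 0;
}

// Lexically collapse "." and ".." before comparing (no symlink resolution).
function normalize(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($out);
        } else {
            $out[] = $part;
        }
    }
    return '/' . implode('/', $out);
}

$basedir  = '/var/www/site/';       // entry written with a trailing slash
$stripped = rtrim($basedir, '/');   // the entry once the slash is ignored
$samples = [
    '/var/www/site/index.php',              // inside the allowed directory
    '/var/www/site',                        // the directory itself
    '/var/www/site-backup/db.sql',          // sibling sharing the prefix
    '/var/www/site/../site-backup/db.sql',  // same sibling via ".."
];

foreach ($samples as $raw) {
    $path = normalize($raw);
    printf("%-38s prefix=%-5s directory=%s\n", $raw,
        var_export(allowed_as_prefix($path, $stripped), true),
        var_export(allowed_as_directory($path, $basedir), true));
}
```

The two sibling-directory rows print `prefix=true directory=false`, which is the difference between a basedir handled as a prefix and one handled as a full directory name.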
All users of PHP 5.0 and early adopters of 5.1 betas are strongly advised to upgrade to 5.1 as soon as possible. Furthermore, the 5.1 branch obsoletes the PHP 5.0 branch.
An [Upgrading Guide](/migration51) is available to ease the transition from prior PHP versions.

- pg_transaction_status() - in-transaction status of a database connection.
- pg_query_params() - execution of parameterized queries.
- pg_prepare() - prepare named queries.
- pg_execute() - execution of named prepared queries.
- pg_send_query_params() - async equivalent of pg_query_params().
- pg_send_prepare() - async equivalent of pg_prepare().
- pg_send_execute() - async equivalent of pg_execute().
- pg_result_error_field() - highly detailed error information, most importantly the SQLSTATE error code.
- pg_set_error_verbosity() - set verbosity of errors.

- array_diff_key() (Andrey)
- array_diff_ukey() (Andrey)
- array_intersect_key() (Christiano Duarte)
- array_intersect_ukey() (Christiano Duarte)
- array_product() (Andrey)
- DomDocumentFragment::appendXML() (Christian)
- fputcsv() (David Sklar)
- htmlspecialchars_decode() (Ilia)
- inet_pton() (Sara)
- inet_ntop() (Sara)
- mysqli::client_info property (Georg)
- posix_access() (Magnus)
- posix_mknod() (Magnus)
- SimpleXMLElement::registerXPathNamespace() (Christian)
- stream_context_get_default() (Wez)
- stream_socket_enable_crypto() (Wez)
- stream_wrapper_unregister() (Sara)
- stream_wrapper_restore() (Sara)
- stream_filter_remove() (Sara)
- time_sleep_until() (Ilia)

- general execution/compilation. (Andi, Thies, Sterling, Dmitry, Marcus)
- switch() statement. (Dmitry)
- several array functions. (Marcus)
- virtual path handling by adding a realpath() cache. (Andi)
- variable fetches. (Andi)
- magic method invocations. (Marcus)

- added constructor for mysqli_stmt and mysqli_result classes
- added new function mysqli_get_charset()
- added new function mysqli_set_charset()
- added new class mysqli_driver
- added new class mysqli_warning
- added new class mysqli_exception
- added new class mysqli_sql_exception

- Moved RecursiveArrayIterator from examples into extension
- Moved RecursiveFilterIterator from examples into extension
- Added SplObjectStorage
- Made all SPL constants class constants
- Renamed CachingRecursiveIterator to RecursiveCachingIterator to follow Recursive<*>Iterator naming scheme.
- added standard hierarchy of Exception classes
- added interface Countable
- added interfaces Subject and SplObserver
- added spl_autoload*() functions
- converted several 5.0 examples into c code
- added class SplFileObject
- added possibility to use a string with class_parents() and class_implements(). (Andrey)

- PCRE library to version 6.2. (Andrei)
- SQLite 3 library in ext/pdo_sqlite to 3.2.7. (Ilia)
- SQLite 2 library in ext/sqlite to 2.8.16. (Ilia)
- zlib 1.2.3
- curl 7.14.0
- openssl 0.9.8
- ming 0.3b
- libpq (PostgreSQL) 8.0.1

- ext/cpdf (Tony, Derick)
- ext/dio (Jani, Derick)
- ext/fam (Jani, Derick)
- ext/ingres_ii (Jani, Derick)
- ext/mnogosearch (Jani, Derick)
- ext/w32api (Jani, Derick)
- ext/yp (Jani, Derick)
- ext/mcve (Jani, Derick, Pierre)
- ext/oracle (Jani, Derick)
- ext/ovrimos (Jani, Derick, Pierre)
- ext/pfpro (Jani, Derick, Pierre)
- ext/dbx (Jani, Derick)
- ext/ircg (Jani, Derick)