PHP 7.0.7

PHP is a scripting language primarily suited for web applications. It's organically grown into a full-featured programming language, with huge semantic progress in recent years (apart from the namespace separator choice). Many features and extensions come built-in or can be dynamically loaded. Database interfaces, XML processing, regular expressions, networking and broad internet protocol support, IPC, internationalization, image manipulation, filesystem, contemporary cryptography support, file and data format support make the Zend-based PHP.net distribution the most general-purpose PHP runtime.

Tags php scripting programming-language web
License PHPL
State stable

Recent Releases

7.0.727 May 2016 01:20 major bugfix: Core: Fixed bug #72162 (use-after-free - error_reporting). Add compiler option to disable special case function calls. Fixed bug #72101 (crash on complex code). Fixed bug #72100 (implode() inserts garbage into resulting string when joins very big integer). Fixed bug #72057 (PHP Hangs when using custom error handler and typehint). Fixed bug #72038 (Function calls with values to a by-ref parameter don't always throw a notice). Fixed bug #71737 (Memory leak in closure with parameter named this). Fixed bug #72059 (?? is not allowed on constant expressions). Fixed bug #72159 (Imported Class Overrides Local Class Name). Curl: Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). DBA: Fixed bug #72157 (use-after-free caused by dba_open). GD: Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456) Intl: Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093) JSON: Fixed bug #72069 (Behavior JsonSerializable different from json_encode). Mbstring: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace). OCI8: Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns). Opcache: Fixed bug #72014 (Including a file with anonymous classes multiple times leads to fatal error). OpenSSL: Fixed bug #72165 (Null pointer dereference - openssl_csr_new). PCNTL: Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite). POSIX: Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL). Postgres: Fixed bug #72028 (pg_query_params(): NULL converts to empty string). Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype timestamp). Fixed bug #72151 (mysqli_fetch_object changed behaviour).
7.0.531 Mar 2016 14:30 major bugfix: Call-by-reference widens scope to uninvolved functions when used in switch, Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod, Global variables are reserved before execution, Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397, Strings used in pass-as-reference cannot be used to invoke C:: callable(, Segmentation fault on ZTS with date function (setlocale, Integer overflow in zend_mm_alloc_heap(, Leaked 1 hashtable iterators, ISO C does not allow extra ; outside of a function, yield from does not count EOLs, ReflectionMethod::getDocComment returns the wrong comment, php_strip_whitespace(, `php -R` (PHP_MODE_PROCESS_STDIN, Call-by-reference widens scope to uninvolved functions when used in switch, Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod, Global variables are reserved before execution, Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397, Strings used in pass-as-reference cannot be used to invoke C:: callable(, Segmentation fault on ZTS with date function (setlocale, Integer overflow in zend_mm_alloc_heap(, Leaked 1 hashtable iterators, ISO C does not allow extra ; outside of a function, yield from does not count EOLs, ReflectionMethod::getDocComment returns the wrong comment, php_strip_whitespace(, `php -R` (PHP_MODE_PROCESS_STDIN, Support MKCALENDAR request method, Support MKCALENDAR request method, Support constant CURLM_ADDED_ALREADY, Support constant CURLM_ADDED_ALREADY, DatePeriod::getEndDate segfault, DatePeriod::getEndDate segfault, Buffer over-write in finfo_open with malformed magic file, Buffer over-write in finfo_open with malformed magic file, Access Violation crashes php-cgi.exe, Access Violation crashes php-cgi.exe, AddressSanitizer: negative-size-param (-1, AddressSanitizer: negative-size-param (-1, Executing prepared statements is succesfull only for the first two statements, Executing prepared statements is succesfull only for the first two statements
7.0.118 Dec 2015 22:41 major bugfix: Several bugs have been fixed. Format String Vulnerability in Class Name Error Message. Compile fails on system with 160 CPUs. Symbol referencing errors on Sparc/Solaris. When using parentClass:: instead of parent::, static context changed. Segfault when combining error handler with output buffering. Weird error handling for __toString when Error is thrown. Invalid opcode while using ::class as trait method paramater default value. try finally can create infinite chains of exceptions. Two errors messages are in conflict. yield from incorrectly marks valid generator as finished. buildconf failure in extensions. SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions. Fixed int (or generally every scalar type name with leading backslash) to not be accepted as type name. Fixed exception not being thrown immediately into a generator yielding from an array. static::class within Closure::call() causes segfault. Incorrect exception handler with yield from. Fixed double free in error condition of format printer.
7.0.003 Dec 2015 00:00 major feature: PHP 7.0.0 comes with new version of the Zend Engine with features such as: Improved performance: PHP 7 is up to twice as fast as PHP 5.6. Consistent 64-bit support. Many fatal errors are now Exceptions. Removal of old and unsupported SAPIs and extensions. The null coalescing operator (??). Combined comparison Operator (). Return Type Declarations. Scalar Type Declarations. Anonymous Classes.
7.0.0rc124 Aug 2015 18:25 minor feature: PHP 7.0.0 RC 1 contains fixes for 27 reported bugs, and altogether over 200 commits with various stability improvements for database, array, assert, streams and other functionality. PHP 7.0.0 comes with new version of the Zend Engine with features such as: Improved performance: PHP 7 is up to twice as fast as PHP 5.6. Consistent 64-bit support. Many fatal errors are now Exceptions. Removal of old and unsupported SAPIs and extensions. The null coalescing operator (??). Combined comparison Operator (). Return Type Declarations. Scalar Type Declarations. Anonymous Classes.
7.0.0-alpha112 Jun 2015 21:35 major feature: PHP 7.0.0 Alpha 1 is a non-production development preview of the PHP7 major series with new version of the Zend Engine. The list of new features entails: Improved performance: up to twice as fast as PHP 5.6. Consistent 64-bit support. Many fatal errors are now Exceptions. Removal of old and unsupported SAPIs and extensions. The null coalescing operator (??). Combined comparison Operator (). Return Type Declarations. Scalar Type Declarations. Anonymous Classes.
5.6.1012 Jun 2015 21:25 minor bugfix: Temp. directory is cached during multiple requests, Conditional jump or move depends on uninitialised value in extension trait, Strange generator+exception+variadic crash, complex GLOB_BRACE fails on Windows, OS command injection vulnerability in escapeshellarg, Incorrect handling of paths with NULs, temp. directory is cached during multiple requests, Conditional jump or move depends on uninitialised value in extension trait, Strange generator+exception+variadic crash, complex GLOB_BRACE fails on Windows, OS command injection vulnerability in escapeshellarg, Incorrect handling of paths with NULs, Integer overflow in ftp_genlist(, Integer overflow in ftp_genlist(, GD fails to build with newer libvpx, GD fails to build with newer libvpx, iconv with //IGNORE cuts the string, iconv with //IGNORE cuts the string, Unchecked return value, Unchecked return value, mail(, mail(, ) (Leigh, ) (Leigh, Memory leak with opcache.optimization_level=0xFFFFFFFF, Memory leak with opcache.optimization_level=0xFFFFFFFF, CVE-2015-2325, CVE-2015-2326, CVE-2015-2325, CVE-2015-2326, phar symlink in binary directory broken, phar symlink in binary directory broken, segfault in php_pgsql_meta_data, segfault in php_pgsql_meta_data.
5.6.914 May 2015 00:00 minor bugfix: Wrong checked for the interface by using Trait, Invalid read in zend_std_get_method, "use statement ... has no effect" depends on leading backslash, Segmentation fault in gc_remove_zval_from_buffer, segmentation fault in destructor, Returning compatible sub generator produces a warning, php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA, PHP Multipart/form-data remote dos Vulnerability, CVE-2015-4024, str_repeat(, CVE-2006-7243 fix regressions in 5.4+, CVE-2015-4025, heap buffer overflow in unpack(, Wrong checked for the interface by using Trait, Invalid read in zend_std_get_method, "use statement ... has no effect" depends on leading backslash, Segmentation fault in gc_remove_zval_from_buffer, segmentation fault in destructor, Returning compatible sub generator produces a warning, php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA, PHP Multipart/form-data remote dos Vulnerability, CVE-2015-4024, str_repeat(, CVE-2006-7243 fix regressions in 5.4+, CVE-2015-4025, heap buffer overflow in unpack(, Integer overflow in ftp_genlist(, CVE-2015-4022, Integer overflow in ftp_genlist(, CVE-2015-4022, Incorrect use of SQLColAttributes with ODBC 3.0, ODBC: Query with same field name from two tables returns incorrect result, out of memory with sage odbc driver, Incorrect use of SQLColAttributes with ODBC 3.0, ODBC: Query with same field name from two tables returns incorrect result, out of memory with sage odbc driver, Reading empty SSL stream hangs until timeout, Reading empty SSL stream hangs until timeout, pcntl_exec(, CVE-2015-4026, pcntl_exec(, CVE-2015-4026, CVE-2015-2325, CVE-2015-2326, CVE-2015-2325, CVE-2015-2326, Memory Corruption in phar_parse_tarfile when entry filename starts with null, CVE-2015-4021, Memory Corruption in phar_parse_tarfile when entry filename starts with null, CVE-2015-4021
5.6.720 Mar 2015 23:45 major bugfix: Core: leaks when unused inner class use traits precedence. Crash in gc_zval_possible_root on unserialize. Segfault in get_current_user when script owner is not in passwd with ZTS build. Segfault when calling ob_start from output buffering callback. pointer returned by php_stream_fopen_temporary_file not validated in memory.c. Exception with invalid character causes segv. Missing arguments in reflection info for some builtin functions. Use After Free Vulnerability in unserialize(). (CVE-2015-0231) Per Directory Values overrides PHP_INI_SYSTEM configuration options. move_uploaded_file allows nulls in path. CGI: php-cgi's getopt does not see argv. CLI: auto_prepend_file messes up __LINE__. cURL: PHP_MINIT_FUNCTION does not fully initialize cURL on Win32. Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl. Ereg: heap overflow vulnerability in regcomp.c. (CVE-2015-2305) FPM: request time is reset too early. ODBC: Allowed memory size exhausted with odbc_exec. Opcache: Opcache causes problem when passing a variable variable to a function. Array numeric string as key. switch(SOMECONSTANT) misbehaves. OpenSSL: Segmentation fault at openssl_spki_new. encrypted streams don't observe socket timeouts. use strict peer_fingerprint input checks. IP Address fields in subjectAltNames not used. SAN match fails with trailing DNS dot. Add signatureType to openssl_x509_parse. Inconsistent stream crypto values across versions. pgsql: pg_update() fails to store infinite values. Readline: Null dereference in readline_(read write)_history() without parameters. SOAP: SoapClient's __call() type confusion through unserialize(). SPL: "Segmentation fault" when (de)serializing SplObjectStorage. RecursiveDirectoryIterator::seek(0) broken after calling getChildren(). ZIP: ZIP Integer Overflow leads to writing past heap boundary. (CVE-2015-2331)
5.6.419 Dec 2014 11:45 major bugfix: Some Zend headers lack appropriate extern "C" blocks, Segfault while pre-evaluating a disabled function, "Inconsistent insteadof definition."- incorrectly triggered, Inconsistency in example php.ini comments, "unset( this, Incorrect argument reflection info for array_multisort(, NULL pointer dereference in unserialize.c, Array constant not accepted for array parameter default, Use after free vulnerability in unserialize(, Some Zend headers lack appropriate extern "C" blocks, Segfault while pre-evaluating a disabled function, "Inconsistent insteadof definition."- incorrectly triggered, Inconsistency in example php.ini comments, "unset( this, Incorrect argument reflection info for array_multisort(, NULL pointer dereference in unserialize.c, Array constant not accepted for array parameter default, Use after free vulnerability in unserialize(, fpm_unix_init_main ignores log_level, listen=9000 listens to ipv6 localhost instead of all addresses, access.format=' R' doesn't log ipv6 address, PHP-FPM will no longer load all pools, listen.allowed_clients is IPv4 only, php-fpm man page is oudated, Change pm.start_servers default warning to notice, listen.allowed_clients can silently result in no allowed access, php-fpm conf files loading order, access.log don't use prefix, fpm_unix_init_main ignores log_level, listen=9000 listens to ipv6 localhost instead of all addresses, access.format=' R' doesn't log ipv6 address, PHP-FPM will no longer load all pools, listen.allowed_clients is IPv4 only, php-fpm man page is oudated, Change pm.start_servers default warning to notice, listen.allowed_clients can silently result in no allowed access, php-fpm conf files loading order, access.log don't use prefix, build error with gmp 4.1, build error with gmp 4.1, PDO_PGSQL::beginTransaction(, Matteo, PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving, Matteo, PDO_PGSQL::beginTransaction(, Matteo, PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving, Matteo, Session custom storage callable
5.6.314 Nov 2014 07:25 minor bugfix: Implemented 64-bit format codes for pack() and unpack(). proc_open on Windows hangs forever, A foreach on an array returned from a function not doing copy-on-write, Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3, DOMNodeList elements should be accessible through array notation, AddressSanitizer reports a heap buffer overflow in php_getopt(, a- foo .= 'test'; can leave a- foo undefined, parse_url(, zend_mm_heap corrupted after memory overflow in zend_hash_copy, libmagic: don't assume char is signed, buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer, fileinfo: out-of-bounds read in elf note headers, PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass, listen and listen.allowed_clients should take IPv6 addresses, imagescale, imagescale, and gmp_random_bits(, GMP memory management conflicts with other libraries using GMP, linker error on some OS X machines with fixed width decimal support, ODBC not correctly reading DATE column when preceded by a VARCHAR column, Allow to use system cipher list instead of hardcoded value, PDO::pgsqlGetNotify doesn't support NOTIFY payloads, Segmentation fault on statement deallocation, Duplicate entry in Reflection for class alias, Regression in RecursiveRegexIterator,
5.6.217 Oct 2014 04:00 security: Integer overflow in unserialize, NULL byte injection - cURL lib, Heap corruption in exif_thumbnail, Global buffer overflow in mkgmtime
5.6.106 Oct 2014 03:40 minor bugfix: Fixes for parse_ini_file, SIGSEGV during zend_shutdown, Crash on SIGTERM in apache process, program_prefix not honoured in man pages, Segfault when extending interface method with variadic, Incorrect last used array index copied to new array after unset, New Posthandler Potential Illegal efree, SIGSEGV during zend_shutdown, Crash on SIGTERM in apache process, program_prefix not honoured in man pages, Segfault when extending interface method with variadic, Incorrect last used array index copied to new array after unset, New Posthandler Potential Illegal efree, finfo::file, finfo::file, Using GMP objects with overloaded operators can cause memory exhaustion, gmp_init, and gmp_export, Using GMP objects with overloaded operators can cause memory exhaustion, gmp_init, and gmp_export, mysqli does not handle 4-byte floats correctly, mysqli does not handle 4-byte floats correctly, extension won't build if openssl compiled without SSLv3, extension won't build if openssl compiled without SSLv3, compile error without ZEND_SIGNALS, compile error without ZEND_SIGNALS, SoapClient prepends 0-byte to cookie names, SoapClient prepends 0-byte to cookie names, SessionHandler Invalid memory read create_sid, SessionHandler Invalid memory read create_sid, Add optional nowait argument to sem_acquire, Add optional nowait argument to sem_acquire
5.6.028 Aug 2014 12:25 minor bugfix: This version introduces constant scalar expressions, variadic functions, and argument unpacking syntax, an exponentiation operator, function and constant importing with the use keyword, phpdbg as an interactive integrated debugger SAPI. It also adds php://input attribute changes as well as POST data parsing mechanism, and GMP objects now support operator overloading. Files larger than 2 gigabytes in size are now accepted. It constraints some language behaviour in that array keys won't be overwritten when defining an array as a property of a class via an array literal. json_decode() is more strict in JSON syntax parsing. Stream wrappers now verify peer certificates and host names by default when using SSL/TLS. GMP resources are now objects instead of resources. Mcrypt functions now require valid keys and IVs.
5.5.1624 Aug 2014 14:35 minor bugfix: COM: Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas). Fileinfo: Fixed bug #67705 (extensive backtracking in rule regular expression). CVE-2014-3538) (Remi) Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi) FPM: Fixed bug #67635 (php links to systemd libraries without using pkg-config). pacho@gentoo.org, Remi) GD: Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). CVE-2014-2497) (Remi) Fixed bug #67730 (Null byte injection possible with imagexxx functions). CVE-2014-5120) (Ryan Mauger) Milter: Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike) OpenSSL: Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas). readline: Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt). (Bob, Johannes) Fixed bug #67496 (Save command history when exiting interactive shell with control-c). (Dmitry Saprykin, Johannes) Sessions: Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas). Core: Fixed bug #67693 (incorrect push to the empty array) (Tjerk) Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597) (Remi) ODBC: Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields). (Keyur)
5.5.1524 Jul 2014 16:27 minor bugfix: Missing HTTP response codes for the CLI webserver were added, fixed for the header() function, and the http:// stream wrapper now honors 308 as well. Fixes were applied to the autoloader logic, syslog setting, a typo in pgsql, redirect loops with nginx and FPM, and some Phar and SPL features. Crashes fixed for eval() with syntax errors, strstr() with empty array,
5.6.0RC204 Jul 2014 20:59 minor bugfix: Fixed memory leak with immediately dereferenced array in class constant, Segfault in highlight_file()/highlight_string(), make install fails to install libphp5.so on FreeBSD 10.0, Type Confusion Information Leak Vulnerability, syslog cannot be set in pool configuration. Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities. Fixed Locale::parseLocale Double Free, Buffer overflow in locale_get_display_name and uloc_getDisplayName, pgsql. Fixed debugger: readline feature not enabled when build with libedit, List behavior is inconsistent, The prompt should always ensure it is on a newline, break if does not seem to work, register function has the same behavior as run, No way to list the current stack/frames. And a SPL fix: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion.
5.5.1428 Jun 2014 04:23 security: The PHP Development Team announces the immediate availability of PHP 5.5.14. This release fixes several bugs against PHP 5.5.13. Also, this release fixes a total of 8 CVEs, half of them concerning the FileInfo extension. Please note that this release also fixes a backward compatibility issue that has been detected in the PHP 5.5.13 release. Still, the fix in PHP 5.5.14 may break some very rare situations. As this tiny compatibility break involves security, and as security is our primary concern, we had to fix it. This concerns bug 67072.
5.5.1327 Jun 2014 04:29 minor bugfix: Missing MIME types for XML/XSL files added, Echoing unserialized "SplFileObject" crash fixeed, usage of memcpy() with overlapping src and dst in zend_exceptions.c, spl_fixedarray_resize integer overflow, printf out-of-bounds read, DateTime constructor crash with invalid data, date_parse_from_format out-of-bounds read, timelib_meridian_with_check out-of-bounds read, DOMDocumentType->internalSubset returned entire DOCTYPE tag, not only the subset, Fileinfo crashed with powerpoint files, CDF infinite loop in nelements DoS. Numerous file_printf calls resulting in performance degradation, php-fpm reload leaks epoll_create() file descriptor, imageaffinematrixget missing check of parameters, Ungreedy and min/max quantifier bug. And $phar->buildFromDirectory couldn't compress file with an accent in its name.