In response to yesterday's tip of the day on PHP security, a number of readers wrote in to point to the minutes of a PHP developer meeting, discussing upcoming changes in PHP 6. Now PHP 6 may seem far away. But you can't start early enough to think about how to make sure project work well with it.

From a first read, I am not quite happy with the security related changes. But the document is brief and may not explain all the details. So here a few of the security related highlights.

• Dealing with Unicode. Not directly security related. But this could affect some validation functions. Overall there appears to be a global switch covering how to deal with unicode.
  
• register_globals is going to go away (Finally ;-) ). This option, which "way back" used to be the default, has been one of the big problems in the past.
• magic_quotes is going to go away. Not sure if I like this. 'magic_quotes' has been an issue for developers who had no control over the php configuration (e.g. shared hosting) and had to cover both cases (quotes on/off). But it has been a valuable safety net for others.
• safe_mode feature is going to be removed. Another questionable choice IMHO. The feature had problems in the past, but then again, I would rather see them fixed then have them go away.
• the SOAP extension will support more security options. But it will also be turned on by default.
• the "Hardened PHP patch" will be included (at least pieces of it. Nice!).
• looks like there will be no 'taint' mode, but there may be 'sandboxing'. The notes are a bit brief on this.
• No more '<%'. This could be an issue if your PHP code is using '<%' and will now no longer be parsed, but instead the source code will be visible.

So thats the quick summary of the (already quite brief) document. For a more detailed discussion you will likely have to check the PHP developer mailing lists. I am not that familiar with PHP politics, so I am not sure how flexible these changes are. There are PHP 6.0 development snapshots available at this point. But at least to me, PHP 5 is still quite new ;-). PHP has had a good history of supporting older versions, so there is no reason to panic quite yet.

For the full document, see Minutes PHP Devlopers Meeting.