Release notes
Version 2.2.0 open source edition
This version does not include the examples. It is meant to run on PHP5 only.
If you retrieved this page from an HTTP server that supports PHP, click
here to try it out.
This version does not include pntUnit and the unit tests.
What's new
Since 2.1.0
Security improvements:
- Synchronizer Token Pattern for referrer tokens in all urls
- ActionTickets now use hashed random tokens with timeout
- Only uses parameterized queries (may be emulated)
- Parameterized query emulation for old MySql driver
- PntValidationException thrown on invalid request data that should never be produced by applications
Other improvements:
- Scouting data and Tokens now support the usage of several phpPeanuts root folders (baseUrls) on the same (virtual) server
- tested with PHP 5.4.8
- many small changes, see changes.txt.
Remarks for upgrading existing applications
See the release notes of the upgrade release you can download from the phpPeanuts website.
Known bugs and limitations
- Applications are only protected against cross frame scripting in browsers that support the X-Frame-Options header.
- The Synchronizer Token Pattern by referrer tokens is not as strong as by request tokens. (Currently
most frameworks only implement this pattern for actions (called tickets with peanuts).)
- With older versions of PHP and/or MySQL the character set cannot be set on the connection in such a way that the
quoting functions of MySQL take the character set into account (this is a limitation of PHP and MySQL).
This may be a problem with UTF-8 and it may
have security implications, possibly including SQL injection vulnerabilities. Avoiding this requires:
- MySQL >= 5.0.7 or, if you're using MySQL 4, then >= 4.1.13.
- PntMySqlDao: PHP 5.0.7 or later
- PntPdoDao: PHP 5.3.6 or later
- PntMySqliDao (not included in the open source version): PHP 5.0.5 or later.
Emulated parameterized queries, as used by PDO and PntMySqlDao, will not protect you from this! (You may configure
PDO to use native parameterization.)
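The PDO configuration the note above refers to, as an added example that is not phpPeanuts' own code: the weak connection beside the hardened one, with the charset declared in the DSN (PHP 5.3.6 or later) and emulation switched off. Host, database name, credentials and the table in the usage lines are placeholders.

```php
<?php
// Added example, not part of phpPeanuts. Placeholders: localhost, example_db,
// app_user, secret. Syntax kept PHP 5.3 compatible to match the release notes.

function weakPdoConnection()
{
    // WEAK: no charset in the DSN and emulated prepares left at the default.
    // PDO then quotes parameter values client-side without reliably knowing
    // the server's connection character set, the limitation described above.
    return new PDO('mysql:host=localhost;dbname=example_db', 'app_user', 'secret');
}

function hardenedPdoConnection()
{
    // HARDENED: declare the charset in the DSN so client and server agree on
    // it (utf8mb4 is preferable on MySQL 5.5.3 and later), and disable
    // emulation so parameter values are sent to the server separately from
    // the SQL text instead of being spliced into it client-side.
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8',
        'app_user',
        'secret',
        array(
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        )
    );
}

// Check (assumed verification approach): ask the server which character set
// it applies to this connection and compare it with what the client declared.
function connectionCharsetIs(PDO $pdo, $expected)
{
    $row = $pdo->query("SHOW VARIABLES LIKE 'character_set_connection'")->fetch(PDO::FETCH_ASSOC);
    return $row !== false && $row['Value'] === $expected;
}

// Usage: application code is unchanged; only the connection differs.
$pdo = hardenedPdoConnection();
if (!connectionCharsetIs($pdo, 'utf8')) {
    throw new RuntimeException('connection character set does not match the DSN');
}
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
$stmt->execute(array(':email' => $untrustedEmail));
```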
- Though the framework has DAO classes that are successfully used as the database abstraction layer with MySQL
and SQLite, the use with other databases may require some additional refactoring. Please inform us about any
problems and solutions with the use of other databases. (Known: Oracle versions below 9 do not support standard
explicit JOIN syntax, but producing JOIN instructions is not delegated to DAO objects and cannot be easily refactored
to do so.)
- The AGPL license requires you to make the source of applications using this version
of phpPeanuts available to any users outside your own organization, and to allow them to forward
it to the rest of the world. An extended commercial edition is available on request under
developer licenses that do not include obligations to publish derived works etc.
For more info see the Support menu of the phpPeanuts website.