I went to upgrade our PHP install today, but found that:
Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where
magic_quotes_gpcis enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.
This is one of those cases of "you write a test for anything that has ever gone wrong." If the PHP guys have any clue at all, they will have written many tests of all the possible ways that
magic_quotes_gpc can get set incorrectly, before fixing a single line of source code.
(For those unfamiliar with this peculiar misfeature of PHP,
magic_quotes_gpc lets you automagically instantiate global variables based on GET and POST variables, which allows bad guys to muck with your code by passing in parameters that they know will mess with your code when turned into globals.)