I went to upgrade our PHP install today, but found that:

> [PHP 5.2.7 has been removed from distribution](http://www.php.net/archive/2008.php#id2008-12-07-1)
>
> Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where `magic_quotes_gpc` is enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.

This is one of those cases of “you write a test for anything that has ever gone wrong.” If the PHP guys have any clue at all, they will have written many tests of all the possible ways that `magic_quotes_gpc` can get set incorrectly, *before* fixing a single line of source code.

(For those unfamiliar with this peculiar misfeature of PHP, `magic_quotes_gpc` lets you automagically instantiate global variables based on GET and POST variables, which allows bad guys to muck with your code by passing in parameters that they know will mess with your code when turned into globals.)