Most notably, in 5.4.0 (in 2012!) they removed register_globals and magic_quotes. (Which had both been deprecated and off-by-default for a while before, I believe.)

The former was notoriously insecure, as what it did was promote anything passed in as a cookie, GET, or POST variable into a global-scoped variable inside your script. Since PHP didn't require any sort of declaring-your-variables-before-using-them, it was pretty easy to wind up with scripts written in a way that would allow this an unwise amount of access to the script's internals.

The latter automatically escaped special characters with backslashes in all the aforementioned user-provided variables so you could pass them straight into mysql queries. It was, however, optional and so caused errors because code got written relying on it and then ran on servers with it disabled, allowing SQL injection attacks... or double-escaping things in code written the other way around.

But these days are long behind us!
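The two behaviours described in the comment above, as an added example that is not part of the original comment. Assumptions: `extract()` stands in for the removed `register_globals` setting, `addslashes()` stands in for `magic_quotes_gpc`, and the request array, function names and `users` table are constructed for illustration.

```php
<?php
// Constructed sample request; stands in for $_GET/$_POST/$_COOKIE on a real server.
$request = ['name' => "O'Brien", 'authorized' => '1'];

// register_globals, emulated: every request key becomes a variable in scope.
function check_access_legacy(array $request, bool $passwordOk): bool {
    extract($request);
    if ($passwordOk) {
        $authorized = true;
    }
    // $authorized is never initialised, so a request key of the same name fills it in.
    return !empty($authorized);
}

// Same logic with the flag initialised and never derived from request keys.
function check_access_fixed(array $request, bool $passwordOk): bool {
    $authorized = false;
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// magic_quotes, emulated: request values arrive pre-escaped only if the setting is on.
function incoming(array $request, bool $magicQuotes): array {
    return $magicQuotes ? array_map('addslashes', $request) : $request;
}

// Written on a server with magic_quotes on: interpolates the value directly.
function query_relying_on_magic_quotes(array $in): string {
    return "SELECT * FROM users WHERE name = '{$in['name']}'";
}

// Written on a server with magic_quotes off: escapes the value itself.
function query_escaping_itself(array $in): string {
    return "SELECT * FROM users WHERE name = '" . addslashes($in['name']) . "'";
}

// Wrong password in both calls; only the legacy version lets the request decide.
var_dump(check_access_legacy($request, false));
var_dump(check_access_fixed($request, false));

// The same code on servers with the setting on and off, then the double-escaping case.
echo query_relying_on_magic_quotes(incoming($request, true)), "\n";
echo query_relying_on_magic_quotes(incoming($request, false)), "\n";
echo query_escaping_itself(incoming($request, true)), "\n";
```

The second query is the one where the unescaped quote ends the string literal early, and the third stores a literal backslash in the name.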


