
[PHP] Old version of PHP - PHP Development

  1. #1

    Re: [PHP] Old version of PHP

    Fellas,
    >can't see how this should be an issue.
    It is a security issue. Most ISPs don't allow register_globals to be turned
    on. Read the php docs about register_globals. Zeev and company explain it
    better than I can.
    [url]http://www.php.net/register_globals[/url]

    It leads to cookie poisoning, header forging, XSS, extremely tough debugging
    sessions, and all sorts of other nastiness. To quote my (un)orthodox buddy
    "Never mix da meat with da milk!"

    They have warned against using this feature for several years, long (WAY
    long) before they turned it off by default. When I read the manual in the
    year 2001, I fixed my code, stopped using it and turned it off on all of my
    servers immediately. I strongly advise against using applications which rely
    on insecure features.

    If you really want to solve the register_globals issue, pressure Francisco
    Burzi (phpNuke) and other open source project leaders to start writing
    better code and stop relying on insecure features that ISPs don't support.
    This is the real source of the problem. It is not difficult for them to fix
    their code.

    It should have been done a long time ago. The collective aggravation these
    people cause newbies and ISPs is absolutely staggering. If I had my
    druthers, RG would be removed from PHP altogether. It is a dangerous relic
    of times gone by, before such issues were known. I believe in tough love: )
    > as a programmer, i hate it how some hosts refuse to keep on top of the
    > upgrades...
    They usually don't have time and only patch for major upgrades and major
    security problems. If you know anyone at an ISP they will tell you what a
    monumental task it is just to keep all of the servers secure, keeping them
    on the bleeding edge usually isn't an option, and is way dangerous. You have
    to consider that by upgrading all the time, in addition to it being nearly
    impossible, they are risking breaking other customers' applications every
    single time they upgrade anything. If the upgrade is new, any issues
    introduced may take weeks to iron out. If your client is down for weeks, at
    an ISP, they are gone. If it isn't necessary, and the libraries are secure,
    ISPs usually won't upgrade them.
    > it's almost a case of "don't upgrade your LAN until the production
    > server upgrades", but I prefer "convince you host to upgrade, or move
    > host" :)
    This is good policy, however, you should have 2 development environments,
    bleeding edge, where you build new stuff and keep your knowledge up with
    features, and a copy of production. This way you can code for the latest,
    find the broken stuff and re-implement for the old version. Usually,
    depending on just how old production is, there isn't too much that breaks.

    If you are writing and using classes, as much as possible I hope, when
    production can take advantage of your latest code, in a year or so, you can
    simply update the objects. Just keep a consistent interface and you will be
    fine.
    > > are now handled by default, the perception being that newer versions
    > > of PHP
    > > are incompatible with older code.
    This perception can be a reality. Curl is a prime example of this. Build a
    bleeding edge box and try to get curl to work with open ssl. The upgrade to
    4.3.2 and the latest openssl broke this. I know, I was bit by it. I had to
    re-write the curl stuff in Perl::LWP after hammering on curl for a week. The
    openssl issue was a security one. I will be using Perl for this stuff until
    OpenSSL/Curl/PHP get on the same page. I sure am glad I know perl: )

    If you really want to stay bleeding edge, you should consider co-location.
    This is where you put your own box in the ISP and maintain and secure it
    yourself. Then, however, you are on your own with security, not a good place
    to be. If you neglect it, you get r00ted.

    I run my own boxes (I am a programmer, not an admin). I only have 8, and it
    is nearly impossible for me to keep up with only 8 sometimes! I spend a
    buttload of time on security lists, more than I program.

    I can't imagine running an ISP with 500+ boxes. Every time I patch a box I
    run a full scan on it, and check stuff for buffer overflows and regression
    test my applications. This alone is sometimes 2 days work, sometimes it
    takes a week if an issue is introduced. See
    [url]http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=77467[/url]. This security
    upgrade broke mysql and would have caused our apps to go down, had I not
    caught it.

    If we were at an ISP who stayed bleeding edge and blindly upgraded, we would
    have been shut down by that upgrade for several days. Undoubtedly, we would
    have fired our ISP (this is one reason we control our boxes, we lose
    hundreds of thousands of dollars in revenue for every day we are down). This
    was a critical security upgrade. As soon as I found out about it I upgraded
    DEV and started testing. If we just went bleeding edge all the time, for the
    sake of being bleeding edge, nothing would ever work right.

    Hope this gives you some realistic perspective on why your ISP seems
    stubborn about upgrading and changing settings. Cut them some slack! It is
    for your own good (and the good of others). Though painful, it is an
    unfortunate fact of life. Switching ISPs generally will get you the latest
    version, for the moment... That honeymoon doesn't last very long. The first
    time you pressure them into an upgrade that breaks 20 other customers, they
    will be wiser and you won't get much help from them anymore. Most likely,
    your current ISP has been here.

    thx,
    Neil
    "behaviour is caused, and the causes are many"
    ----- Original Message -----
    From: "Justin French" <justinindent.com.au>
    To: "Dan Phiffer" <danphiffer.com>
    Cc: <php-generallists.php.net>
    Sent: Thursday, August 07, 2003 9:43 PM
    Subject: Re: [PHP] Old version of PHP

    > On Friday, August 8, 2003, at 09:21 AM, Dan Phiffer wrote:
    >
    > > I'm working on an ongoing project that depends on a shared webserver
    > > running
    > > an old version of PHP (4.1.2 I believe). Is there any good reason to
    > > stick
    > > with an older version of PHP, or might it be a valid suggestion to
    > > have it
    > > upgraded to something a bit more recent? I have a notion that upgrade
    > > attempts may have been snubbed out by the way things like
    > > register_globals
    > > are now handled by default, the perception being that newer versions
    > > of PHP
    > > are incompatible with older code.
    >
    > the register globals "event" happened on 4.1 (from memory), so any
    > install over that should be straight forward. in any case, it's just
    > one simple directive that needs to be changed in the php.ini file...
    > can't see how this should be an issue.
    >
    > i think the best reason to keep up-to-date on the versions is that each
    > new release is "better, more stable, etc etc"... i haven't ever heard
    > anyone on this list say "i prefer 4.2.3 over 4.2.4" :)
    >
    > as a programmer, i hate it how some hosts refuse to keep on top of the
    > upgrades... really useful functions in newer versions aren't available.
    >
    >
    > > Mainly I'm concerned that code I test on our in-house server running
    > > version-current PHP will depend on function calls and language
    > > constructs
    > > that the production server's vintage PHP interpreter lacks.
    >
    > exactly... there isn't a HUGE number of differences between the current
    > release and what they've got on the live server, but there are
    > exceptions... i was making good use of file_get_contents() on my LAN,
    > but had to write a user-function to te it when running on the
    > live server which is stuck at 4.2.3 for the moment.
    >
    > it's almost a case of "don't upgrade your LAN until the production
    > server upgrades", but I prefer "convince you host to upgrade, or move
    > host" :)
    >
    >
    > Justin
    >
    >
    > --
    > PHP General Mailing List (http://www.php.net/)
    > To unsubscribe, visit: http://www.php.net/unsub.php
    >
    Neil Davis Guest
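Justin's workaround for a live server stuck at 4.2.3, quoted above, as an added example that is not the thread's own code: a function_exists() guard that supplies file_get_contents() (added in PHP 4.3.0) only where the interpreter lacks it, so the same code runs on the LAN box and on the older host without branching on the version elsewhere.

```php
<?php
// Added example, not from the thread. Compatibility shim: define
// file_get_contents() only when the running PHP does not already have it
// (it arrived in 4.3.0), so newer code still runs on a 4.2.x host.
if (!function_exists('file_get_contents')) {
    function file_get_contents($filename)
    {
        // Binary-safe read; return false on failure like the real function.
        $fp = @fopen($filename, 'rb');
        if ($fp === false) {
            return false;
        }
        $data = '';
        while (!feof($fp)) {
            $data .= fread($fp, 8192);
        }
        fclose($fp);
        return $data;
    }
}

// Constructed sample input so the shim can be exercised on any host.
$tmp = tempnam(sys_get_temp_dir(), 'fgc');
$fh = fopen($tmp, 'wb');
fwrite($fh, "hello from the old host\n");
fclose($fh);
echo file_get_contents($tmp);   // same call on 4.2.3 and on current PHP
unlink($tmp);
```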

  2. #2

    Re: [PHP] Old version of PHP

    On Friday, August 8, 2003, at 10:28 AM, Neil Davis wrote:
    > Fellas,
    >> can't see how this should be an issue.
    > It is a security issue. Most ISP's don't allow register_globals to be
    > turned
    > on. Read the php docs about register_globals. Zeev and company explain
    > it
    > better than I can.
    > [url]http://www.php.net/register_globals[/url]
    Please re-read what I wrote in context. I'm fully aware of the whole
    register_globals situation. Have read (and wrote) heaps on the topic.

    The OP was talking about RG issues when upgrading versions... In
    regards to upgrading, the fact that register_globals defaults to off,
    not on in newer versions should not be a deterrent to upgrading, because
    the value can simply be edited in the php.ini file, changed via a
    htaccess file, etc etc.

    I was not AT ALL suggesting that turning on register_globals was a good
    idea... I was suggesting that the setting could be easily switched to
    match the value on other servers (on or off as required).

    Me? I code strictly for RG off, and have done so for ages, and force
    RG to be off regardless of my ISP's settings via a htaccess file.


    Cheers,

    Justin

    Justin French Guest
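Neil's warning in #1 (register_globals leads to poisoned cookies, forged headers and the like) and Justin's practice in #2 (code strictly for RG off and force it off via .htaccess), as an added example that is not code from the thread: a startup guard that refuses to run with the setting on, then the uninitialised-variable pattern the guard protects against beside its hardened form. check_login(), $is_admin and the sample credential check are hypothetical and constructed.

```php
<?php
// Added example, not from the thread. check_login() and $is_admin are
// hypothetical names; the sample credential check is constructed.

// Startup guard (Justin's approach in code): refuse to run if the host still
// has register_globals on. Under mod_php the matching .htaccess line is:
//   php_flag register_globals off
$rg = strtolower((string) ini_get('register_globals'));
if (in_array($rg, array('1', 'on', 'yes', 'true'), true)) {
    die('register_globals is on; force it off in php.ini or .htaccess');
}

// Constructed stand-in for a session-backed credential check. It reads input
// only from the explicit $_POST superglobal, never from an injected global.
function check_login()
{
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    return $user === 'alice';
}

// --- Pattern that only works with register_globals off -------------------
// $is_admin is never initialised. With RG on, a request parameter of that
// name is imported into global scope before this script runs, so the test
// below succeeds without check_login() ever returning true.
if (check_login()) {
    $is_admin = true;
}
if ($is_admin) {
    $role = 'admin';
} else {
    $role = 'guest';
}

// --- Hardened form --------------------------------------------------------
// Initialise before use and take input only from superglobals, so the result
// is the same whatever the host's register_globals setting is.
$is_admin = false;
if (check_login()) {
    $is_admin = true;
}
$role = $is_admin ? 'admin' : 'guest';
echo "role: $role\n";
```

With the guard in place the first pattern can no longer be abused on that host; it is kept only to show what the guard and the hardened form protect against.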

  3. #3

    Re: [PHP] Old version of PHP

    On Friday 08 August 2003 09:43, Justin French wrote:
    > i think the best reason to keep up-to-date on the versions is that each
    > new release is "better, more stable, etc etc"... i haven't ever heard
    > anyone on this list say "i prefer 4.2.3 over 4.2.4" :)
    But each new release brings new problems and a whole raft of new bugs.
    > as a programmer, i hate it how some hosts refuse to keep on top of the
    > upgrades... really useful functions in newer versions aren't available.
    Sometimes it is prudent to 'wait' for a stable version to emerge. AFAICR 4.06
    was relatively stable (bug free), it was followed by a couple of buggies
    4.10, 4.11 and then another relatively stable release 4.12 etc.

    And as for the latest and greatest, 4.3.2, it has a nasty bug with
    imagecopyresampled() when using the built-in gd library which makes it
    useless if you need that function.

    So, if the host is being sensible and not just plain lazy then you should
    commend them for keeping your site running and not reprimand them for not
    upgrading willy-nilly.

    --
    Jason Wong -> Gremlins Associates -> [url]www.gremlins.biz[/url]
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    ------------------------------------------
    Search the list archives before you post
    [url]http://marc.theaimsgroup.com/?l=php-general[/url]
    ------------------------------------------
    /*
    A national debt, if it is not excessive, will be to us a national blessing.
    -- Alexander Hamilton
    */

    Jason Wong Guest

  4. #4

    Re: [PHP] Old version of PHP

    On Saturday 09 August 2003 00:54, Dan Phiffer wrote:
    > Thanks for all the feedback, guys. Is there an errata page somewhere that
    > lists known bugs in the PHP interpreter?
    google > php bugs

    --
    Jason Wong -> Gremlins Associates -> [url]www.gremlins.biz[/url]
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    ------------------------------------------
    Search the list archives before you post
    [url]http://marc.theaimsgroup.com/?l=php-general[/url]
    ------------------------------------------
    /*
    The difference between waltzes and disco is mostly one of volume.
    -- T.K.
    */

    Jason Wong Guest

  5. #5

    Re: [PHP] Old version of PHP

    I appreciate the (rather indirect) pointer to the PHP bug tracking site - I
    didn't know about that. Errata, it seems to me anyway, perform a different
    purpose. I don't mind RTFM-style responses, but please at least read my
    question more closely.

    I find the "reporting bugs" link on the PHP website a bit misleading since
    that page serves more purposes than simply reporting bugs.

    Okay enough of my ing,
    -Dan


    ----- Original Message -----
    From: "Jason Wong" <php-generalgremlins.biz>
    Newsgroups: php.general
    To: <php-generallists.php.net>
    Sent: Friday, August 08, 2003 10:21 AM
    Subject: Re: [PHP] Old version of PHP

    > On Saturday 09 August 2003 00:54, Dan Phiffer wrote:
    > > Thanks for all the feedback, guys. Is there an errata page somewhere that
    > > lists known bugs in the PHP interpreter?
    >
    > google > php bugs
    >
    > --
    > Jason Wong -> Gremlins Associates -> www.gremlins.biz
    > Open Source Software Systems Integrators
    > * Web Design & Hosting * Internet & Intranet Applications Development *
    > ------------------------------------------
    > Search the list archives before you post
    > http://marc.theaimsgroup.com/?l=php-general
    > ------------------------------------------
    > /*
    > The difference between waltzes and disco is mostly one of volume.
    > -- T.K.
    > */
    >
    Dan Phiffer Guest

  6. #6

    Re: [PHP] Old version of PHP

    On Saturday 09 August 2003 01:46, Dan Phiffer wrote:
    > I appreciate the (rather indirect) pointer to the PHP bug tracking site - I
    > didn't know about that. Errata, it seems to me anyway, perform a different
    > purpose. I don't mind RTFM-style responses, but please at least read my
    > question more closely.
    Sometimes I find it difficult to read minds -- especially on a Friday.
    bugs.php.net gives the definitive status of any known bugs so you can see
    what bugs are outstanding in any given version of php. Actually it'll give
    you everything you wanted to know about bugs in php but was afraid to ask.

    Whereas changelog, history, release notes will summarise what bugs were fixed
    between versions. None of these resources are called errata although some
    linux distros may present these as erratum (plural?).

    --
    Jason Wong -> Gremlins Associates -> [url]www.gremlins.biz[/url]
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    ------------------------------------------
    Search the list archives before you post
    [url]http://marc.theaimsgroup.com/?l=php-general[/url]
    ------------------------------------------
    /*
    When the revolution comes, count your change.
    */

    Jason Wong Guest

  7. #7

    Re: [PHP] Old version of PHP

    * Thus wrote Ford, Mike [LSS] (M.Fordlmu.ac.uk):
    > (There are also words in English derived from Greek which have singular ending -on and plural ending -a -- notably criterion/criteria. Microsoft doesn't understand this, and gets it tooth-jarringly wrong all over Excel and its help files.)
    tooth-jarringly.... :)


    Curt
    --
    "I used to think I was indecisive, but now I'm not so sure."
    Curt Zirzow Guest
