[FQuest Announce] PHP5 Availability

**Terra** · 12-25-2006, 03:46 PM

As part of the holiday release FutureQuest is pleased to announce the following new addition: PHP5 [5.2.0]

Scheduled Deployment date: January 6th, 2007

It has been a long wait, and getting PHP5 ready for production has been a long hard road as offering both PHP4 and PHP5 on the same server was a very tricky prospect... I believe it is now stable enough for a production environment however moving from PHP4 to PHP5 won't be a forced upgrade until PHP5 has proven itself in 2007...

PHP5 will mirror the same feature set as PHP4 to help ease migration, however PHP5 will offer stronger XML abilities that PHP4 could not...

PHP5 has also been incorporated with our exclusive PHP Secure_Mode™ feature and will operate just as it did with the PHP4 series...

If your site uses SSL, both the Regular and SSL Apache services will be upgraded...

To request PHP5 please send an email, with the domain name, to our Service Desk and we will add you to the upgrade task list...

--
FutureQuest Team
http://www.FutureQuest.net

**Terra** · 12-26-2006, 07:58 PM

One item that I forgot to mention about the PHP5 release, is that register_globals will now default to off for security reasons... 95% of all PHP script exploits are due to this, and PHP5 will mark this transition...

Due to the massive headaches that register_globals has caused site owners (and us cleaning up the mess), we encourage you to not turn this on and to upgrade any script that requires it to be on... PHP6 will be removing the 'register_globals', 'magic_quotes_gpc', and 'magic_quotes_runtime' flags altogether...

Before requesting the PHP5 update, please test your existing site by adding the following to the .htaccess in your 'www' directory or in the subdirectory of where the script resides:
php_flag register_globals off

Keep an eye on your PHP error log in: xdom/logs_cgi/php_error
as well as your regular 'logs_web/error' log

--
Terra
sysAdmin
FutureQuest

*MikeSD* · 12-26-2006, 10:12 PM

Will this in any way affect those of us that are running software, that we have paid for, that uses the previous version? Will the old version of MySQL still be available, if there are problems, with existing software?

**Terra** · 12-26-2006, 10:21 PM

PHP5 is not a forced upgrade, but rather offered by 'Request' only...

So no, the offering of PHP5 won't affect you at this time, until we decide to deprecate PHP4...

Both versions of PHP and MySQL will be running concurrently for awhile, and I'd like to see the older versions phased out within 6 to 12 months...

--
Terra
sysAdmin
FutureQuest

*Pegasus* · 12-26-2006, 11:34 PM

Quote:

Originally Posted by Terra

Before requesting the PHP5 update, please test your existing site by adding the following to the .htaccess in your 'www' directory or in the subdirectory of where the script resides:
php_flag register_globals off

Thanks for the tip! When I checked my site with register_globals off, I found that $SCRIPT_NAME no longer provided the name of my current file (it was essentially an empty string).

In case others run into this, here's my solution: instead of $SCRIPT_NAME use $_SERVER["SCRIPT_NAME"]

Cathy

**Terra** · 12-27-2006, 06:51 AM

Quote:

In case others run into this, here's my solution: instead of $SCRIPT_NAME use $_SERVER["SCRIPT_NAME"]

Please remember to not stop there, you must sanitize and validate the user supplied variable, otherwise it won't accomplish anything and the variable can still be malicious in nature...

register_globals being turned off by default by the PHP developers was done to make software authors think about what they are doing and to sanitize all passed outside variable data...

MUCH more so if the variables are being passed to functions like 'include', 'require', 'fopen', etc, because the supplied user data can be in the form of a URL "http://www.example.org/blah/evil_file.txt" which is really a backdoor script that can give them command line access to your account...

Sanitize sanitize sanitize all user input
Validate validate validate all sanitized input
repeat the above many times...

--
Terra
sysAdmin
FutureQuest

Dr Mirth · 01-07-2007, 10:42 AM

I assume this upgrade didn't go ahead as planned then?

As I requested both the PHP 5 & MySQL 5 upgrades for my MQS, but it doesn't appear to have been upgraded to these versions as yet.

**Terra** · 01-07-2007, 12:30 PM

No, we haven't scheduled any of the PHP5/MySQL5 upgrades yet, however the MQS systems will be the first to receive the upgrade...

I'm watching to see how the new Apache/PHP4 upgrade is going before pushing the more advanced items out...

--
Terra
sysAdmin
FutureQuest

Roberto · 01-10-2007, 10:16 AM

Hello, glad to know that PHP5 is on FutureQuest.

I would like to know if the option "allow_url_include" will be On or Off in php.ini

Also: is it possible to see a phpinfo() of the new PHP5 before asking to migrate?

Thank you and best regards
Roberto
http://www.capriweb.com on FQ

**Terra** · 01-14-2007, 10:18 PM

Quote:

I would like to know if the option "allow_url_include" will be On or Off in php.ini

Yes, it has been enabled due to the number of scripts that (unfortunately) rely on it...

Quote:

Also: is it possible to see a phpinfo() of the new PHP5 before asking to migrate?

Yes, I just upgraded QuestStats to PHP5 today...

http://www.queststats.net/phpinfo.php

--
Terra
sysAdmin
FutureQuest