As PHP 5.6, Still Used By a Large Number of Websites, Approaches Its End of Life Deadline, Some Worry About the Consequences (linkedin.com) 151
An anonymous reader writes: I know PHP isn't to some devs liking, but chances are you know people who work with PHP or have sites that are built with it. PHP 5.6 and 7.0 are shortly coming to the end of the support period for security patches, so what plans have you made to migrate code and sites to newer platforms? With apparently huge numbers (80%) of sites still running PHP 5.6, there appears to be little industry acknowledgement of the issue. Is there a ticking PHP Time Bomb waiting to go off?
PHPBuilder.com lamentation time? (Score:1)
Wow, PHP 5.6 has been around for how long?
Re: (Score:1)
I would expect a simple update guide with breaking changes and simple resolutions.
If that isn't available, I'd say no php development allowed anywhere. Software has to be developed knowing that it is insecure, and will need updates. A language/framework developer doubly so.
And expecting people to spend time reworking their code because you fucked up is ignorant at best. If your code is so insecure that you need a breaking change, make it an easy upgrade. Or else just deprecate it and suck it up.
Migrating to PHP 7: Backward incompatible changes (Score:5, Informative)
I would expect a simple update guide with breaking changes and simple resolutions.
Expected it, got it. Google Search for php 7.0 breaking changes returned this section of the official migration guide [php.net] as the first result.
Re: (Score:2)
If there are breaking changes it's a good reason to consider some other solution. The problem is that some PHP code isn't easy to fix even if you get the info about what's a breaking change because the PHP code is not always even human-readable except for the person that did write it - and that person has moved on.
Re: (Score:2)
If there are breaking changes it's a good reason to consider some other solution. The problem is that some PHP code isn't easy to fix even if you get the info about what's a breaking change because the PHP code is not always even human-readable except for the person that did write it - and that person has moved on.
Code people wrote for PHP 5.6 should work with PHP 7.1 with very few changes, however tons of things in the backend changed meaning extensions must be rewritten. There are 3 or 4 extensions I have which haven't even been upgraded to PHP 7.0 yet.
Re: (Score:2)
If people thought the way you do, they never would have begun the project in PHP in the first place. But they did.
It's like you said "Everyone who understands English, please leave the room," and a bunch of people walk out. A bunch of people remain, staring at you, confusion on their faces.
And what do you do? You begin a speech in English. Notice how the confused looks aren't going away?
Re: (Score:2)
Cobol is declining too.
However, once the code works, then it is probably a good idea not to piss with it. New "Features" are mostly just bugs anyway.
Re: (Score:2)
I really hope this list is not news to any PHP developer. PHP 7 was released Dec 2015.
Re: (Score:1)
Re: (Score:2)
As long as they keep running servers that run the php version I bet most will never notice.
I had a client who was using php 5.3 on ubuntu 12.04 until he shut his site down last month. The site wasn't making enough money for him to warrant updating the site (even though for 2 years I kept pestering him about it). The original developer had used php functions that no longer worked in 5.6, and it would have been a major rewrite to get it working again.
Re: (Score:2)
3 years is not very long in the scale of things.
OK, but if the first time a developer bothers to look at the changelog for the current stable version is when the old version they're using is about to go end-of-life, they might not have their priorities in order. They definitely don't have a reason to whine if the rest of the world has moved on without them.
Some of the PHP code which drives my web sites was written in 2007, and they are still working fine.
Which version of PHP are you running?
those Neanderthal women are really hot!
Yeah, well, I was into Neanderthals before they were popular, but I kind of lost interest. I'm more into Denisovans now, but you probably haven't heard of them.
Re: PHPBuilder.com lamentation time? (Score:3)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Your website (www.aisnota.com) is down. Did you have problems upgrading to PHP 7.2??
Re: (Score:1)
Still not as bad as PHP. Going up from Java 6 to latest Java is a walk in the park compared to PHP.
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
I really havn't heard of any good replacements to PHP? All the popular languages seems to want you to code your WebServer in its language vs. Using a tried and true one.
Python CGI and WSGI (Score:2)
Last I checked, Python still supported any web server that could speak CGI or WSGI. Apache can speak both.
Re: (Score:2)
Well any language will speak CGI, Back in college I did a FORTRAN 77 Web App to prove that.
PHP, ASP, JSP were languages designed mostly to embed your HTML with Server Side processing. Because the bulk of the web output is just static HTML code, with a few server-side replacements.
CGI and WSGI are often very heavy handed approaches to Server Side processing, as it normally requires additional forked processes to be executed.
Re: (Score:1)
I don't think many people recall that when PHP became popular it was one of the following choices:
1) PHP
2) Perl & CGI.pm
3) Java servlets plus crappy EJB plus (maybe) CORBA
4) ActiveX/COM/VB
Nowadays we have environments, languages, and frameworks that are much nicer than anything PHP has to offer.
Re: (Score:2, Insightful)
Such as?
PHP is still widely used because it's fast (performing) and fast to develop in, free, well-documented and has a huge framework library and developer base to draw on.
That doesn't make it a good language, but it does make it the one to beat. I have yet to see anything that can do what PHP can do. All the "better" tools are slower, take twice the development time, lack turnkey solutions, or are o
Re: (Score:2)
> PHP was the insane choice
FTFY.
PHP is shit [habnab.it].
The online manual is crap as well. Searching for true [php.net], TRUE [php.net], false [php.net], FALSE [php.net], all return:
*facepalm*
Why do two of shittiest programming languages around, PHP and JavaScript, drive much of the Web?
*double facepalm*
Re: Shoulda thought about that... (Score:1)
Because they're easy to understand and they're (as you pointed out) untyped which makes it easy to pick up.
JavaScript is worse than PHP but not nearly as bad as Java (for which you have to understand the worst paradigm ever invented: OOP) or C (where you need to learn about pointers, references and how your CPU and memory work) when you're learning about programming.
Re: (Score:1)
People blame dynamic typing, but the real culprit is implicit conversions.
Even back when I was learning C in the mid-90s they drove me crazy. They cause more bugs than they are worth. ALL type conversions should be made explicit, even at the cost of a little extra typing.
Re:Shoulda thought about that... (Score:4, Interesting)
> Why would you be comparing differently typed items anyway?
You _never_ make typos in code?
You _never_ compare the wrong types by accident?
Good programming embraces Fail Fast [wikipedia.org]. One of the advantages of static type checking is that you know instantly if what you are doing is nonsense.
PHP and JavaScript are crap because they embrace "Fail Whenever" -- a HORRIBLE practice for scalability, correctness, and robustness.
Re: (Score:2)
... when you opted to use PHP in the first place.
Right... you should have used lovingly hand-crafted C with CGI, because that would have solved all of your security problems. /s
Or spent months hacking through the jargon thicket that is Java server-side programming (OK, maybe not rocket science but massive overkill for simple stuff).
Anyway, before the days of $5/month virtual servers and free Amazon cloud, PHP was probably the only thing that your shared web host offered...
Re: (Score:1)
I imagine it is a lot of various forums for different hobbies people have. If you can think of a hobby, I'm sure someone will have a forum and maybe a wiki as part of it. That's a lot of websites and most of them are likely pretty old but the information is still useful and valid.
Re: (Score:2)
Technically any language flaw and hack is a result of bad securityops.
That doesn't mean they should just let it slide. Because everyone will at some point have a bad day, and miss something. If your security review just forgot to account for a particular method, the built in defaults should be a secondary defense.
Re: (Score:1, Flamebait)
How can you be surprised? I'm sorry, but PHP has been known to have security issues for *decades*. Security was basically non-existent at first and then haphazardly bolted on afterwards.
There was a time when I'd hire people who used PHP by choice, but that time is long gone. These days, if I'm interviewing someone who used PHP at their last gig, I expect to hear either
1) "...but then we rewrote the system in something else"
or
2) "... and that's why I left that place".
Nearly anything else raises doubts about
Re: A scary thing I just found out. (Score:4, Interesting)
That's dumb. Rewriting or porting software introduces bugs and security flaws. Good developers are good in any language. Hire good developers. Any developer who wants to rewrite everything when they come in isn't a good developer.
Re: (Score:2)
Rewriting or porting software introduces bugs and security flaws.
And it can also remove bugs and eliminate security flaws. And in the case of replacing a PHP-based system, odds are very much in favor of a net improvement.
Good developers are good in any language. Hire good developers.
That sorta misses the point and is akin to arguing that knives shouldn't have handles because a good knife wielder can avoid getting cut. PHP is a handleless razor blade with a sharp edge all the way around.
I do try to hire good devs (which is why if I see the huge red flag of PHP on their resume, I'm going to dig into their view on it, and almost certai
Re: A scary thing I just found out. (Score:2)
You say you look for devs who want to rewrite anything they come across in PHP or who come from disfunctional teams they want to leave. You don't allow for the possibility that a PHP developer is talented, works with talented people, and are generally happy writing good code in PHP.
Re: (Score:3)
You don't allow for the possibility that a PHP developer is talented, works with talented people, and are generally happy writing good code in PHP.
Thank you, yes, that's much closer to what I was saying.
When I hire a dev, I'm looking for someone with good judgement. If I come across a candidate that was actively using PHP at their last job, then I am most definitely going to dig in to make sure that that candidate has a good grasp of its flaws and a good explanation for why it continued to be used anyway.
If they can't do a solid job of explaining that, then no, they probably aren't a very good dev.
It's not that I doubt that somewhere, somehow there ex
Re: (Score:1)
You're not going to get through. OP is either a manager with a CS degree and no actual trench years put in or an elitest jerk.... ...either way, definitely not a person I would want to work for.
Not just 5.6 (Score:5, Interesting)
The current RedHat 7 ships PHP5.4 (or lower) by default. Adding 5.6 means adding a non-standard repo and thus tainting your update environment. Can be done but not classy.
Having said that, I run a small ISP with many tiny NGOs as customers. All these sites were developed for PHP5.2 or something by "Bob" who left and nobody has the money or expertise to update the site to PHP5.6 or higher. If I force an upgrade I effectively kill over 300 websites that are pretty much running fine, despite the vulnerabilities puslished. Remember that most of these customers have ever even heard of PHP or what it is supposed to be doing, and they care even less as they are not IT people.
Re: (Score:1)
This is just the mentality of not caring about IT. Organizations want to minimize costs, and the "unseen" parts are the first to go. Emails work, web sites work, so why spend money on it?
That actually works... until it doesn't.
Re: (Score:2)
Well it least it some guy named Bob, and not the Bosses nephew who knows HTML and PHP (unless the bosses nephew is named Bob)
But the problem with development has always been the fact making software is complex, long and expensive. If you are going to try to save money with your development it will become a problem a future, often being much more expensive then the money you saves initially.
I can get you a proof of concept program for nearly any type of requirement under a few weeks, but for heaven sake don
Re:Not just 5.6 (Score:5, Informative)
Just wondering if you or anyone else that blames this sysadmin has ever done tech support for small businesses or non profits. They aren't going to spend 10k redoing their websites that are currently working fine.
I can tell them they should do it all day and night and they will say "thank you for the info, but we have other priorities". So there is only so much a sysadmin can do. Charities do not have money. I assume NGO means charity in some respect. They are not proactive at all and generally know nothing about technology. You can make the director aware of the issue, but thats about it. Unless you want to be fixing it for free.
And yeah no one makes any documentation. That's the real world yo, not some kind of college course textbook fantasy where your knowledge evidently comes from. Charities often get things like web development done for free or extremely cheap. There is no budget to maintain the site and certainly not to hire a web developer for anything more than a small contract.
Re: (Score:1)
'Bob' wasn't the sysadmin, he was the developper who wrote the code for the websites and obviously in a way that makes upgrading to a nwer version hard.
And the sysadmin will have to take all the sites offline once the first one gets owned. And they won't be able to go back up until they are fixed. The 'we have other priorities' can really bite you in the ass, you know? If you can't afford it, don't have a website. Yes, that includes Charities.
As for documentation... I am expected to document things and I do
Re: (Score:1)
Remember that most of these customers have ever even heard of PHP or what it is supposed to be doing, and they care even less as they are not IT people.
We wouldn't accept that excuse from anyone else who handles dangerous tools. A public facing website comes with responsibilities. If they can't or don't want to deal with the security implications of running a PHP website, then they shouldn't be running a PHP website. I specifically recommend static websites (with embedded externally maintained active elements, if necessary) to people whom I do not expect to be able or willing to maintain an active website. You can't have a dog if you won't feed it and clea
Re: (Score:2)
Re: (Score:1)
Almost none of what you said is true. Red Hat provides several newer versions of PHP in the Software Collections repository; it's not a default repo, but it is certain not a "non-standard" repo as Red Hat absolutely provides support and on-going patches for it.
And running a web server on an app with known exploits in the wild means you are not running "fine", you are running only until some hacker or script kiddie notices your website and decides to see how much fun they can have with it.
As far as custome
Re: (Score:3)
Well, software collections can be a pain... A lot of things just aren't that effortless if you have to go that way.
However, even as upstream declares the end, redhat does continue to support the older language, backporting fixes and supporting it beyond what upstream commits to.
This is actually one of the big conundrums for RedHat. In order to have the resources to provide very long term support, they have to be relatively choosy about how much and how frequently they support upstream changes. As a resul
Re: (Score:1)
The code isn't "running fine" if it's a ticking time bomb any more than using a charcoal grill inside of an apartment is "fine" as long as the resident promises not to spill hot coals on the carpet.
Help your NGO customers find some volunteers at a local university if that's what it takes to get them to update their code. But ultimately, it's your space and you're going to have to assert your authority over it for your own good and for the good of everyone who uses that space.
Re: (Score:2)
Everything related to computers is a ticking time bomb. Hell, even Intel, AMD and others have security flaws in their fucking processors. And you expect people who write websites to be security experts?
Re: (Score:2)
Sometimes if they just put up a warning flag, that is enough to keep the resident aware of the issue.
Sometimes code that is considered "just a matter of time" never reaches such time. Because there is so much effort around avoiding it.
Re: (Score:2)
Here is the core of the problem that many organizations don't understand or appreciate-- building a web application is an ongoing process, not a one-time-deal. Of course it doesn't help that PHP is a frustrating language when debugging someone else's code.
Re: (Score:2)
Many of the vulnerabilities that have gone unpatched since 5.2 allow for remote code execution on the servers you're responsible for and perhaps sharing with different customers.
Re: (Score:3)
I hear people say things like that from time to time, but where are the real-world attacks? It seems like it is far more likely for people to get hit by vulnerabilities in PHP applications like Wordpress or Drupal than the language itself.
Re: (Score:2)
That might be so, but the danger remains. It's not a problem until it is.
Re: (Score:2)
I'm just suggesting it is not an actual danger. If there is no way to actually exploit it, and therefore no attacks, then it's not a danger. Conversely, if there was a vulnerability that allowed remote code execution in any web server running PHP 5.2, you can bet your ass it would be actively exploited (for the previous 12 years, no less). The lack of ongoing attacks of that nature would suggest that such a vulnerability does not exist, or at the minimum is not known.
In other words, it sounds like FUD.
Re: (Score:2)
Only because you don't know about them doesn't mean they do not exist. Have a look in here:
https://www.cvedetails.com/pro... [cvedetails.com]
For instance these in 2017 https://www.cvedetails.com/vul... [cvedetails.com]
The vast majority of these are for versions = 5.5, for obvious reasons as they've been EOL'd for years. Unless you're running some version of red hat that still patches their 5.4 installations, you're likely vulnerable to many of these.
Re: (Score:2)
I realize those are out there and known. I'm not talking about things that I don't personally know about, I'm talking about things that no one knows about.
What I am saying is that there is a lack of attacks against PHP itself. Just having PHP installed is not a security threat. Proof of this is the complete lack of attacks against any arbitrary server running the world's most popular server-side language by number of servers, as far as I'm aware. The CVEs I have looked at all require scripts using speci
Re: (Score:2)
If that let's you sleep better at night, sure. Stuff isn't hacked until it is.
Re: (Score:2)
Haha, well PHP CVEs certainly don't impact my sleep schedule. For example, I've never needed to use com_print_typeinfo, and it's not used in the framework that our application uses, and even if it did it probably wouldn't take user-supplied data as an argument, and even if it did our servers do not run Windows. So I don't need to worry about arbitrary code execution using this [nist.gov].
This is what I'm talking about. Yes, that vulnerability exists. But the vulnerability is not "run PHP and you're vulnerable to t
Explain That to Clients... (Score:5, Insightful)
Sure, let me just go back to the hundreds of small businesses we've built websites for over the past 10 years and tell them their sites need to be "simply rebuilt". I promise you that 95% of them will see no problem with leaving their PHP 5.6, 5.4, 5.2, etc... websites alone because "they still work fine". Why would they pay us money to rebuild them?
Maybe, but the site owners know how to use that admin interface, and getting them to that point was like pulling teeth. Now you want to train them on a brand new interface? Good luck.
I'm not saying this guy doesn't have some points, just that he doesn't seem to live in the real world.
Re: (Score:3)
Sure, let me just go back to the hundreds of small businesses we've built websites for over the past 10 years and tell them their sites need to be "simply rebuilt". I promise you that 95% of them will see no problem with leaving their PHP 5.6, 5.4, 5.2, etc... websites alone because "they still work fine". Why would they pay us money to rebuild them?
Maybe, but the site owners know how to use that admin interface, and getting them to that point was like pulling teeth. Now you want to train them on a brand new interface? Good luck.
I'm not saying this guy doesn't have some points, just that he doesn't seem to live in the real world.
We have some clients like that. What can you do? We just explain the risks, and if they want to take them, that's their look out. Some of them are even willing to spring for something like Sucuri firewall as a stopgap rather than upgrade anything.
Eventually the hosting company itself will force a PHP upgrade (and their site may or may not stop working, but it will be unplanned). Or they will get hacked first. Either way, it's on with the game face, try not to say "I told you so" (unless they try to blame i
Re: (Score:2)
Not much more you can do other than that tbh. Explain what they're exposing themselves to, and let them make a choice.
Sites in php 5 are easily migratable to 7.x, obviously the earlier the version the less "easily". The vast majority of 5.6 code should run on 7.x with no issues. They did a pretty good job at avoiding big bc breaks.
Re: (Score:2)
Well you should had insisted on some sort of support contract. Software is never done, and if they didn't pay for support, and the prereqs become volnerable. Then it is up to the customer who cheeped out.
Re: (Score:1)
Software is never done...
If something's never done, how do you expect to get paid? That's the whole point. Most websites that are not SaaS plugs are produced as works for hire. When they are complete you get paid. Sure, you can talk about ongoing support and maintenance after that, but you're generally free and licensed to walk off with it at that point, which many do. How software works in the real world.
Re: (Score:2)
I'm not saying this guy doesn't have some points, just that he doesn't seem to live in the real world.
I am reminded of a saying that goes something like this: In theory, theory and reality match. In reality, they don't.
We're not Microsoft (Score:2)
Re: (Score:2)
And who do you propose do the work to support said software? The PHP folk 'only' support the last three major versions. Which will be 7.1, 7.2, and 7.3 come December. Support for 5.6 had already been extended for an extra year.
favor evolution over revolution! (Score:3)
Re: (Score:2)
Frameworks, languages should always provide a clear migration path and never jump major versions. Python, Zope, PHP, and many more learned that lesson in a hard way.
PHP has been deprecating things and giving warnings for years.
Re: (Score:2)
Re: (Score:2)
Support charge the answer? (Score:1)
Vendors (Score:2)
When your cloud provider only provides images for OS's that are two years or more out of date, and your OS vendor only provides packages for 4 year old versions of software, this is what happens.
It's even worse
azure and AWS need console so you can boot iso's (Score:2)
azure and AWS need console so you can boot iso's and other stuff like ESXI / QEMU / etc.
well then (Score:2)
We've been upgrading sites to PHP 7+ for awhile now.
Haven't been too many issues, as long as the CMS is reasonably up to date. When issues do arise, it's usually some old theme/template with too much functionality stuffed into it, or some obscure CMS plugin/addon.
The only constant is change itself, and all that ... hasn't been a huge deal.
Coding time BOMBs! (Score:2)
Version [Insert Version] of [Insert Coding Language Here] is a ticking time BOMB! Support for critical patches ends on [Insert Date Here] leaving customers with buggy and unpatched software which will be exploitable.
------
There, that should work as a template. Seriously, all software that is not actively maintained is at risk (and honestly all software being maintained has a certain level of risk to it as well). If I remember correctly you have reached the end of the software life cycle when there are no
error_reporting (Score:1)
Re:error_reporting (Score:5, Interesting)
That's true, unless the code uses the (LONG deprecated) mysql_* functions. Though even that is actually trivial to fix, since PHP7 supports built-in function overloading, and since good code will abstract database calls anyway, even switching to one of the newer DB methods should be pretty straightforward.
I maintain code that was actually written for PHP3/4. Migrating to PHP5 was frustrating, mostly because some of the the breaking changes involved REALLY basic stuff (they broke array indexing!), and weren't rolled out with the first version of PHP5, but came out in dribs and drabs in the point releases. Migrating to PHP7 is really not that bad by comparison, and PHP7 fixes most of the really bad warts in the language.
Granted this code was originally written almost exclusively by me, and I was/am a Perl/C programmer so the code looks more like C-style Perl than most PHP code.
PHP3 was *nasty* and I went into the project kicking and screaming, but I was part of a team that outvoted me. I wanted to write the thing in Perl. Almost 20 years later, the code still works, is maintainable/customizable, and the language itself is much less nasty than it was then.
Re: (Score:2)
I hope you're not seriously suggesting that ignoring errors is a solution.
Perl vs PHP! (Score:2)
I like the line about wanting to write in Perl because it is more elegant than PHP. Pot calling kettle black!
I use some PHP for my small site. Because it is there. Installed, ready to go on my basic hosting provider. Sure it is ugly. But not nearly as ugly as Java or .Net to configure for small sites.
And yes, I guard against SQL injection and Html injection.
redhat / centos needs up the version numbers (Score:2)
redhat / centos needs up the version numbers. The backpacking is ok but why not up them when they do 7.2 7.3 7.4 7.5 etc.
Happy to no longer care about PHP. (Score:1)
Python fight! [Re:Happy to no longer care about (Score:1)
Many keep saying Python is a notably better language than PHP, but most the time one is just calling API's and frameworks. One is not typically dealing heavily with core language aspects anyhow for run-of-the-mill CRUD and commerce apps. Or am I missing something? Thus a "better" core language doesn't mean much in practice. Other factors overshadow the difference.
Plus, PHP comes with more web-oriented libraries and features, because Python is designed to be a "general purpose" language, not a web language.
Re: (Score:2)
Many keep saying Python is a notably better language than PHP, but most the time one is just calling API's and frameworks. One is not typically dealing heavily with core language aspects anyhow for run-of-the-mill CRUD and commerce apps. Or am I missing something? Thus a "better" core language doesn't mean much in practice. Other factors overshadow the difference.
That would be a good point, except that a lot of the libraries of PHP are just as terribly designed as the core language. Especially the standard library of PHP is like an all-you-can-eat buffet of assorted bad practices. If you look at the famous article on just how bad PHP is (https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/) there's a whole section on just how awful the standard library is.
Plus, PHP comes with more web-oriented libraries and features, because Python is designed to be a "general purpose" language, not a web language. You can attach libraries to get Python more webby, but that often creates more dependencies than using the built in ones.
I'm not sure what being "webby" even means. Yes, you'll probably end up using some libraries outside of t
Re: (Score:1)
Re "fractally bad", all languages and non-trivial libraries have screwy annoyances, and sometimes bugs. You learn what they are and work around them.
No consequences at all (Score:2)
Unless the interpreter expires!
backware incompatible changes (Score:2)
Numbers could be betters if there were no backward incompatible change. Take the mysql module for instance, it would not have been difficult to provide it as a compatibility layer on top of mysqli. Same for apc and apcu.
Of course code can be migrated, but anything that increase the difficulty makes it more likely that an upgrade will not happen.
Re: (Score:2)
Piss off with your spam, Chuck.