Make your PHP scripts ready for PHP 5

Our departmental file server will soon be upgraded from PHP 4 to PHP 5.  Along with this chance, we are also changing several PHP configuration options.  This is mainly being done to increase the security of our servers and are in accordance with current recommended defaults.

To prepare for these changes, this document will guide you through the most likely changes that will need to be made to your code.  If you are using a third-party PHP application, it's highly recommended that you get the latest version from the vendor.  This will hopefully be all you need to do.  If you've written the application yourself or the application is no longer maintained, read on.

For a list of PHP 5-specific incompatibilities, please refer to this website:

http://www.php.net/manual/en/migration5.incompatible.php

Configuration Changes:

1. Short Open Tags: In early versions of PHP, you could start the PHP engine using the code "<?". It was short and sweet. However, this can cause problems with XML which uses the same symbol combination. You should now be using "<?php".
   
   // This will no longer work <? ?> // This is a short-hand echo statement that will no longer work with short open // tags turned off <?=$message ?> // This is the correct syntax <?php ?> // For echos <?php echo $message; ?>
2. Registered Globals: In the first versions of PHP, it was considered a convenience to have POST and GET variables get automatically registered as a local variable.  But it has become a big security risk as you don't know where that variable was originally set.  The following sample illustrates the problem and shows the correct way to handle external variables.
   
   // This is an example of why having register_globals turned on is bad // define $authorized = true only if user is authenticated if (authenticated_user()) { $authorized = true; } // Because we didn't first initialize $authorized as false, this might be // defined through register_globals, like from GET auth.php?authorized=1 // So, anyone can be seen as authenticated! if ($authorized) { include "/highly/sensitive/data.php"; } // With register_globals turned off, $authorized can't be set with a POST // or GET request
   
   This is how to properly use POST and GET variables:
   
   // Suppose a GET search.php?query=blah // This will no longer work if ($query) { // Do your query } // Instead, use $_GET. $_GET, $_POST, $_SESSION, $_SERVER, $_ENV and $_REQUEST are // 'super-globals' and are available everywhere (including functions and classes). // $_REQUEST contains the contents of $_GET, $_POST and $_COOKIE. if (isset($_GET['query']) AND $_GET['query']) { // Do your query } // It also affects some commonly used system variables // $DOCUMENT_ROOT is now $_SERVER['DOCUMENT_ROOT'] // $PHP_SELF is now $_SERVER['PHP_SELF']
3. Registered Long Arrays: Related to registered globals, registered long arrays was a way to access POST and GET information. The variables were $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, etc. You'll now need you use the 'super-globals' referenced above.
   
   // This will no longer work echo $HTTP_POST_VARS['username']; // Use this instead echo $_POST['username'];
4. Sessions using session_register: session_register does not work with register_globals turned off. To create and use session variables, you should be using $_SESSION.
   // An example of using session_register that no longer will work $username = 'myuser'; session_register('username'); // Instead, use $_SESSION $_SESSION['username'] = 'myuser'; // or this if $username is needed elsewhere in the script $username = 'myuser'; $_SESSION['username'] = $username
5. Allow URL fopen: A while back we were forced to disable allow_url_fopen for security concerns. Besides allowing fopen to access remote files, it also allowed require() and include() to access remote files. With PHP5, they have separated the settings for fopen() and require(). So fopen will be able to access remote files again.
6. Use Trans-SID: This setting allows session management by adding a string to the URL. This is a security risk as that session id could be passed by email. We are changing to the default of disabled, so it will no longer be available.

Finding Problems on Your Site

There are some steps you can take to test your site before we convert to PHP 5. All of the changes outlines on this page can be made now and will work with both PHP 4 and PHP 5.

To help identify potential problems, here are some commands you can run. These must be run from a unix shell (using ssh) from the base of your web directory and they return the names of the files that might need fixed.

To find files using registered long arrays:
find . \( -name "*.php" -o -name "*.inc" \) -print0 | xargs -0 egrep -l "HTTP_(.*)_VARS"

To find files using short open tags:
find . \( -name "*.php" -o -name "*.inc" \) -print0 | xargs -0 grep -il "<?[^px]"

To find files using session_register:
find . \( -name "*.php" -o -name "*.inc" \) -print0 | xargs -0 grep -il "session_register"

Testing Your Site

You can actually view your site using PHP 5 by making a small change to your local computer. It will make your computer connect to the new server when you go to the URL of your website.

To test, you can edit your hosts file and add the IP address of the new server (128.193.40.35) for each host you want to test:

On linux and mac (and solaris, etc), the file is /etc/hosts.
On Windows, it's c:\windows\system32\drivers\etc\hosts

Add this line to the file for each web host you want to test. If you wanted to test the website engr.oregonstate.edu, you'd use this:

128.193.40.35    engr.oregonstate.edu

You shouldn't need to restart the machine, but you may need to restart your web browser

Related Articles:

Setup a personal wiki
Use SQLite with PHP
Using .htaccess
Use PHP In your ENGR web pages

Article Information:

Date Created: Jun 05, 2008
Last Modified: Sun, Jun 22, 2008 9:49 PM
Views: 291