[vox-tech] Risks of upgrading past CentOS 6 supported PHP 5.4?

Dr. Larry Ozeran lozeran at clinicalinformatics.com
Thu Jun 2 05:39:24 PDT 2016 

Thanks Rick. Good information is always appreciated.

Since we are serving data that can change every few minutes, we can't 
move to static pages. Since we are providing that data to users from 
multiple originating sources, we pretty much have to be internet-facing. 
We have put security procedures in place, but I know that security is 
more an ongoing process than an endpoint and there is always more that 
will need to be done. If there is a better way to meet the needs of 
users other than MySQL+PHP, I am always open to new ideas.

Thanks,

Dr. Larry Ozeran
President, Clinical Informatics, Inc.
(530) 671-9244

On 6/2/2016 00:41, Rick Moen wrote:
> Quoting Bill Broadley (bill at broadley.org):
>
>>> Does anyone know any downsides to using the webtatic PHP packages on
>>> CentOS 6?
>> I've seen many machines with ugly configurations related to cpanel,
>> custom php installs (sometimes more than one), and fragile very hard
>> to reproduce apache configurations.
>>
>> Although I guess I shouldn't complain, they get hacked and I get consulting.
> (Sadly, this won't answer Dr. Ozeran's question, either:)
>
> I've lately come to the conclusion, from many years as a Linux server
> admin, that PHP is tolerable on a Unix machine _provided_ it isn't ever
> exposed to public networks, because the ongoing security nightmare is
> otherwise not justifiable.  I mean, yes if management is paying you to
> do it and the money's good, but if you're the boss, say 'Hell no.'
>
> So, e.g., every Web page on my linuxmafia.com server that used to be
> dymanically assembled by the PHP interpreter at Apache page-load time
> are (more recently) instead built on-disk in advance using automake or a
> cron script.  Fortunately, none of those pages needed to _actually_ be
> dynamic; it was just coder laziness that chose that implementation.
>
> For example, the coder who helped me convert BALE
> (http://linuxmafia.com/bale/) from its original mid-1990s static HTML
> incarnation to PHP + MySQL set it up so every page load assembles the
> page anew, from several PHP fragments plus the results of a MySQL query
> (furnishing the events rows).  When I realised the underlying reality of
> this being static data changing only once on the 1st of each month, I
> converted it into a static HTML page generated by a cron job in
> /etc/cron.monthly/ , and then Apache serves up just that static file.
>
> Whole huge categories of security threat have completely away for good,
> when I ditched runtime PHP.
>
> If I had any Web applications that actually relied on the PHP
> interpreter at load time, I'd try really hard to ditch them.  It really
> is IMO that bad.
>
> And I say that because, so to speak, Ranum is my guru:
> http://www.ranum.com/security/computer_security/editorials/master-tzu/
>
> That having been said:  Dr. Ozeran, I know of nothing against the
> Webtatic repo's PHP packages.  It seems like a competent external repo
> for CentOS/RHEL, though I have no relevant experience.  Hope that helps!
>
>
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

More information about the vox-tech mailing list