[vox-tech] Risks of upgrading past CentOS 6 supported PHP 5.4?

Rick Moen rick at linuxmafia.com
Thu Jun 2 07:02:36 PDT 2016


Quoting Dr. Larry Ozeran (lozeran at clinicalinformatics.com):

> Since we are serving data that can change every few minutes, we
> can't move to static pages. Since we are providing that data to
> users from multiple originating sources, we pretty much have to be
> internet-facing. We have put security procedures in place, but I
> know that security is more an ongoing process than an endpoint and
> there is always more that will need to be done. If there is a better
> way to meet the needs of users other than MySQL+PHP, I am always
> open to new ideas.

Meaning no criticism, I notice in looking upthread
(http://lists.lugod.org/pipermail/vox-tech/2016-May/017013.html) that 
you mention only that your use-case involves PHP-served pages, but not
what drives that particular choice of software.

Sometimes, a local site uses PHP because it runs developed software
resting on the PHP interpreter, e.g. Wordpress, MediaWiki, etc.  
Other times, that choice resulted from 'Data for each page must be
pulled on a per-visit basis from MySQL, therefore some HTTP-invoked
process must do a SQL query and assemble page contents and we happened
to use PHP to do that because our Web guy knew how to do that.'  And
I'm sure there are other scenarios -- but dynamic is not synonymous with
PHP in any event.

Irrespective of how you arrived at that choice, obviously you would not
lightly decide to rearchitect.

A number of guides to tightening PHP security to reduce risk exist and
may be useful.  My own modest effort, last updated when PHP5 was new, is
here:  'PHP Security' on http://linuxmafia.com/kb/Web/ .


