[vox-tech] Risks of upgrading past CentOS 6 supported PHP 5.4?

Dr. Larry Ozeran lozeran at clinicalinformatics.com
Thu Jun 2 17:42:57 PDT 2016


Rick, thanks again for your insights.

You are, of course, correct that we would not redesign our software 
without a significant and deep assessment of benefits and costs (money, 
time, resources, etc.). Most of the PHP, MySQL, and related code has 
been developed in house. I probably coded 10-15% myself. The intent of 
my comment was simply to indicate that we do not blindly accept that 
there is no better option than what we are doing. If there are strong 
arguments to support considering making a switch, I would not exclude 
that possibility without reviewing the pros and cons simply because we 
have a large legacy investment. I consider your response (below) to fall 
into the 'cons' (to switching) category and will definitely compare your 
PHP security recommendations against what we currently are and are not 
doing.

Thanks,

Dr. Larry Ozeran
President, Clinical Informatics, Inc.
(530) 671-9244

On 6/2/2016 07:02, Rick Moen wrote:
> Quoting Dr. Larry Ozeran (lozeran at clinicalinformatics.com):
>
>> Since we are serving data that can change every few minutes, we
>> can't move to static pages. Since we are providing that data to
>> users from multiple originating sources, we pretty much have to be
>> internet-facing. We have put security procedures in place, but I
>> know that security is more an ongoing process than an endpoint and
>> there is always more that will need to be done. If there is a better
>> way to meet the needs of users other than MySQL+PHP, I am always
>> open to new ideas.
> Meaning no criticism, I notice in looking upthread
> (http://lists.lugod.org/pipermail/vox-tech/2016-May/017013.html) that
> you mention only that your use-case involves PHP-served pages, but not
> what drives that particular choice of software.
>
> Sometimes, a local site uses PHP because it runs developed software
> resting on the PHP interpreter, e.g. Wordpress, MediaWiki, etc.
> Other times, that choice resulted from 'Data for each page must be
> pulled on a per-visit basis from MySQL, therefore some HTTP-invoked
> process must do a SQL query and assemble page contents and we happened
> to use PHP to do that because our Web guy knew how to do that.'  And
> I'm sure there are other scenarios -- but dynamic is not synonymous with
> PHP in any event.
>
> Irrespective of how you arrived at that choice, obviously you would not
> lightly decide to rearchitect.
>
> A number of guides to tightening PHP security to reduce risk exist and
> may be useful.  My own modest effort, last updated when PHP5 was new, is
> here:  'PHP Security' on http://linuxmafia.com/kb/Web/ .
>
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
