Support Newer PHP Versions


velaware


Yes, you MUST overwrite these files when upgrading. Every single time.

 

Also, to clarify, the hotfix can be applied to PHP 5.4 or PHP 5.5. The standard distribution will work from PHP 5.1-5.4, so it's not necessary to apply the hotfix to PHP 5.4, but you can. Also, there are 3 files, not 2 that are encoded. If you are only seeing 2, you may be looking at a patch where there was no change. Every major or minor release will have all 3 of the files.

 

 

For the HotFix, why don't you do a function that checks for the PHP version or the ionCube echo error, and if it detects the error or PHP version 5.5+, it auto-renames or moves the patch files? This way you don't have to include extra instructions to install/upgrade Blesta to support PHP 5.5 :)

Link to comment
Share on other sites

This can cause problems when a client downgrades PHP... but I prefer the idea of making two classes in loader/models/licence (php), one for normal and the other for PHP 5.5; it is like silent work.

Link to comment
Share on other sites

Blesta is a billing platform, not something installed in a shared hosting environment, so +1 for PHP 5.6 support next year. 5.3 is EOL already and much slower than 5.6 which brought many security enhancements.

 

Also, HHVM compatibility would be great :)

Exactly, that was also my point about the Blesta hosting environment, but nothing stops you or anyone else from using 5.4 or 5.5 right now; for 5.5 just use the hotfix file. They talked about the minimal PHP version supported by Blesta.

Link to comment
Share on other sites

But if they set the minimum at 5.3, then they can't use all the new security settings without adding backward compatible functions.
Link to comment
Share on other sites

To be fair Blesta, from what I can gather, doesn't use stream wrappers anyways, thus the dependency on cURL on install.  So, they won't benefit any from that regardless.

True, and the fact that they use a crypto lib means that we should get the new mcrypt settings and they don't have to write the backward compatibility code.
Link to comment
Share on other sites

  • 2 weeks later...

Regarding dropping support for PHP < 5.3. I have been for this since 3.0.0-a1 back in November 2012. The problem was at that time, more than 60% of all servers were still running 5.2 or lower.

Today, sadly, there are still 25% of servers running PHP 5.2 or lower.

 

Why have people been so slow to adopt PHP 5.3? Well, I suspect it has something to do with the fact that RHEL and CentOS are so incredibly slow to adopt new packages, coupled with the fact that most hosts don't keep servers up to date.

 

In an ideal world, everyone would be running the latest version of PHP (5.6 today), but that's just not reality, and for us to shut off support for 5.2 and lower prematurely would hurt a lot of people. We always recommend installing Blesta using separation of concerns (1 server/VPS per role = minimum 3 servers/VPS [1 DB, 1 web, 1 mail]), but reality is there are tons of people that have Blesta installed in a shared environment.

 

As Paul said, we'll be making 5.3 the minimum soon, as we now feel comfortable with the statistical usage of 5.3+.

Link to comment
Share on other sites

CloudLinux/BetterLinux/Interworx help with this problem, because we can choose what version of PHP to use without affecting the whole server :)

I don't think shutting down 5.2 will hurt, and this way you can move forward like the other billing competitors. (You know what I'm talking about, the "other" that will require, in its next release, PHP 5.3.7 minimum and MySQL 5.1.)

I can also say, only Blesta uses a minimum < PHP 5.3; all others are using >= PHP 5.3, so Blesta cannot stay this way ;)

Link to comment
Share on other sites

Do you have statistics for Blesta users? I assume you collect them via the license revalidation but if not then maybe you should. I suspect there would be a lot less Blesta servers running 5.2 or lower compared to other servers. Also a lot of the users on older PHP versions probably haven't upgraded just because their version was still supported. If you force them to upgrade I don't think many users would have problems.

Link to comment
Share on other sites

Stats on existing users don't necessarily correlate to potential customers, which is obviously the biggest concern when operating a business.

 

To take an extreme look at it, we could make PHP 5.6 the minimum, and yes some people would be fine, others could upgrade, but we would receive almost 0 new business.

 

 

Just require a minimum, like PHP 5.3.X for now, and next year change to minimum 5.4.X etc. I think this way you will get positive feedback :)

The problem is PHP 5.1.X is more insecure than > 5.2.x etc.

For me personally, it doesn't hurt to use PHP 5.1.x as the minimum, but for more technical cases, using such an outdated minimum version will be a decision maker :)

People want security first these days, so they don't mind using a separate VPS or server to install the minimum required PHP version to install Blesta.

If I were to buy Blesta today, and Blesta told me that it needs PHP 5.6 minimum, I'd prepare a server or VPS or hosting account with the minimum of PHP 5.6 because it is more secure.

Just post in Blesta's features and advantages that the requirement of using PHP 5.x.x is because it is more secure than others.

Just for fun: make a video on billingbrawl.com comparing PHP minimum requirements. Who will win this time? :P Think about it :D

Link to comment
Share on other sites

1 out of thousands; the thing is, not everyone wants to upgrade. I've upgraded MySQL & InnoDB default (should be stabler) before and had more issues than I can think of. So I wouldn't use that if it was the last on earth until I was sure, and 10000% sure, it was fine.

Link to comment
Share on other sites

I'm talking about PHP and not MySQL; MySQL is another story, a bit more complicated because of character map storing :)

Also, using Interworx you can change the PHP version in one click, on the fly, without breaking anything ;)

Link to comment
Share on other sites

What's the difference between MySQL and PHP? They both are languages which can be insecure at any time, and you can if you use CloudLinux PHP Selector, but hey, I don't :)

Link to comment
Share on other sites

Think this way:

1º - Who uses a sophisticated automated billing system like Blesta?

Re: IT managers, hosting companies, data centers.

2º - Who the hell in point 1º doesn't want to use a stable, up-to-date PHP and/or MySQL version, even if they don't use CloudLinux, Interworx or other?

Re: No one; only non-professional businesses or kiddies that don't know how to really manage a hosting business want that.

There is no reason that you can give me to convince me to use an outdated PHP and/or MySQL version ;) We do professional business, don't you? :)

Everything is insecure, I repeat, everything, even the latest PHP 5.6 or latest MySQL, but if you use the 

A person that buys Blesta is a person concerned with client data, so they have to use security to prevent future problems :)

I'm not telling you this for you to get me wrong, just to make a point :P

Link to comment
Share on other sites

Right, and who uses CentOS, Ubuntu etc. and what happens... BASH security... now were you using the latest one? I bet you were... now tell me everything is secure with the latest stuff... not everyone wants to use the newest PHP or MySQL. Not everyone wants to jump head first in the deep end. Look at all the WHM** fans out there using insecure software, and they are all webhosts and professionals too. And even some of them don't jump head first to the newest *Secure* version.

Link to comment
Share on other sites

Think this way:

1º - Who uses a sophisticated automated billing system like Blesta?

Re: IT managers, hosting companies, data centers.

2º - Who the hell in point 1º doesn't want to use a stable, up-to-date PHP and/or MySQL version, even if they don't use CloudLinux, Interworx or other?

Re: No one; only non-professional businesses or kiddies that don't know how to really manage a hosting business want that.

There is no reason that you can give me to convince me to use an outdated PHP and/or MySQL version ;) We do professional business, don't you? :)

Everything is insecure, I repeat, everything, even the latest PHP 5.6 or latest MySQL, but if you use the 

A person that buys Blesta is a person concerned with client data, so they have to use security to prevent future problems :)

I'm not telling you this for you to get me wrong, just to make a point :P

Completely agree, that was my point earlier, but I understand Blesta wanting to reach a maximum number of potential customers and at the end of the day, it's more about secure coding practices.

 

Right, and who uses CentOS, Ubuntu etc. and what happens... BASH security... now were you using the latest one? I bet you were... now tell me everything is secure with the latest stuff... not everyone wants to use the newest PHP or MySQL. Not everyone wants to jump head first in the deep end. Look at all the WHM** fans out there using insecure software, and they are all webhosts and professionals too. And even some of them don't jump head first to the newest *Secure* version.

 

It's all about reducing your attack surface and indeed, upgrading to PHP 5.6 days after its release is nonsense. It requires more testing, debugging, etc.

Imagine that you have to write twice as much code or rely on twice the libraries because older versions have problems. It's a lot more code to audit. 

Link to comment
Share on other sites

The thing is not everyone wants to jump to the newest stuff. 5.4 yes, 5.5 no, 5.6 no. When 5.4 is getting near end of life sure, 5.5 but there's no point forcing everyone to be sheep and server stuff is not always secure. We've had HeartBleed, Bash exploits, what's next?

Link to comment
Share on other sites

That's exactly PHP's problem (and Microsoft's too) :D

Link to comment
Share on other sites

Everyone *should* keep their software updated and a lot of hosting companies do make the effort. Still, there are many smaller hosting companies that don't. Much of the market consists of smaller hosting providers that have reseller accounts from larger hosting providers. Fortunately, the majority of them are now running PHP 5.3+, hence the pending minimum requirements bump. :)

Link to comment
Share on other sites

@ Licensecart:

Trying to rephrase it again to make "the point" :D

Anyone that installs Blesta has the professional obligation to use a separate VPS or dedicated server or isolated hosting environment to be able to secure data and use the latest stable PHP and MySQL and other security measures. (When I talk about latest stable, I'm not talking about PHP 5.5 or PHP 5.6, but at the minimum PHP 5.3, and not PHP 5.1 or PHP 5.2, which are very insecure compared with the new ones.)

Or are you trying to say that you have Blesta installed on a non-VPS, non-dedicated server or non-isolated environment where you can't install/activate the latest stable PHP and MySQL?

Blesta or any other billing system has to be isolated from the rest of the business or the data is more insecure, and it is our responsibility to have it secured enough :)

For example, if you have a main website and Blesta, and the main website is, for example, a popular CMS (WordPress, Joomla, other), and the CMS doesn't work correctly on PHP >= 5.3, then you have to update your CMS or at least put the CMS in another environment so that Blesta can be installed with the minimum PHP requirements.

@Paul, @Tyson, @Cody:

Please update the minimum PHP requirement (PHP >= 5.3) or the competitors and jealous clients will use that argument to attack Blesta security.

Blesta is known to be the most clean, secure, and stable; we have to continue to fight to be the best of the best and not lose any reputation :P

It's just my opinion ;)

Link to comment
Share on other sites

Yes they have a choice if they want to, but why should you FORCE them to do it? Why should anyone tell you that you have to do something? Why should Blesta be the law of how people want to run their own business? You have to have the latest PHP because hey you should be using the latest technology... How many people do you think Blesta would lose if they did that?

Link to comment
Share on other sites

For the same reasons there are rules like PCI-DSS, FIPS and many more for some regulated industries, but we haven't reached the point where collecting customer data is deemed a major responsibility. In the UK though, you get fined if you leak data, so better be safe than sorry. I've seen so many companies leak personal information, simply because they think the script they've found on an abandoned forum used on that cheap host is good enough to run their business. As always with security though, you have to look at the big picture, and the environment is one of the components.

Link to comment
Share on other sites
