!! Attention PHP Users and Developers !!

[xwisdom]

Hi,

What about windows plans? Will this change also affect windows servers?

__
xWisdom

[djlightning]

Quote:

Originally Posted by ixie02

A little off the subject, but is their something we can scan for in the code to make sure that apps we are considering using/installing or are using don't require that 'allow_url_fopen' be enabled?

If using Dreamweaver you can search for it Using the Find (CTRL + F) function.
If you have shell access on a Linux/Unix Server you can use GREP to find it. Read the GREP MAN Pages on how to do that.

On a side note.... an advance warning about this would have been nice to save face with customers.

[djlightning]

Found this little script, may help for a quick find.

Code:

<html>
<head><title>Site Grep Search-engine</title></head>
<body>
<p>
<form action="<?=$PHP_SELF;?>" method="post">
<input type="text" name="searchstr" value="<?php echo "$searchstr"; ?>" size="20" maxlength="30"/>
<input type="submit" value="Search!"/>
</form>
</p>
<?php
if ( ! empty( $searchstr ) ) {
// empty() is used to check if we've any search string
// if we do, call grep and display the results.
echo "<hr/>\n";
// call grep with case-insensitive search mode on all files
$cmdstr = "grep -i $searchstr *";
$fp = popen( $cmdstr, "r" ); // open the output of command as a pipe
$myresult = array(); // to hold my search results
while( $buffer = fgetss ( $fp, 4096 ) ) {
// grep returns in the format
// filename: line
// So, we use split() to split the data
list( $fname, $fline ) = split( ":", $buffer, 2 );
// we take only the first hit per file
if ( !defined( $myresult[$fname] ) )
$myresult[$fname] = $fline;
}
// we have results in a hash. lets walk through it & print it
if ( count( $myresult ) ) {
echo "<ol>\n";
while( list( $fname, $fline ) = each( $myresult ) )
echo "<li><a href=\"$fname\">$fname</a> : $fline </li>\n";
echo "</ol>\n";
} else {
// no hits
echo "Sorry. Search on <strong>$searchstr</strong>returned no results.<br/>\n";
}
pclose( $fp );
}
?>
</body>
</html>

[admin]

This change is unix only...

[mresell]

Yeah this sucks, but if it is that big a security problem...it needs immediate attention. In this case there are options. The SSH access being turned off with no options really was much worse. It is a security issue in the changing internet...all of which get more important everyday. Play up the immediate response to security issues as a plus. As a reseller you didn't create the security problem, but you can sure be proactive about it.

[Ram_Argid]

I support this change. I too would have liked a little more notice, but hey when you're being nailed you gotta do something. I guarantee you all would be screaming MUCH louder if your sites had been defaced by some miscreant.

Quote:

Originally Posted by admin

Might want to take that up with php, we did not make php and can't control how functions suchs as fopen work other than the options they give us. They offer us NO options to secure it.

It has been. How about upgrading to PHP 5. I know there are some issues with it, but you may want to consider bringing it up on a box and start integrating it for those who want to use it.

I for one would love to start developing for it on a couple projects right now and I intend to continue with Vortech for as long as I can see at this point.

[admin]

I think we will wait a bit longer for php5 but we have been testing it.

It still has some issues, we int he works for a new way for a bit more secure php as well on the unix side.

[daverozelle]

Quote:

Originally Posted by sheptech

FYI I had concerns about this affecting the downloads plugin of e107 - so far it does not as near as I can tell.

In case anyone cares, 3rd party apps I'm using that survive the change are:
e107 v0.616, v0.617 (includes core newsfeeds, downloads)
e107 plugins: Coppermine (current ver)
ZenCart v1.1.4d (oops!, need to update)

still looking into e107 plugin SimpleCart
fyi I don't use electronic delivery for anything in the carts.

I have been using e107 for years on a few sites. Everything I have is still up and running except the custom XML feed pages I had built. I will have to totally recode them now. Unfotunately for me, those handful of pages are the core product I provided and why I have those sites at all.

[ngcomputing]

Why not allow url fopens only above the document root? I really only use the function in conjunction (no pun intended) with a cron tab to fetch raw data from other sites in order to parse and merge data into a new html output file.

An example of what I do with this is fetch the doppler radar page from weather.com then fetch the 10 day outlook page from weather.com and merge them into a single output file. (of course, I do keep the weather.com logo and link back to their site - to respect legal issues using the content according to their EULA).

---

ngcomputing

[ngcomputing]

Rather than dealing with the hassle of curl and a work around, I figure it would be just easier to set up one of those "host your site for free accounts", use a remote fopen to pull the data from there, then have a cron to push the data over to a folder on your hsphere server.

[ngcomputing]

Quote:

Originally Posted by daverozelle

I have been using e107 for years on a few sites. Everything I have is still up and running except the custom XML feed pages I had built. I will have to totally recode them now. Unfotunately for me, those handful of pages are the core product I provided and why I have those sites at all.

Just thank God for OOP in PHP, this is where good planning can let you just redefine the class to fix an issue like this in a snap. (well almost)