Grove

Grove Now Uses PHP5

As you may know, The PHP Group discontinued support for PHP4 on the 31st of December, 2007. Bugfixes, and in particular security bugfixes, will no longer be produced.

There was already an attempt underway to upgrade the old grove system from PHP4 to PHP5. Plans included making a smooth migration path available, but circumstances have forced us to move faster than that. Accordingly, on the new grove, only PHP5 is available.

Converting Your Website

For those who downloaded packages based on PHP4, the simplest course is probably to download a more recent version of the same package.

For those who are coding their own PHP, The PHP Group has some information, including a migration guide. This guide will warn you that MySQL support has been moved to a module. That module is included in the PHP build on the new grove.

On the new grove, mod_php processes cannot write into users' home directories. If you want your visitors to upload content, you will need to use a database.

Compiled-in Modules on the New Grove

To see a list of all the compiled-in modules, ssh to ssh.grove.ufl.edu and type php -m at the command prompt.

Security Tips

Never Trust User Input

Every day, we see attempted attacks on grove web sites. Many of those are injection attacks on PHP pages. You must assume that some of the visitors to your site will attempt to subvert it.

Anything in $_COOKIE, $_ENV, $_GET, $_POST or the like has to be sanitized. If you have a fixed list of valid values for a variable, you can just compare what the user supplied against that list. For arbitrary input, think about what characters are legitimate and only allow those. For instance, if you only want alphanumerics (A-Z, a-z, 0-9) in $page, you can write

This compares each character against the set of alphanumerics. Anything not in that set is squeezed out.
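The two approaches described above, as an added example that is not from the original Grove page: a strict comparison against a fixed list of valid values, and a character whitelist for arbitrary input. The parameter name $page is taken from the text; the list of sort keys, the helper names and the sample request values are constructed for illustration.

```php
<?php
// Added example (not from the original Grove page). The whitelist below and the
// sample request values are constructed for illustration.

// 1. Fixed list of valid values: accept the input only if it is exactly one of them.
function pick_sort($input, array $allowed) {
    // Strict comparison (third argument true) so that values such as 0, "" or
    // true cannot match a list entry through PHP's loose comparison rules.
    if (is_string($input) && in_array($input, $allowed, true)) {
        return $input;
    }
    return $allowed[0];  // fall back to a known-good default
}

// 2. Arbitrary input: keep only the characters you explicitly allow.
//    Everything outside A-Z, a-z, 0-9 is squeezed out.
function only_alnum($input) {
    return preg_replace('/[^A-Za-z0-9]/', '', (string) $input);
}

// 3. Stricter variant: reject instead of repairing, so a tampered value never
//    silently turns into a different, valid-looking one.
function require_alnum($input) {
    if (is_string($input) && $input !== '' && ctype_alnum($input)) {
        return $input;
    }
    return null;
}

$allowed_sort = array('date', 'title', 'author');

// Constructed sample input standing in for $_GET.
$fake_get = array(
    'sort' => "title'; DROP TABLE posts; --",
    'page' => '../../etc/passwd',
);

$sort = pick_sort($fake_get['sort'], $allowed_sort);
$page = only_alnum($fake_get['page']);
$strict_page = require_alnum($fake_get['page']);

echo "sort: ", $sort, "\n";
echo "page (filtered): ", $page, "\n";
echo "page (strict): ", ($strict_page === null ? 'rejected' : $strict_page), "\n";
```

Filtering (only_alnum) is what the text describes; rejecting (require_alnum) is often the better choice for values that are looked up by name, such as a page or file identifier, because a visitor who sends a malformed value gets an error rather than a quietly altered one.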

Don't Output HTML That You Haven't Generated Yourself

If your site allows user postings in which users can type in tags like <b> for emphasis, they can probably also type in tags like <script type="text/javascript"> and launch a cross-site scripting (XSS) attack. PHP includes several quoting and escaping functions. One of them is htmlentities().

Assume you have a variable, $text, that cannot be proven to be free of HTML markup, but needs to be displayed safely. Directly outputting that variable would cause the browser to execute whatever markup is in it (dangerous). The following will cause the browser to merely display it instead (safer):
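An added example, not code from the original Grove page, of escaping $text with htmlentities() before it reaches the browser. The helper name h() and the sample posting are constructed for illustration; the ENT_QUOTES flag and the charset argument are standard htmlentities() parameters.

```php
<?php
// Added example (not from the original Grove page). The helper name and the
// sample posting below are constructed for illustration.

// Wrap htmlentities() so every call site uses the same settings:
// ENT_QUOTES escapes both ' and " so the output is also safe inside an
// attribute value, and naming the charset avoids mis-decoding multi-byte input.
function h($text) {
    return htmlentities((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample posting; in practice this would come from $_POST or the database.
$text = '<script type="text/javascript">alert("xss")</script> & <b>"bold"</b>';

// Dangerous: the markup is handed to the browser as-is and the script runs.
//   echo '<p>', $text, '</p>';

// Safer: the browser displays the tags as literal text.
echo '<p>', h($text), '</p>', "\n";

// Attribute context: quotes are escaped too, so the value cannot break out of
// the attribute and add its own event handler.
echo '<input type="text" name="comment" value="', h($text), '">', "\n";
```

Escape at the point of output, not at the point of storage: keep the original text in the database and call h() every time it is rendered, so the same value can later be emitted safely in a different context.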